I am having trouble with forms authentication. The root web.config is setup to deny access to all non authenticated users with a structure like:
我在表单身份验证方面遇到问题。根web.config设置为拒绝访问所有未经过身份验证的用户,其结构如下:
Controllers
Folder - Webforms
Folder1 - Webforms
Model
Public Folder - Webforms with web.config to allow public access
Views
web.config with deny
控制器文件夹 - Webforms Folder1 - Webforms模型公用文件夹 - 带有web.config的Webforms允许公共访问使用deny查看web.config
I need to have the home controller public as well, but if I leave the authorize attribute off the root web.config will still block access to the views folder. I want to avoid doing something like below I can avoid it.
我需要将主控制器公开,但是如果我将authorize属性保留在根web.config之外,仍将阻止访问views文件夹。我想避免做下面的事情,我可以避免它。
Controllers
Webforms
-Folder
-Folder2
-web.config with deny unauthorized users
Views
web.config with public access
控制器Webforms -Folder -Folder2 -web.config,拒绝未经授权的用户查看具有公共访问权限的web.config
Does anyone have any thoughts to make the first directory structure work?
有没有人有任何想法使第一个目录结构工作?
1 个解决方案
#1
I'm having trouble seeing what the config sections actually look like. Can you edit the post and drop those sections into a Code Sample block (the button with binary in the text editor toolbar).
我无法看到配置部分实际上是什么样子。您可以编辑帖子并将这些部分放入代码示例块(文本编辑器工具栏中带有二进制的按钮)。
Is the goal to lock down everything that's WebForms and make the MVC driven bits public?
目标是锁定WebForms的所有内容并使MVC驱动位公开吗?
(Would have just put this in a comment, but I don't have the rep points to leave comments yet.)
(本来只是把它放在评论中,但我还没有代表点发表评论。)
[Edit] For sake of offering something useful, but acknowledging I still don't know the end goal for which bits you want to lock down, on the MVC side, is it feasible for you to use the security attributes within your Controllers? For example, instead of trying to lock actions (or entire controllers) down in the web.config, you can add the [Authorize(Roles="YourRoles")] to the specific actions or to the top of the controller. Pros and cons to this approach, but I like it as I don't have to mess around with the config file much which is something I simply don't enjoy. This is of course assuming you're using the standard ASP.NET membership provider, but even if you've rolled your own, you should be able to accomplish the task in a similar manner with some additional effort. Just a thought...
[编辑]为了提供有用的东西,但承认我仍然不知道你要锁定哪些位的最终目标,在MVC方面,你是否可以在控制器中使用安全属性?例如,您可以将[Authorize(Roles =“YourRoles”)]添加到特定操作或控制器顶部,而不是尝试在web.config中锁定操作(或整个控制器)。这种方法的优点和缺点,但我喜欢它,因为我不必乱用配置文件,这是我根本不喜欢的东西。这当然是假设您正在使用标准的ASP.NET成员资格提供程序,但即使您已经使用了自己的成员资格提供程序,您也应该能够以类似的方式完成任务并进行一些额外的工作。只是一个想法...
#1
I'm having trouble seeing what the config sections actually look like. Can you edit the post and drop those sections into a Code Sample block (the button with binary in the text editor toolbar).
我无法看到配置部分实际上是什么样子。您可以编辑帖子并将这些部分放入代码示例块(文本编辑器工具栏中带有二进制的按钮)。
Is the goal to lock down everything that's WebForms and make the MVC driven bits public?
目标是锁定WebForms的所有内容并使MVC驱动位公开吗?
(Would have just put this in a comment, but I don't have the rep points to leave comments yet.)
(本来只是把它放在评论中,但我还没有代表点发表评论。)
[Edit] For sake of offering something useful, but acknowledging I still don't know the end goal for which bits you want to lock down, on the MVC side, is it feasible for you to use the security attributes within your Controllers? For example, instead of trying to lock actions (or entire controllers) down in the web.config, you can add the [Authorize(Roles="YourRoles")] to the specific actions or to the top of the controller. Pros and cons to this approach, but I like it as I don't have to mess around with the config file much which is something I simply don't enjoy. This is of course assuming you're using the standard ASP.NET membership provider, but even if you've rolled your own, you should be able to accomplish the task in a similar manner with some additional effort. Just a thought...
[编辑]为了提供有用的东西,但承认我仍然不知道你要锁定哪些位的最终目标,在MVC方面,你是否可以在控制器中使用安全属性?例如,您可以将[Authorize(Roles =“YourRoles”)]添加到特定操作或控制器顶部,而不是尝试在web.config中锁定操作(或整个控制器)。这种方法的优点和缺点,但我喜欢它,因为我不必乱用配置文件,这是我根本不喜欢的东西。这当然是假设您正在使用标准的ASP.NET成员资格提供程序,但即使您已经使用了自己的成员资格提供程序,您也应该能够以类似的方式完成任务并进行一些额外的工作。只是一个想法...