Question
I use ASP.NET MVC 3, C# together with ApplicationServices Membership (the standard way, using an MS SQL 2008 db).
My folder structure is
CONTROLLERS
-- PageAController.cs
-- ADMIN
   -- PageBController.cs
I have Users, some with the Role "AdminRole", some with no roles associated (anonymous).
I would like to DENY access to the specific Controller and show a LOGIN page for PageAController.cs
and for all Controllers within the folder ADMIN
for Users that DO NOT have the "AdminRole" associated.
- What is the way to go?
- Do I need to set up Web.Config... how?
Answer 1:
Hope this helps.
Use AuthorizeAttribute.
You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the [Authorize] attribute to each controller and action method (except for the login/register methods). Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.
using System.Web.Mvc;

// Only authenticated users in AdminRole may reach any action on this controller.
[Authorize(Roles="AdminRole")]
public class PageAController : Controller
{
}

// Users in either of the listed roles may reach this controller.
[Authorize(Roles="AdminRole,AnotherRole")]
public class PageBController : Controller
{
}
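The following is an added example, not code from the question or the answer above, showing one way to cover both parts of the question in ASP.NET MVC 3: the single controller PageAController gets the attribute directly, and every controller placed in the ADMIN folder inherits it from a shared base class, so the folder name itself never decides anything. The base class name AdminControllerBase, the action names and AccountController are assumptions; "AdminRole" is the role named in the question.

```csharp
using System.Web.Mvc;

// Assumed base class: every controller that lives in Controllers/Admin derives
// from it, so [Authorize] is inherited and the folder location plays no part
// in the access decision (attributes, not routes or folders, are what MVC checks).
[Authorize(Roles = "AdminRole")]
public abstract class AdminControllerBase : Controller
{
}

// Controllers/Admin/PageBController.cs: protected purely by inheritance.
public class PageBController : AdminControllerBase
{
    public ActionResult Index()
    {
        return View();
    }
}

// Controllers/PageAController.cs: a stand-alone controller gets the attribute itself.
// An attribute on an individual action can only narrow this further, because
// the controller-level and action-level filters must both pass.
[Authorize(Roles = "AdminRole")]
public class PageAController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

// Controllers/AccountController.cs (assumed): the login page carries no
// [Authorize], so anonymous users can reach it. When a request without the
// role hits a protected action, AuthorizeAttribute produces a 401 and forms
// authentication turns that into a redirect to the loginUrl configured under
// <authentication mode="Forms"> in Web.config, which is the only Web.config
// setting involved here.
public class AccountController : Controller
{
    public ActionResult LogOn()
    {
        return View();
    }
}
```

One caveat worth knowing when testing this: a user who is logged in but lacks "AdminRole" also receives the 401 and is sent to the login page rather than a 403, because the stock AuthorizeAttribute does not distinguish "not authenticated" from "authenticated but wrong role". If you want a distinct forbidden page for that case, subclass AuthorizeAttribute and override HandleUnauthorizedRequest to check User.Identity.IsAuthenticated before deciding what to return.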
Source: https://stackoverflow.com/questions/12723294/how-to-limit-the-access-to-a-controller-or-a-folder-in-mvc