I'm trying to mix some MVC3 functionality into an existing WebForms application. I've followed a few guides, and got everything set up and working except for the authorization piece. The existing application has <deny users="*" /> sitting at the root web.config, and each subfolder has its own web.config that allows access to the pages within for specific roles.
My new understanding is that this style of can't/shouldn't be used on Controllers, and I should be using Authorize attributes instead. I've decorated my test "HomeController" class with [Authorize(Roles="AdminRole")], but I get an "Access Denied" page when I attempt to view the page.
If i change the root web.config to say <allow users="*" />, the page works. Does this mean that the attribute I added to the controller is working, but the root web.config setting is taking precedence over it? I don't want to mess with our existing authorization stuff since the site is well established and I'm just trying to add MVC in to play with. Am I missing something? Thanks for any insight you can provide.
Ah this is a bit tricky as you are trying to use MVC security in an app already using Web Forms. If this was pure mvc the choice is simple. If you can't pull the mvc features out into a separate app then this leaves you in a bit of a pickle.
My first recommendation would be to try to extract the code. If you are using MVC to only provide restful features maybe also check out MVC4 web api to provide an api for your app and share the components used between them which would require pulling them out of your web app into a Domain library or some other appropriately named library.
With that said, not 100% sure if the allow users="*" is working as expected, but I believe it is. Its easy enough to test, simply change Roles="AdminRole" to Roles="placeholder" and try again.
Setting this though kills the rest of your auth so one idea could be to put all mvc routes under a particular url, such as "/api/" and allow * in the web.config to that path and then use mvc's security on all of your controller methods. This would have low impact to your main web app.
来源:https://stackoverflow.com/questions/10703719/mixing-asp-net-webforms-and-mvc-authorization