asp.net authorization - deny all before login except the register page

Submitted by 会有一股神秘感。 on 2019-12-25 05:37:07

Question


I'm using ASP.NET Authorization to deny users access to my site before logging in, but this is also blocking the Register.cshtml page. How do I sort out my authorizations to allow this page through?

  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <location path="Content">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Register.cshtml">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Answer 1:


IMHO, you should not use web.config to control the authentication of your application; instead, use the Authorize attribute.

Add this to your Global.asax file in the RegisterGlobalFilters method:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Applies [Authorize] to every action: unauthenticated requests are
        // redirected to the login page unless the action opts out.
        filters.Add(new AuthorizeAttribute());
    }

or you can also decorate your controller with [Authorize]:

[Authorize]
public class HomeController : Controller
{
    ...
}

For actions which require anonymous access, use the AllowAnonymous attribute:

    [AllowAnonymous]
    public ActionResult Register()
    {
        // This action can be accessed by unauthorized users
        return View("Register");
    }

As per the reference,

You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to apply the Authorize attribute to each controller and use the new AllowAnonymous attribute on the login and register actions. Making security decisions based on the current area is a Very Bad Thing and will open your application to vulnerabilities.
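The pattern above, carried through to a complete controller, as an added example that is not part of the answer: a global AuthorizeAttribute makes every action deny-by-default, and only the login and register actions opt out. The namespace, the view-model classes and the use of FormsAuthentication/Membership are assumptions for illustration; the account-creation step is omitted.

```csharp
// Added example (not from the answer). Assumes an ASP.NET MVC 4/5 project with
// Forms authentication configured in web.config; MvcApp, RegisterViewModel and
// LoginViewModel are hypothetical names.
using System.Web.Mvc;
using System.Web.Security;

namespace MvcApp
{
    // App_Start/FilterConfig.cs (MVC 4+), or RegisterGlobalFilters in Global.asax.
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Default-deny: every action requires an authenticated user unless
            // it carries [AllowAnonymous].
            filters.Add(new AuthorizeAttribute());
        }
    }

    public class AccountController : Controller
    {
        // [AllowAnonymous] is per action method: both the GET and the POST need it,
        // otherwise the form submission itself is redirected to the login page.
        [AllowAnonymous]
        [HttpGet]
        public ActionResult Register()
        {
            return View();
        }

        [AllowAnonymous]
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Register(RegisterViewModel model)
        {
            if (!ModelState.IsValid) return View(model);
            // ... create the account here (omitted) ...
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            return RedirectToAction("Index", "Home");
        }

        [AllowAnonymous]
        [HttpGet]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }

        [AllowAnonymous]
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginViewModel model, string returnUrl)
        {
            if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                // Follow returnUrl only when it is local; an absolute URL here
                // would turn the login page into an open redirect.
                if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
                return RedirectToAction("Index", "Home");
            }
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        // No [AllowAnonymous]: the global filter applies, so only a signed-in
        // user can reach this action.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult LogOff()
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Login");
        }
    }

    public class RegisterViewModel
    {
        public string UserName { get; set; }
        public string Password { get; set; }
    }

    public class LoginViewModel
    {
        public string UserName { get; set; }
        public string Password { get; set; }
        public bool RememberMe { get; set; }
    }
}
```

Putting [AllowAnonymous] on the controller class instead of on individual actions would open every action in that controller, including LogOff, so keep it on the exact actions that anonymous users need.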




Answer 2:


This is happening because you are denying everyone from application by using

    <authorization>
      <deny users="?" />
    </authorization>

The above code will override all permissions given to the folder.

A good idea would be to deny users folder-wise and keep the Register/Login/Help/Contact pages at root level.
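The folder-wise layout this answer suggests, written out as an added web.config example that is not part of the answer. The folder name Members and the Login.cshtml login page are assumptions.

```xml
<!-- Added example (not from the answer). The root stays anonymous-accessible,
     so Register.cshtml, Login.cshtml, Help.cshtml and Contact.cshtml live there;
     everything under the (assumed) Members folder requires a logged-in user. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.cshtml" timeout="30" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two caveats a practitioner should weigh: this layout is allow-by-default at the root, so any new file dropped there is reachable anonymously until someone remembers to move it, whereas the question's layout (deny at the root, allow named paths) fails closed; and, as the quote in the first answer points out, these rules match the request path, so they protect files and folders, not MVC actions that routing can expose under more than one URL.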



Source: https://stackoverflow.com/questions/17567902/asp-net-authorization-deny-all-before-login-except-the-register-page
