Forms Authentication & authorization MVC 4

I'm trying to create an anonymous controller in order to acheive form authentication. I configured my IIS 7 with anonymous and form authentication enabled and set my web.config to deny anonymous users. On the login controller I put the [AllowAnonymous] decoration on my controller (and my actions).

The only action I can get on this set of configuration is the login action (which returns the "login" view), and I'm guessing that the MVC allows me to get this action because I set it as the login URL on my web.config.

Here is my web config configuration:

     <authentication mode="Forms">
        <forms loginUrl="~/Login/Login" timeout="2880" />
     </authentication>

All the other actions are redirected to the login action. On this set of configuration I can't achieve other important actions like restore password, register, etc.

What am I doing wrong?


Use global authentification filter with custom behaviour instead of authorization configuration in web.config (best for MVC)

add global filter

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

Then, [AllowAnonymous] will works, and all other controllers and actions requires Authorization.


You can also register Authorize filter in RegisterGlobalFilters method:

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new HandleErrorAttribute());
    filters.Add(new AuthorizeAttribute());
} 

And then use the AllowAnonymous attribute on action methods that require anonymous access:

[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult RecoverPassword()
    {
     ...
    }
}

There are two possible approaches.

First - you can deny anonymous requests globally with the Authorize attribute and mark these few which do not need authorization with AllowAnonymous attribute (which is new to MVC4).

Second - do not deny globally but rather secure your selected controllers/actions with Authorize attribute.

链接地址: http://www.djcxy.com/p/42096.html

上一篇: 将viewbag传递给动作控制器的局部视图

下一篇: 表单认证和授权MVC 4