Security » Authorization » 简单授权

Simple Authorization¶ 简单授权

82 of 86 people found this helpful

Authorization in MVC is controlled through the AuthorizeAttribute attribute and its various parameters. At its simplest applying the AuthorizeAttribute attribute to a controller or action limits access to the controller or action to any authenticated user.

MVC中的授权通过AuthorizeAttribute属性及其不同的参数来实现。控制器或者方法的AuthorizeAttribute 属性最简单的应用是限制认证用户的使用。

For example, the following code limits access to the AccountController to any authenticated user.

例如，下列代码限制只有授权用户才能连接AccountController 。

[Authorize]
public class AccountController : Controller
{
    public ActionResult Login()
    {
    }

    public ActionResult Logout()
    {
    }
}

If you want to apply authorization to an action rather than the controller simply apply the AuthorizeAttribute attribute to the action itself;

如果想对一个方法实施授权，而不是简单地对控制器实施授权，那么仅将AuthorizeAttribute 属性放到该方法上。

public class AccountController : Controller
{
    public ActionResult Login()
    {
    }

    [Authorize]
    public ActionResult Logout()
    {
    }
}

Now only authenticated users can access the logout function.

现在，只有授权用户可以使用logout函数。

You can also use the AllowAnonymousAttribute attribute to allow access by non-authenticated users to individual actions; for example

你也可使用AllowAnonymousAttribute 属性来允许非授权用户使用单独的方法，例如：

[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login()
    {
    }

    public ActionResult Logout()
    {
    }
}

This would allow only authenticated users to the AccountController, except for the Login action, which is accessible by everyone, regardless of their authenticated or unauthenticated / anonymous status.

这会使除了Login方法外，只有授权用户可以使用AccountController，不论其授权或者非授权以及匿名的任何人都可使用Login方法。

Warning 注意

[AllowAnonymous] bypasses all authorization statements. If you apply combine [AllowAnonymous] and any [Authorize] attribute then the Authorize attributes will always be ignored. For example if you apply [AllowAnonymous] at the controller level any [Authorize] attributes on the same controller, or on any action within it will be ignored.

[AllowAnonymous] 忽略了所有的授权语句。如果联合使用 [AllowAnonymous]和[Authorize] 属性，Authorize属性将一直被忽略。例如：如果在控制器级别使用了[AllowAnonymous]，在同一个控制器的任何[Authorize]或者其中的任何方法将被忽略。