问题
I am using forms authentication in my ASP.NET MVC application. I want to the signup page from the authorization process. I know I can add a location tag in my main web.config file or create a new web.config inside the specific folder. But I just to exclude one specific action in the User controller. How do I do it?
回答1:
Do not use Web.config <location> authorization in an MVC application. Doing so will lead to security vulnerabilities in your web site.
Instead, use the [Authorize] attribute to control who has access to certain controllers or actions. (You can use the [Authorize] attribute on a controller's type if you want it to apply to all actions in that controller.)
More information:
- http://www.asp.net/mvc/tutorials/authenticating-users-with-forms-authentication-cs
- http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
回答2:
Try this slick way to do it.
It adds the ability to exclude Controller-level filters from an action.
[ExcludeFilter(typeof(AuthorizeAttribute)]
public ActionMethod DontAuthorize.....
Much easier!
回答3:
You could also have created your own AllowWithoutAuthorisation attribute and decorated that ActionResult with it.
EDIT This is kinda untested but couldn't you do;
[Authorize(Users="*")]
EDIT 2
Or you could decorate each ActionResult with [Authorise] and ommit the one you want not to have authorised.
回答4:
OK, I have got it.
What I did is, I created a separate controller for that action and added a location element in my web.config to allow anonymous access to that action.
This will allow all access to that controller without authentication.
来源:https://stackoverflow.com/questions/2971767/excluding-an-action-from-authorization-in-asp-net-mvc-2