问题
I am implementing a javascript file upload functionality in my MVC 3 application and therefore I need to use Http Handler (.ashx) to allow large file upload. Now I need to somehow forbid unauthenticated users to call handler's methods. If I had a controller, I would simply apply [Authorize] attibute to it. But does the attribute work when applied to an Http Handler's method? IF not, how can I allow only people that have a current session cookie to make calls to Http Handler?
回答1:
You could use the <location> section in your web.config to deny access to ~/upload.ashx to anonymous users:
<location path="upload.ashx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Remark: never use the <location> tag to control authorization with ASP.NET MVC controller actions and routes. Use the built-in [Authorize] attribute to decorate the corresponding controller/action.
来源:https://stackoverflow.com/questions/10984546/setting-autorization-rules-for-ashx-handler-in-asp-net-mvc-3-application