2

I'm working on an MVC 4 web application, on VS 2010. What I am trying to do is:

  1. Restrict access to all users unless you are SUPERADMIN automatically (logging in using form authentication)
  2. If the action/controller states that specific roles can have access, then it gives them access. For example:

    [AuthorizeFor(Roles = "REVIEWER")]
    public ActionResult Index()
    {
       return View();
    }
    

    In the case above, only users with roles SUPERADMIN OR REVIEWER can access this action.

  3. I will also be using WEBAPI so I can push content to third parties, and so should be accessible by anyone, but they will need to authenticate via url parameter with hmac. For example: http://example.com/api/feed/1?appid=BLAH&timestamp=BLAH&hmac=BLAH. In short, the API section of the site should not be using the same authentication as the rest of it.

How would I set this up?

I am building a content management system for internal use here at my job, and the API will supply the data that we enter in to third party websites/vendors.

4

1 Answer

2

You can add to the GlobalFilterCollection in App_Start/FilterConfig.cs:

    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Applies an Authorize Attribute to each controller so that by default all SUPERADMINS have access
            // you could then add [Authorize(Roles = "REVIEWER")] to individual items.
            filters.Add(new System.Web.Mvc.AuthorizeAttribute() { Roles = "SUPERADMIN" });
        }
    }

In the WebAPI controller, you can use the [AllowAnonymous] attribute for WebAPI controllers and handle authentication yourself by checking the hmac parameter.

Answered 2013-06-18T12:25:06.717
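
One way to implement the hmac check the answer mentions, as an added example that is not code from the original post: a Web API authorization filter that validates the `appid`, `timestamp` and `hmac` query parameters. The filter name, the layout of the signed string, the Unix-seconds timestamp, the hex encoding and the in-memory secret table are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Added example. Hypothetical filter; the signed string, encodings and secret store are assumptions.
public class HmacAuthorizeAttribute : AuthorizationFilterAttribute
{
    // Constructed demo secret; in practice load per-appid keys from protected configuration.
    static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]> {
        { "demo-app", Encoding.UTF8.GetBytes("constructed-demo-secret") } };
    const long MaxSkewSeconds = 300; // limits how long a captured URL can be replayed

    public override void OnAuthorization(HttpActionContext ctx)
    {
        var q = ctx.Request.GetQueryNameValuePairs().ToList();
        Func<string, string> get = n => q.Where(p => p.Key == n).Select(p => p.Value).FirstOrDefault();
        if (!IsValid(get("appid"), get("timestamp"), get("hmac"),
                     ctx.Request.RequestUri.AbsolutePath, DateTime.UtcNow))
            ctx.Response = ctx.Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Invalid signature");
    }

    // Assumed scheme: hmac = lowercase hex HMAC-SHA256 over "<path>\n<appid>\n<timestamp>",
    // with timestamp in Unix seconds. Binding the path stops a signature being reused on another feed.
    public static bool IsValid(string appId, string ts, string macHex, string path, DateTime nowUtc)
    {
        byte[] key; long sent;
        if (appId == null || ts == null || macHex == null) return false;
        if (!Secrets.TryGetValue(appId, out key)) return false;
        if (!long.TryParse(ts, NumberStyles.None, CultureInfo.InvariantCulture, out sent)) return false;
        long now = (long)(nowUtc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
        if (Math.Abs(now - sent) > MaxSkewSeconds) return false;
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(path + "\n" + appId + "\n" + ts));
            string expected = BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
            if (expected.Length != macHex.Length) return false;
            int diff = 0; // compare without early exit so timing does not leak matching prefix length
            for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ macHex[i];
            return diff == 0;
        }
    }
}
```

Because the signature travels in the URL, it ends up in server and proxy logs; serving the API over HTTPS and keeping the timestamp window short limits what a logged URL is worth.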