AuthorizeAttribute Class

Represents an attribute that is used to restrict access by callers to an action method.

System.Object
  System.Attribute
    System.Web.Mvc.FilterAttribute
      System.Web.Mvc.AuthorizeAttribute

Namespace:  System.Web.Mvc
Assembly:  System.Web.Mvc (in System.Web.Mvc.dll)

[AttributeUsageAttribute(AttributeTargets.Class|AttributeTargets.Method, Inherited = true, 
	AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, 
	IAuthorizationFilter

The AuthorizeAttribute type exposes the following members.

                   Name                  Description
Public method      AuthorizeAttribute    Initializes a new instance of the AuthorizeAttribute class.

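                   Name             Description
Public property    AllowMultiple    Gets or sets a value that indicates whether more than one instance of the filter attribute can be specified. (Inherited from FilterAttribute.)
Public property    Order            Gets or sets the order in which the action filters are executed. (Inherited from FilterAttribute.)
Public property    Roles            Gets or sets the user roles.
Public property    TypeId           Gets the unique identifier for this attribute. (Overrides Attribute.TypeId.)
Public property    Users            Gets or sets the authorized users.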

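                    Name                         Description
Protected method    AuthorizeCore                When overridden, provides an entry point for custom authorization checks.
Public method       Equals                       (Inherited from Attribute.)
Protected method    Finalize                     (Inherited from Object.)
Public method       GetHashCode                  (Inherited from Attribute.)
Public method       GetType                      (Inherited from Object.)
Protected method    HandleUnauthorizedRequest    Processes HTTP requests that fail authorization.
Public method       IsDefaultAttribute           (Inherited from Attribute.)
Public method       Match                        (Inherited from Attribute.)
Protected method    MemberwiseClone              (Inherited from Object.)
Public method       OnAuthorization              Called when a process requests authorization.
Protected method    OnCacheAuthorization         Called when the caching module requests authorization.
Public method       ToString                     (Inherited from Object.)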

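                                                     Name                           Description
Explicit interface implementation, private method    _Attribute.GetIDsOfNames       (Inherited from Attribute.)
Explicit interface implementation, private method    _Attribute.GetTypeInfo         (Inherited from Attribute.)
Explicit interface implementation, private method    _Attribute.GetTypeInfoCount    (Inherited from Attribute.)
Explicit interface implementation, private method    _Attribute.Invoke              (Inherited from Attribute.)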

Many Web applications require users to log in before the users are granted access to restricted content. In some applications, even users who are logged in might have restrictions on what content they can view or what fields they can edit.

To restrict access to an ASP.NET MVC view, you restrict access to the action method that renders the view. To accomplish this, the MVC framework provides the AuthorizeAttribute class.

For more information about using attributes, see Extending Metadata Using Attributes.

Using AuthorizeAttribute

When you mark an action method with AuthorizeAttribute, access to that action method is restricted to users who are both authenticated and authorized. If you mark a controller with the attribute, all action methods in the controller are restricted.

The Authorize attribute lets you indicate that authorization is restricted to predefined roles or to individual users. This gives you a high degree of control over who is authorized to view any page on the site.

If an unauthorized user tries to access a method that is marked with the Authorize attribute, the MVC framework returns a 401 HTTP status code. If the site is configured to use ASP.NET forms authentication, the forms authentication module intercepts the 401 status code and redirects the browser to the login page.

Deriving from AuthorizeAttribute

If you derive from the AuthorizeAttribute class, the derived type must be thread safe. Therefore, do not store state in an instance of the type itself (for example, in an instance field) unless that state is meant to apply to all requests. Instead, store state per request in the Items property, which is accessible through the context objects passed to AuthorizeAttribute.

The following example shows several ways to use AuthorizeAttribute. The HomeController class has three action methods that are marked with the Authorize attribute, and two that are not marked. On the AuthenticatedUsers method, the attribute limits access to users who are logged in. On the AdministratorsOnly method, the attribute limits access to users who have been assigned to either the Admin role or the Super User role. On the SpecificUserOnly method, the attribute limits access to the users whose names are Betty or Johnny. The Index and About methods can be accessed by anyone, even anonymous users.


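using System.Web.Mvc;

[HandleError]
public class HomeController : Controller
{
    // No Authorize attribute: open to everyone, including anonymous users.
    public ActionResult Index()
    {
        ViewData["Message"] = "Welcome to ASP.NET MVC!";

        return View();
    }

    // No Authorize attribute: open to everyone, including anonymous users.
    public ActionResult About()
    {
        return View();
    }

    // Any user who is logged in.
    [Authorize]
    public ActionResult AuthenticatedUsers()
    {
        return View();
    }

    // Users in either the "Admin" role or the "Super User" role.
    [Authorize(Roles = "Admin, Super User")]
    public ActionResult AdministratorsOnly()
    {
        return View();
    }

    // Only the users named Betty or Johnny.
    [Authorize(Users = "Betty, Johnny")]
    public ActionResult SpecificUserOnly()
    {
        return View();
    }
}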
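
The thread-safety rule from "Deriving from AuthorizeAttribute", as an added example that is not part of the original topic: a derived attribute hands the result of AuthorizeCore to HandleUnauthorizedRequest through the request's Items collection instead of an instance field. RoleGateAttribute and its Items key are hypothetical names, and HttpStatusCodeResult assumes ASP.NET MVC 3 or later.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical derived attribute (not part of System.Web.Mvc).
// The derived type must be thread safe, so the outcome of the check is kept
// in HttpContext.Items (per request), never in an instance field.
public class RoleGateAttribute : AuthorizeAttribute
{
    // Key for the per-request slot. A constant is safe shared state because
    // it applies to all requests and never changes.
    private const string DeniedKey = "RoleGate.AuthenticatedButDenied";

    // UNSAFE alternative, shown only for contrast: an instance field such as
    //     private bool _authenticatedButDenied;
    // could be overwritten by a concurrent request between AuthorizeCore and
    // HandleUnauthorizedRequest, so one user's result would drive another
    // user's response.

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base class applies the Users and Roles settings.
        bool allowed = base.AuthorizeCore(httpContext);

        bool authenticated = httpContext.User != null
            && httpContext.User.Identity.IsAuthenticated;
        // Per-request state: visible only to this request's pipeline.
        httpContext.Items[DeniedKey] = !allowed && authenticated;
        return allowed;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        object flag = filterContext.HttpContext.Items[DeniedKey];
        if (flag is bool && (bool)flag)
        {
            // Logged in but lacking the role or user name: answer 403 so the
            // user is not sent back to the login page.
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        }
        else
        {
            // Not logged in: keep the default 401 behaviour.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
```

Applied as [RoleGate(Roles = "Admin")], the attribute keeps the Roles and Users semantics described above and changes only how a failed check is reported.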


Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
