How do I allow all users access to one route in a website with integrated authentication?

2023-09-04 00:53:24 Author: 酷味有余

I have an ASP.Net MVC app using Integrated Security that I need to be able to grant open access to a specific route. The route in question is ~/Agreements/Upload. I have tried a few things and nothing has worked thus far.

<configuration> 
  <location path="~/Agreements/Upload">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration> 

In IIS under Directory Security > Authentication Methods I only have "Integrated Windows Authentication" selected. Now, this could be part of my problem (as even though IIS allows the above IIS doesn't). But if that's the case, how do I configure it so that Integrated Security works but allows people who aren't authenticated to access the given route?

Recommended answer

In ASP.NET MVC you should not use the location element in the web.config. Whereas the web forms engine mapped to physical files on disk, the MVC engine uses routing. This means that you could inadvertently allow access to a "protected controller" through a custom route by accident.

The recommended way of securing ASP.NET MVC applications is through the use of the Authorize attribute, as seen in the example below:

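using System.Web.Mvc;

public class HomeController : Controller
{
    // Only authenticated users can invoke this action, whichever route reaches it.
    [Authorize]
    public ActionResult Index()
    {
        return View();
    }
}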

The controller action is what you want to protect and not the route. The ASP.NET MVC Security bod, Levi Broderick, is rather vocal about this issue:

Excluding an action from authorization in ASP.NET MVC 2
Problem with Authorization with IIS and MVC
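
Applied to the route in the question, the attribute-based approach can be written deny-by-default with a single opt-out. This is an added example, not part of the original answer; it assumes ASP.NET MVC 4 or later (where AllowAnonymousAttribute exists), and the upload folder, size limit and POST handling are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Mvc;

public class FilterConfig
{
    // Called from Application_Start: every action requires an authenticated
    // user unless it explicitly opts out (deny by default).
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

public class AgreementsController : Controller
{
    private const int MaxUploadBytes = 5 * 1024 * 1024; // constructed limit

    // Still protected by the global AuthorizeAttribute.
    public ActionResult Index()
    {
        return View();
    }

    // Open to unauthenticated callers: serves the upload form.
    [AllowAnonymous]
    [HttpGet]
    public ActionResult Upload()
    {
        return View();
    }

    // Open to unauthenticated callers: receives the file. The exemption is
    // bound to the action, so it holds for any route that maps to it.
    [AllowAnonymous]
    [HttpPost]
    public ActionResult Upload(HttpPostedFileBase file)
    {
        // Anonymous input: reject missing or oversized files up front.
        if (file == null || file.ContentLength == 0 || file.ContentLength > MaxUploadBytes)
        {
            return new HttpStatusCodeResult(400, "Invalid upload");
        }
        // Store under a server-generated name outside the served content tree;
        // never reuse the client-supplied file name as a path.
        string dir = Server.MapPath("~/App_Data/uploads"); // hypothetical folder
        Directory.CreateDirectory(dir);
        file.SaveAs(Path.Combine(dir, Guid.NewGuid().ToString("N")));
        return new HttpStatusCodeResult(200);
    }
}
```

For the anonymous action to be reachable at all, IIS must have Anonymous Authentication enabled alongside Integrated Windows Authentication; with only the latter selected, IIS challenges every request before MVC runs.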