ASP.NET MVC: combining the RequireSSL attribute with the Authorize attribute

Posted on 2024-07-27 12:47:52

Is anyone successfully using both the Authorize and RequireSSL (from MVC futures) attributes together on a controller? I have created a controller for which I must enforce the rule that the user must be logged in and using a secure connection in order to execute. If the user is not on a secure connection, I want the app to redirect to https, thus I am using Redirect=true on the RequireSSL attribute. The code looks something like (CheckPasswordExpired is my homegrown attribute):

[Authorize]
[RequireSsl(Redirect = true)]
[CheckPasswordExpired(ActionName = "ChangePassword",
    ControllerName = "Account")]
[HandleError]
public class ActionsController : Controller
{
    ....
}

mysite.com/Actions/Index is the default route for the site and also the default page to redirect to for forms authentication.

When I browse to http://mysite.com, what I want to get is the user redirected to a secure connection, and because they are not authenticated yet, to the login page. What I get is an HTTP 400 error (Bad Request). If I navigate to http://mysite.com/Account/Login, the redirect works, but neither my Account controller nor Login action method has the [Authorize] attribute.

Anyone have any experience with using these two attributes together to achieve my objective?

Thanks!

Comments (1)

夜声 2024-08-03 12:47:52

I'm using both of them with success. Do you have the attributes on your default action?

public class HomeController : BaseController
{
  // both filters sit on the default action itself
  [Authorize]
  [RequireSsl]
  public ActionResult Index ()
  {
    return View ();
  }
}

BTW I'm using a slightly modified version of the futures one so that I can disable SSL globally:

using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

[AttributeUsage (AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class RequireSslAttribute : FilterAttribute, IAuthorizationFilter
{
    public RequireSslAttribute ()
    {
        Redirect = true;
    }

    // true: redirect plain-HTTP requests to https; false: reject them with 403
    public bool Redirect { get; set; }

    public void OnAuthorization (AuthorizationContext filterContext)
    {
        // Validate is not defined on this page; presumably a null-guard helper
        Validate.IsNotNull (filterContext, "filterContext");

        // global switch: when false the filter does nothing
        if (!Enable)
        {
            return;
        }

        if (!filterContext.HttpContext.Request.IsSecureConnection)
        {
            // request is not SSL-protected, so throw or redirect
            if (Redirect)
            {
                // form new URL; use the RawUrl since it works with URL Rewriting.
                // RawUrl includes the query string, and UriBuilder.Path would
                // percent-encode its '?', so concatenate instead.
                HttpRequestBase request = filterContext.HttpContext.Request;
                string url = "https://" + request.Url.Host + request.RawUrl;
                filterContext.Result = new RedirectResult (url);
            }
            else
            {
                throw new HttpException ((int)HttpStatusCode.Forbidden, "Access forbidden. The requested resource requires an SSL connection.");
            }
        }
    }

    // static, so it defaults to false (filter disabled) until set at startup
    public static bool Enable { get; set; }
}
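
An added example, not part of the question, the answer, or the MVC futures code: one way to make the filter order explicit so the HTTPS check is evaluated before the login check, and to switch on the answer's static Enable flag at startup. `RequireSslAttribute` is the class from the answer above; the `MvcApplication` class name and the `RequireSsl` appSettings key are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Mvc;

public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        // The answer's static Enable flag defaults to false, which turns the
        // filter into a no-op. Enable it unless config explicitly opts out,
        // so a missing setting fails towards requiring SSL.
        // "RequireSsl" is a hypothetical appSettings key.
        string setting = ConfigurationManager.AppSettings["RequireSsl"];
        RequireSslAttribute.Enable =
            !string.Equals(setting, "false", StringComparison.OrdinalIgnoreCase);
    }
}

// Order is inherited from FilterAttribute: lower values run first, and the
// action invoker stops at the first authorization filter that sets a Result.
[RequireSsl(Order = 1)]   // 1) plain HTTP -> redirect to https
[Authorize(Order = 2)]    // 2) anonymous  -> forms-authentication login redirect
[HandleError]
public class ActionsController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

// The login page requires SSL itself but carries no [Authorize],
// otherwise anonymous users could never reach it.
public class AccountController : Controller
{
    [RequireSsl]
    public ActionResult Login()
    {
        return View();
    }
}
```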