ASP.NET overrides the default returnto parameter in the redirect when the user is not authenticated
We are using forms authentication with roles to restrict access to certain pages and areas of a website. When a user is not authorised, either because they are not logged in or do not have the required role, they are redirected to the login page with a returnto url.
We define what access is required in the web.config using the authorization tags like:
<authorization>
<deny users="?"/>
</authorization>
The web application we are working on uses HttpContext.Current.RewritePath for friendlier URLs and dynamic pages, so that a request for "/MyPages/MyDocuments.aspx" gets re-written to "/PageTypes/Library.aspx" or something along those lines.
However, when the application redirects because a user does not have permission, the ReWritePath is used instead of the Raw URL.
What do I need to override so that the returnto URL is the requested URL instead of the actual physical path?
Comments (2)
Depending on what version of IIS (6 or 7) you are running, the answer may be different; however, I suspect the problem is that the ASP.NET request pipeline is first authenticating the user using forms authentication, and then later running the RewritePath code / module, thus overwriting the normal returnto response.
The key may be to plug the rewrite module into the pipeline earlier than the authentication / authorization modules. If you are using raw code rather than an HTTP Module to do this in your base class, global.asax etc., first check to see if the user is valid / or authorized before executing the code.
ASP.NET Pipeline and Thoughts on Rewriting Vs Routing
What I ended up doing was moving my code into Application_AuthorizeRequest, which meant that the user was authenticated before the page was requested, which kept the original URL intact.
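
The approach described in the last comment, sketched as an added example (this is not the poster's code). The route table, the MapFriendlyPath helper and the Global class name are hypothetical; the paths are the ones from the question, and the IsAuthenticated guard assumes the site-wide deny users="?" rule shown above.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical route table: friendly URL -> physical page.
    private static readonly Dictionary<string, string> Routes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/MyPages/MyDocuments.aspx", "~/PageTypes/Library.aspx" }
        };

    // Hypothetical helper: returns the physical page, or null when the
    // request is not a friendly URL and must be left untouched.
    private static string MapFriendlyPath(string appRelativePath)
    {
        string target;
        return Routes.TryGetValue(appRelativePath, out target) ? target : null;
    }

    // The rewrite lives here instead of in Application_BeginRequest, so the
    // forms-authentication and URL-authorization steps have already seen the
    // URL the browser asked for before the path is changed.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;

        // Never rewrite for a caller who has not been authenticated: that
        // request is on its way to the login page and must keep its URL.
        if (!ctx.Request.IsAuthenticated)
        {
            return;
        }

        string target =
            MapFriendlyPath(ctx.Request.AppRelativeCurrentExecutionFilePath);
        if (target != null)
        {
            // false: do not rebase client-side relative links onto the
            // physical page's directory.
            ctx.RewritePath(target, false);
        }
    }
}
```

With the rewrite deferred like this, the authorization rules in web.config are matched against the friendly URL, so any per-path rule has to be written for "/MyPages/..." and not only for the physical "/PageTypes/..." location.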