RequireHttps 在带参数的重定向上失败
除了简单地从 HTTP 重定向到 HTTPS 之外, RequireHttps 属性还将我的 URL 的问号 ? 更改为 %3F。毫不奇怪,这会破坏事情。
为什么?我该如何修复它?
场景:
我尝试导航到
http://www.example.com/message/compose但是假设我没有查看该页面的权限。
; _ 公共类消息控制器 继承System.Web.Mvc.Controller 函数 Compose() 作为 ActionResult ... 如果……那么 抛出新异常(Net.HttpStatusCode.Unauthorized.ToString) 结束如果 ... 返回视图() 结束功能 ... 结束课程 该操作引发异常。
异常由我的 Error.aspx 页面处理
<%@ 页面语言="VB" Inherits="System.Web.Mvc.ViewPage(Of System.Web.Mvc.HandleErrorInfo)" %> <脚本运行=“服务器”> Sub Page_Load(ByVal Sender As System.Object, ByVal e As System.EventArgs) 如果 Model.Exception.Message = Net.HttpStatusCode.Unauthorized.ToString 那么 response.redirect("/signin?ReturnUrl=" + Url.Encode(request.Path)) 结束如果 ... 结束子 ...我被重定向到我的登录页面
http://www.example.com/signin?ReturnUrl=%2fmessage %2fcompose但是我我正在使用 HTTP 而不是 HTTPS。我的操作需要 HTTPS。 (RemoteRequireHttps继承自RequireHttps 并覆盖其 OnAuthorization 方法以简单地忽略本地主机。)
; _ 公共类AccountController 继承System.Web.Mvc.Controller _ 函数 SignIn() 作为 ActionResult ... 结束功能 ... 结束课程 我被重定向到
https://www.example.com/signin%3FReturnUrl=%2fmessage%2fcompose我在浏览器中看到此错误:
错误的请求
RequireHttps 似乎将我的问号 ? 更改为 %3F。
Besides simply redirecting from HTTP to HTTPS, the RequireHttps attribute also changes my URL's question mark ? to %3F. Unsurprisingly, that breaks things.
Why? How do I fix it?
scenario:
I try to navigate to
http://www.example.com/message/composeBut let's say I don't have permission to view that page.
<HandleError()> _ Public Class MessageController Inherits System.Web.Mvc.Controller Function Compose() As ActionResult ... If ... Then Throw New Exception(Net.HttpStatusCode.Unauthorized.ToString) End If ... Return View() End Function ... End ClassThe action throws an exception.
The exception is handled by my Error.aspx page
<%@ Page Language="VB" Inherits="System.Web.Mvc.ViewPage(Of System.Web.Mvc.HandleErrorInfo)" %> <script runat="server"> Sub Page_Load(ByVal Sender As System.Object, ByVal e As System.EventArgs) If Model.Exception.Message = Net.HttpStatusCode.Unauthorized.ToString Then response.redirect("/signin?ReturnUrl=" + Url.Encode(request.Path)) End If ... End Sub </script> ...I'm redirected to my Sign In page at
http://www.example.com/signin?ReturnUrl=%2fmessage%2fcomposeBut I'm using HTTP and not HTTPS. My action requires HTTPS. (That RemoteRequireHttps inherits from RequireHttps and overrides its OnAuthorization method to simply disregard localhost.)
<HandleError()> _ Public Class AccountController Inherits System.Web.Mvc.Controller <RemoteRequireHttps()> _ Function SignIn() As ActionResult ... End Function ... End ClassI'm redirected to
https://www.example.com/signin%3FReturnUrl=%2fmessage%2fcomposeI see this error in my browser:
Bad Request
It seems that RequireHttps changes my question mark ? to %3F.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我们正在考虑使用 ISAPI Rewrite 这样的 URL 重写器来在此类事件到达您的代码之前对其进行处理。当然,这只有在您有权访问服务器的情况下才有效。
另外,如果您使用 IIS 7,我相信它带有内置的 URL 重写功能。
We're considering using a URL rewriter like ISAPI Rewrite to handle things like this before they ever get to your code. Of course, this would only work if you have access to the server.
Also, if you're using IIS 7, I believe it comes with URL rewriting functionality built in.
我的对我自己的问题的回答 这里可能会有所帮助(似乎是 MVC 2 Preview 2 中的错误)
我可以问一下为什么你不使用 [Authorize] 或 自定义授权属性。如果您使用 .NET 身份验证,则应使用 [Authorize]。
注意:即使您确实使用[授权],它实际上并不能解决您遇到的问题。
My answer to my own question here might help (appears to be a bug in MVC 2 Preview 2)
Can I ask why you're not using [Authorize] or a custom authorization attribute. If you're using .NET authentication you should use [Authorize].
Note: even if you do use [Authorize] it doesnt actually fix the problem you're experiencing.
我刚刚重新设计了它,以完全避免问号(以及异常抛出)。
场景:
我尝试导航到
http://www.example.com/message/compose但假设我没有查看该页面的权限。
我被重定向到我的登录页面。我的路线如下所示:
所以地址是
http://www.example.com/signin/message/compose但我使用的是 HTTP 而不是 HTTPS。我的操作需要 HTTPS。
我被重定向到
https://www.example.com/signin/message/compose没有问号。没问题。
I've just reengineered this to avoid the question mark (and also exception throws) altogether.
scenario:
I try to navigate to
http://www.example.com/message/composeBut let's say I don't have permission to view that page.
I'm redirected to my Sign In page. My route looks like this:
So that's at address
http://www.example.com/signin/message/composeBut I'm using HTTP and not HTTPS. My action requires HTTPS.
I'm redirected to
https://www.example.com/signin/message/composeNo question mark. No problem.