After browsing the MVC section on CodePlex I noticed that the [Authorize] attribute in MVC returns an HttpUnauthorizedResult() when authorization fails (codeplex AuthorizeAttribute class).
In the source of HttpUnauthorizedResult() from CodePlex is the following code (I'm not allowed to enter another URL as my rep isn't high enough, but replace the numbers on the URL above with 22929#266476):
// 401 is the HTTP status code for unauthorized access - setting this
// will cause the active authentication module to execute its default
// unauthorized handler
context.HttpContext.Response.StatusCode = 401;
In particular, the comment describes the authentication module's default unauthorized handler.
I can't seem to find any information on this default unauthorized handler. In particular, I'm not using FormsAuthentication and when authorization fails I get an ugly IIS 401 error page.
Does anyone know about this default unauthorized handler, and in particular how FormsAuthentication hooks itself in to override it?
I'm writing a really simple app for my football team who confirm or deny whether they can play a particular match. If I enable FormsAuthentication in the web.config the redirect works, but I'm not using FormsAuthentication and I'd like to know if there's a workaround.
If you have Reflector, take a look at System.Web.Security.FormsAuthenticationModule.Init(). This method hooks Application_EndRequest and calls OnLeave(). The OnLeave() method checks that the response code is HTTP 401. If it is, then the module performs a redirect rather than bubbling the 401 up to the client. (This logic is what the comment is referring to as the 'default unauthorized handler.') In your particular case, ASP.NET is letting the 401 bubble up to the client, but IIS is intercepting it and displaying an ugly error page.
You can do something very similar from within Global.asax. Make a method Application_EndRequest; this method will be called at the end of every request serviced by your application. From here, you can do whatever you want. If you want to check if the response is a 401 and redirect them to a different page, you can do so from here.
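The Application_EndRequest approach described in the answer, written out as an added example (this is not the answerer's code and not the framework's source). It assumes an MVC application that does not use FormsAuthentication, a hypothetical login route at ~/Account/Login, and the constructed namespace FootballRsvp; it redirects a 401 produced by [Authorize] to that login page while keeping two behaviours a defender wants: API/AJAX callers still receive the 401, and the ReturnUrl passed along is constrained to a local path so the hook cannot be turned into an open redirect.

```csharp
// Global.asax.cs -- added example, not the original answer's or ASP.NET's code.
// Assumes: MVC app without FormsAuthentication, a login action at ~/Account/Login
// (hypothetical route), and the constructed namespace FootballRsvp.
using System;
using System.Web;

namespace FootballRsvp
{
    public class MvcApplication : HttpApplication
    {
        // Hypothetical login page; adjust to the application's own route.
        private const string LoginPath = "~/Account/Login";

        // ASP.NET binds this method by name to the EndRequest event, the same
        // event FormsAuthenticationModule.OnLeave runs on.
        protected void Application_EndRequest(object sender, EventArgs e)
        {
            HttpRequest request = Context.Request;
            HttpResponse response = Context.Response;

            // Only act on the 401 that [Authorize] -> HttpUnauthorizedResult set.
            if (response.StatusCode != 401)
                return;

            // AJAX and API callers need the 401 itself; a 302 to an HTML login
            // page would hide the authorization failure from their error handling.
            if (IsAjaxRequest(request))
                return;

            // Never redirect the login page to itself (guards against a loop if
            // the login action were ever placed behind [Authorize]).
            string loginUrl = VirtualPathUtility.ToAbsolute(LoginPath);
            if (string.Equals(request.Path, loginUrl, StringComparison.OrdinalIgnoreCase))
                return;

            // Mirror FormsAuthentication by carrying the originally requested URL
            // as ReturnUrl, but only as a local path + query string; anything
            // else collapses to "/" so the parameter cannot become an open redirect.
            string returnUrl = IsLocalUrl(request.RawUrl) ? request.RawUrl : "/";

            response.Clear();
            // endResponse: false -- ending the response inside EndRequest would
            // raise ThreadAbortException, which is why the framework module also
            // redirects without ending the response here.
            response.Redirect(loginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl),
                              endResponse: false);
        }

        private static bool IsAjaxRequest(HttpRequest request)
        {
            return string.Equals(request.Headers["X-Requested-With"], "XMLHttpRequest",
                                 StringComparison.OrdinalIgnoreCase);
        }

        // Accept only URLs of the form "/something": a single leading slash and
        // not "//" or "/\", which browsers treat as protocol-relative and would
        // send the user to another host.
        private static bool IsLocalUrl(string url)
        {
            return !string.IsNullOrEmpty(url)
                && url[0] == '/'
                && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
        }
    }
}
```

The login action that consumes ReturnUrl should apply the same local-URL check before redirecting back after a successful sign-in; forwarding a safe value here does not help if the receiving action trusts the parameter blindly. Because the hook runs for every request, keeping the early `StatusCode != 401` return first also keeps the cost on normal responses negligible.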