Custom authorization

Posted 2024-09-29 17:42:14

I'm trying to use my own authorization by creating a base controller and overriding the OnAuthorization method.

It works fine when authorization fails, but I get a 401 page when my checks succeed (but the default authorization checks fail).

    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        var roleAttribute = typeof(AuthorizeAttribute);
        var attributes = filterContext.ActionDescriptor.GetCustomAttributes(roleAttribute, true);
        if (attributes.Length == 0)
            attributes = GetType().GetCustomAttributes(roleAttribute, true);
        if (attributes.Length == 0)
            return;

        MvcHelper.Authenticate();


        foreach (AuthorizeAttribute item in attributes)
        {
            if (!Thread.CurrentPrincipal.IsInRole(item.Roles))
            {
                filterContext.Result = new RedirectResult("~/Error/Unauthorized/" + "?MissingRole=" + item.Roles);
                return;
            }
        }

        //how do I prevent the default authorization here?
    }

I've tried with filterContext.HttpContext.SkipAuthorization = true; but it doesn't help.

Comments (2)

请恋爱 2024-10-06 17:42:14

I usually do this in an ActionFilter: https://gist.github.com/e297b435ceb8f022fb95

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // AuthProvider is a property of the filter, not a method argument.
        if (AuthProvider == null)
            throw new InvalidOperationException("AuthProvider has not been set.");

        if (AuthProvider.Authenticate(filterContext) == false)
        {
            // Authentication failed: answer 401 and ask for HTTP Basic credentials.
            var response = filterContext.HttpContext.Response;
            response.StatusCode = 401;
            response.AddHeader("WWW-Authenticate", "Basic realm=\"Emergidata\"");
            response.End();
        }
        else
        {
            // Authenticated: hand the provider's context to the controller.
            var controller = filterContext.Controller as IAppController;
            if (controller != null)
                controller.DynamicSession = AuthProvider.AuthProviderContext;
        }
    }

屋檐 2024-10-06 17:42:14

I would do this in two steps:

  • First I would secure the whole application so that you must explicitly whitelist those controllers that should be available to anonymous users; read the section "Limitation of the LogonAuthorize filter approach" on http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx. There you have one filter that you apply globally to limit the access to your application and one attribute that you apply to those actions you want to allow anonymous access to.
  • The next step would be to implement another filter that you apply to those actions where you want the user to have a specific role or ability. This filter would inherit from AuthorizeAttribute.
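
Added example (not code from the answers above): one way to implement the two steps in ASP.NET MVC 3. The class names `AllowAnonymousAttribute`, `LogonAuthorizeAttribute`, `RequireRoleAttribute` and `FilterConfig` are assumptions, as is that `HttpContext.User` has already been populated by authentication when the filters run; the `Error/Unauthorized` route is the one used in the question.

```csharp
// Added example for ASP.NET MVC 3 (System.Web.Mvc); all class names are illustrative.
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Step 1a: marker that opts an action or controller out of the global check.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class AllowAnonymousAttribute : Attribute { }

// Step 1b: global filter. Every action requires an authenticated user unless marked.
public sealed class LogonAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        bool skip = action.IsDefined(typeof(AllowAnonymousAttribute), true)
            || action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
        if (!skip) base.OnAuthorization(filterContext);
    }
}

// Step 2: role filter. The inherited AuthorizeCore already checks the Roles property
// (comma-separated, any match) against HttpContext.User; only the failure path changes.
public sealed class RequireRoleAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext); // not logged in: 401
            return;
        }
        // Logged in but lacking the role: send to the error page. The role name is
        // kept out of the URL so the response does not disclose the role model.
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
        {
            { "controller", "Error" }, { "action", "Unauthorized" }
        });
    }
}

public static class FilterConfig
{
    // Call from Application_Start: FilterConfig.Register(GlobalFilters.Filters);
    public static void Register(GlobalFilterCollection filters)
    {
        filters.Add(new LogonAuthorizeAttribute());
    }
}
```

Actions are then decorated with `[RequireRole(Roles = "Admin")]` in place of `[Authorize(Roles = "Admin")]`, so the role check and its failure handling live in a single filter. MVC 4 and later ship their own `AllowAnonymousAttribute`, so the marker class is only needed on MVC 3.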