Why is onAuthorization executing before authentication?
Question
I'm trying to do some custom authorization so I created a controller overriding the OnAuthorization method. I also applied the Authorize attribute to this controller.
The question is why is the OnAuthorization method called BEFORE the basic forms authentication process?
I would like to authorize the user after he is authenticated. Am I missing something?
Here is the code:
    using System;
    using System.Collections.Generic;
    using System.Web.Mvc;

    [Authorize]
    public class AuthorizationController : Controller
    {
        protected override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }
            // Controller.OnAuthorization is an empty hook in MVC; it does not run the [Authorize] attribute.
            base.OnAuthorization(filterContext);
            // Allow-list of controller and action names that may proceed.
            List<string> allowedControllers = new List<string>() { "SecurityController" };
            List<string> allowedActions = new List<string>() { "Index" };
            string controllerName = filterContext.Controller.GetType().Name;
            string actionName = filterContext.ActionDescriptor.ActionName;
            if (!allowedControllers.Contains(controllerName)
                || !allowedActions.Contains(actionName))
            {
                // Setting Result short-circuits the action; this view is returned instead.
                filterContext.Result = View("UnauthorizedAccess");
            }
        }
    }
The controller that I tested with is something like:
    public class SecurityController : AuthorizationController
    {
        public ActionResult Index()
        {
            return View();
        }
        public ActionResult AnotherIndex()
        {
            return View();
        }
    }
Recommended answer
One of the first things the AuthorizeAttribute does is check to see if the user is authenticated. If they are not then that is when a redirect to the login page will be issued.
The AuthorizeAttribute basically wraps the authentication check in with the authorization piece:
    protected virtual bool AuthorizeCore(HttpContextBase httpContext) {
        if (httpContext == null) {
            throw new ArgumentNullException("httpContext");
        }
        IPrincipal user = httpContext.User;
        if (!user.Identity.IsAuthenticated) {
            return false;
        }
        // ... excerpt from the MVC source ends here; the Users/Roles checks follow before the method returns true
When you use the AuthorizeAttribute with no roles/users as you do in your example ([Authorize]), it is basically just checking to make sure the user is authenticated in this case.
I would probably change your code to override the AuthorizeAttribute instead of doing this code in your controller. You can do the following:
    using System.Web.Mvc;

    // Placeholder model referenced below (not defined in the answer).
    public class UnauthorizedModel
    {
    }

    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // Let AuthorizeCore run first: it rejects unauthenticated users and then
            // applies any Users/Roles restrictions.
            base.OnAuthorization(filterContext);

            // Replace the result only for a user who is authenticated but failed the
            // authorization check; an unauthenticated user keeps the 401 so forms
            // authentication redirects to the login page.
            if (filterContext.Result is HttpUnauthorizedResult
                && filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                filterContext.Result = CreateResult(filterContext);
            }
        }

        protected ActionResult CreateResult(AuthorizationContext filterContext)
        {
            var controller = (string)filterContext.RouteData.Values["controller"];
            var action = (string)filterContext.RouteData.Values["action"];
            // any custom model here
            var model = new UnauthorizedModel();
            // custom logic to determine proper view here - i'm just hardcoding it
            var viewName = "~/Views/Shared/Unauthorized.cshtml";
            return new ViewResult
            {
                ViewName = viewName,
                ViewData = new ViewDataDictionary<UnauthorizedModel>(model)
            };
        }
    }
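The same ordering (authentication first, then Users/Roles) can be built on the hook AuthorizeAttribute provides for failed checks, HandleUnauthorizedRequest, which also lets a denial of an authenticated user be reported as a 403 instead of a 200. This is an added example, not code from the question or the answer; the attribute name, the view path, the UnauthorizedInfo model, the role name and the controller are assumptions.

```csharp
using System.Web.Mvc;

// Hypothetical attribute, added here as an example; not from the question or the answer.
// AuthorizeAttribute.OnAuthorization runs AuthorizeCore (authentication first, then
// Users/Roles) and calls HandleUnauthorizedRequest when that fails, so this hook is
// where the two failure cases can be told apart.
public class RoleOrLoginAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Not authenticated: keep the default 401 so the forms-authentication
            // module converts it into the login-page redirect.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Authenticated but not in the required roles: answer 403 with a view rather
        // than a 200, so logs, proxies and clients record the denial as a denial.
        filterContext.Result = new ViewResult
        {
            ViewName = "~/Views/Shared/Unauthorized.cshtml", // assumed view path
            ViewData = new ViewDataDictionary(new UnauthorizedInfo
            {
                Controller = (string)filterContext.RouteData.Values["controller"],
                Action = (string)filterContext.RouteData.Values["action"]
            })
        };
        filterContext.HttpContext.Response.StatusCode = 403;
        filterContext.HttpContext.Response.TrySkipIisCustomErrors = true;
    }
}

// Assumed model for the denial view.
public class UnauthorizedInfo
{
    public string Controller { get; set; }
    public string Action { get; set; }
}

// Usage: authentication is checked first, then the role, and each failure gets its own outcome.
[RoleOrLoginAuthorize(Roles = "SecurityAdmin")] // assumed role name
public class SecurityAdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```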