使用数据库的MVC3操作筛选器(EF 4.1 DBContext，Ninject) [英] MVC3 Action Filter Using Database (EF 4.1 DBContext, Ninject)

问题描述

我试图在Action上设置授权"过滤器，创建自己的ActionFilterAttribute，在其中进行数据库查找以确定用户是否有权访问特定资源.

I'm trying to setup an 'Authorization' Filter on an Action, creating my own ActionFilterAttribute where I do a database lookup to determine if a user has access to a certain resource.

在从ActionFilterAttribute继承的类上，我创建了一个Injected(Ninject)属性来保存我用于数据库访问的服务.我有一个无参数的构造函数，因此可以将其用作操作的属性.在"OnActionExecuting"方法中，我可以访问Injected属性(它不为null)，但是正在使用的基本DBCotext已关闭.

On my class inheriting from ActionFilterAttribute, I have created an Injected(Ninject) property to hold the service that I am using for the database access. I have a parameterless constructor so that I can use this as an attribute on my actions. In the 'OnActionExecuting' Method, I am able to gain access to the Injected property (it's not null), but the base DBCotext that it is using is closed.

在直到发行说明所述的MVC3的RTM之前，这种方法都可以正常工作.

This working fine, up until the RTM of MVC3, where the Release Notes stated:

重大更改: 在ASP.NET MVC的早期版本中，操作过滤器是按以下方式创建的 要求，但在少数情况下除外.这 行为永远无法保证 行为，但仅仅是一个实现 过滤器的详细信息和合同 认为他们是无国籍的.在 ASP.NET MVC 3，过滤器被更多地缓存 积极地.因此，任何习惯 动作过滤器存储不当 实例状态可能已损坏.

Breaking Changes: In previous versions of ASP.NET MVC, action filters are create per request except in a few cases. This behavior was never a guaranteed behavior but merely an implementation detail and the contract for filters was to consider them stateless. In ASP.NET MVC 3, filters are cached more aggressively. Therefore, any custom action filters which improperly store instance state might be broken.

我第一次使用此过滤器时，它会按预期工作，但是如果刷新页面或其他用户访问此过滤器，则会收到错误消息:

The first time I use this filter, it works as expected, but if I refresh the page or another user access this filter, I get the error:

操作无法完成 因为DbContext已经 处置.

The operation cannot be completed because the DbContext has been disposed.

鉴于重大更改说明，我猜这应该是我期望的.

which is what I guess I should expect given the breaking changes notes.

我的问题是，完成我需要做的事情的首选/推荐方法是什么?应该在ActionFilterAttribute中还是应该在其他地方进行授权"?

My question is this, what would be the preferred/recommended way of accomplishing what I need to do? Should this be in an ActionFilterAttribute, or should this 'authorization' be done somewhere else?

推荐答案

我会在Application_AuthenticateRequest中进行身份验证，并使用Thread.CurrentPrincipal在您的属性中进行授权，但是您的方法也应该起作用.您只需要考虑以下事实:每个请求的DbContext都会不同，但是您的属性却不会.像这样的东西应该可以解决问题(我假设您使用的是DependencyResolver):

I'd do authentication in Application_AuthenticateRequest and authorization in your attribute using Thread.CurrentPrincipal, but your method should work too. You just need to count with fact that DbContext will be different for each request but your attribute won't. Something like this should do the trick (I'm assuming you are using DependencyResolver):

public class MyMightyAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var context = (DbContext)DependencyResolver.Current.GetService(typeof(DbContext))
        // authenticate, authorize, whatever
        base.OnActionExecuting(filterContext);
    }
}

这篇关于使用数据库的MVC3操作筛选器(EF 4.1 DBContext，Ninject)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！