Why doesn't SuppressFormsAuthenticationRedirect work in AuthorizeAttribute.HandleUnauthorizedRequest override?
Problem description
I've got an MVC 5.1 site with a controller with a single POST action. I have an Android app that I want to POST to it using basic authentication. I created a BasicAuthorizeAttribute class and applied it to my controller, and for testing purposes make it reject everything:
    using System.Web;
    using System.Web.Mvc;

    public class BasicAuthorizeAttribute : AuthorizeAttribute
    {
        // Test stub: reject every request.
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            return false;
        }

        // Called when AuthorizeCore returns false.
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
I can step through my HandleUnauthorizedRequest in the debugger, but Fiddler shows the POST response is a 302 redirect to the login page. I thought SuppressFormsAuthenticationRedirect was supposed to prevent that. It's a problem because the Android app follows the redirect and gets 200 OK from the login request, so it appears the POST succeeded. What am I doing wrong?
Recommended answer
The 200 OK status code is set upstream of the call to HandleUnauthorizedRequest. Explicitly clearing, setting and ending the response works. SuppressFormsAuthenticationRedirect doesn't appear to be necessary in this case.
    // Requires: using System.Net; (for HttpStatusCode)
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Discard anything already buffered, set 401 and end the response.
        filterContext.HttpContext.Response.Clear();
        filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
        filterContext.HttpContext.Response.End();
        base.HandleUnauthorizedRequest(filterContext);
    }
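
A fuller version of the attribute discussed above, added here as an example and not code from the question or the answer: it parses the Basic credentials instead of rejecting everything, and on failure sends the 401 the same way the answer does, plus a WWW-Authenticate challenge. ValidateCredentials, the realm name "api" and the HTTPS requirement are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class BasicAuthorizeAttribute : AuthorizeAttribute
{
    // Hypothetical hook: wire this to a lookup against hashed secrets.
    // The default rejects everything, so a missing configuration fails closed.
    public static Func<string, string, bool> ValidateCredentials = (user, pass) => false;

    // Parses "Basic base64(user:password)"; returns false on any malformed input.
    public static bool TryParseBasic(string header, out string user, out string pass)
    {
        user = pass = null;
        const string scheme = "Basic ";
        if (header == null || !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(scheme.Length).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');   // split on the first ':'; the password may contain more
        if (colon <= 0) return false;
        user = decoded.Substring(0, colon);
        pass = decoded.Substring(colon + 1);
        return true;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Basic credentials are only base64-encoded, so refuse them over plain HTTP (assumed policy).
        if (!httpContext.Request.IsSecureConnection) return false;
        string user, pass;
        return TryParseBasic(httpContext.Request.Headers["Authorization"], out user, out pass)
            && ValidateCredentials(user, pass);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Same approach as the answer: clear, set 401, end the response.
        HttpResponseBase response = filterContext.HttpContext.Response;
        response.Clear();
        response.StatusCode = (int)HttpStatusCode.Unauthorized;
        response.AddHeader("WWW-Authenticate", "Basic realm=\"api\"");  // realm name is a placeholder
        response.End();
    }
}
```

On the client side, treat only a 2xx response to the POST itself as success; a client that follows redirects will otherwise report the login page's 200 OK, as described in the question.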