Why doesn't SuppressFormsAuthenticationRedirect work in AuthorizeAttribute.HandleUnauthorizedRequest override?


Question

I've got an MVC 5.1 site with a controller with a single POST action. I have an Android app that I want to POST to it using basic authentication. I created a BasicAuthorizeAttribute class and applied it to my controller, and for testing purposes make it reject everything:

public class BasicAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
        base.HandleUnauthorizedRequest(filterContext);
    }
}

I can step through my HandleUnauthorizedRequest in the debugger, but Fiddler shows the POST response is a 302 redirect to the login page. I thought SuppressFormsAuthenticationRedirect was supposed to prevent that. It's a problem because the Android app follows the redirect and gets 200 OK from the login request, so it appears the POST succeeded. What am I doing wrong?

Recommended answer

The 200 OK status code is set upstream of the call to HandleUnauthorizedRequest. Explicitly clearing, setting and ending the response works. SuppressFormsAuthenticationRedirect doesn't appear to be necessary in this case.

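// HttpStatusCode requires: using System.Net;
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    // Discard anything already buffered for this response.
    filterContext.HttpContext.Response.Clear();
    // Set the status explicitly to 401.
    filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
    // Send the response and stop further processing of the request.
    filterContext.HttpContext.Response.End();
    base.HandleUnauthorizedRequest(filterContext);
}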
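
A fuller version of the attribute, as an added example that is not part of the original question or answer: it parses the `Authorization` header instead of rejecting everything, and returns the 401 the way the answer does. The realm value, the HTTPS check and the use of `Membership.ValidateUser` are assumptions; substitute your own credential check.

```csharp
using System;
using System.Net;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class BasicAuthorizeAttribute : AuthorizeAttribute
{
    private const string Realm = "example-realm"; // constructed placeholder

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Basic credentials are only base64-encoded, so refuse them over plain HTTP.
        if (!httpContext.Request.IsSecureConnection) return false;

        string header = httpContext.Request.Headers["Authorization"];
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return false; // malformed base64 is treated as unauthenticated
        }

        // RFC 7617: user-id and password are separated by the first colon.
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;

        // Assumption: a membership provider is configured; substitute your own check.
        return Membership.ValidateUser(decoded.Substring(0, colon), decoded.Substring(colon + 1));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;
        response.Clear();
        response.StatusCode = (int)HttpStatusCode.Unauthorized;
        response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        response.End(); // as in the answer: end the response so the 401 is what the client receives
    }
}
```

On the client side, the symptom in the question (a 200 from the login page being read as success) can be caught by not following redirects on this POST and treating anything other than the expected status as a failure.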
