如何拦截在ASP.NET MVC窗体身份验证401? [英] How to intercept 401 from Forms Authentication in ASP.NET MVC?
问题描述
我想生成一个401页。如果用户没有正确的权限。
I would like to generate a 401 page if the user does not have the right permission.
用户请求一个URL重定向到登录页面(我拒绝在web.config中所有匿名)。用户成功登录和被重定向到原始URL。然而,在权限检查,确定该用户没有所要求的权限,所以我想产生一个401但窗体身份验证始终处理401和用户登录页面重定向。
The user requests a url and is redirected to the login page (I have deny all anonymous in web.config). The user logs in successfully and is redirected to the original url. However, upon permission check, it is determined that the user does not have the required permission, so I would like to generate a 401. But Forms Authentication always handles 401 and redirects the user to the login page.
要我来说,这是不正确的。用户已验证,用户只是没有合适的授权
To me, this isn't correct. The user has already authenticated, the user just does not have the proper authorization.
在其他情况下,如AJAX或REST服务的情况下,我绝对不希望登录页面 - 我需要适当的401页
In other scenarios, such as in ajax or REST service scenario, I definitely do not want the login page - I need the proper 401 page.
到目前为止,我已经试过定制的授权过滤器与401返回的ViewResult,但没有奏效。然后,我尝试了正常的行为过滤器,覆盖OnActionExecuting,这也不能工作。
So far, I've tried custom Authorize filter to return ViewResult with 401 but didn't work. I then tried a normal Action Filter, overriding OnActionExecuting, which did not work either.
我能够做的就是在Global.asax中,PostRequestHandlerExecute处理事件,并检查权限,然后写出来直接回应:
What I was able to do is handle an event in global.asax, PostRequestHandlerExecute, and check for the permission then write out directly to response:
if (permissionDenied)
{
Context.Response.StatusCode = 401;
Context.Response.Clear();
Context.Response.Write("Permission Denied");
Context.Response.Flush();
Context.Response.Close();
return;
}
这工作,但它不是真正的我想要的。
首先,我甚至不知道这是正确的活动,或者在管道的地方这样做。
其次,我要401页有一点点更多的内容。 preferably,它应该是一个aspx页面可能是相同的母版页作为网站的其余部分。这样一来,浏览网站的用户可以看到,权限被拒绝,但具有相同的外观和感觉等,但阿贾克斯或服务的用户,将会得到适当的地位code采取行动。
That works but it's not really what I want. First of all, I'm not even sure if that is the right event or the place in the pipeline to do that. Second, I want the 401 page to have a little more content. Preferably, it should be an aspx page with possibly the same master page as the rest of the site. That way, anyone browsing the site can see that the permission is denied but with the same look and feel, etc. but the ajax or service user will get the proper status code to act on.
不知道如何可以做到这一点?
我见过的其他职位有类似的要求,但没有看到,我可以用一个解决方案。
Any idea how this can be achieved? I've seen other posts with similar requests but didn't see a solution that I can use.
不,我不想要一个403。
And no, I do not want a 403.
推荐答案
我找到了一个可行的解决方案。
I found a workable solution.
401重定向通过的 FormsAuthenticationModule 的 EndRequest 的过程中发生。由于活动期间处理模块被调用之前的的Global.asax 的,我们可以覆盖状态code后的 FormsAuthenticationModule 的有其肮脏的手请求。
401 redirect by FormsAuthenticationModule occurs during EndRequest. Since during event processing Modules are invoked before global.asax, we can override the status code after FormsAuthenticationModule has had its grubby hands on the request.
在我的自定义AuthorizationFilter,我设置的 HttpContext.Items [PermissionDenied] 的为true,然后在我的的Global.asax 的 EndRequest 的,我翻转从200到401的状态code,那么我的 Server.Transfer的的到我的自定义PermissionDenied视图。
In my custom AuthorizationFilter, I set HttpContext.Items["PermissionDenied"] to true and then in my global.asax EndRequest, I flip the status code from 200 to 401. Then I Server.Transfer to my custom PermissionDenied view.
我仍然preFER的 FormsAuthenticationModule 的本身进行了更新,处理这种情况,但我觉得这是不是太hackish的,我认为我可以住在一起。
I would still prefer FormsAuthenticationModule itself was updated to handle this scenario but I think this is not too hackish that I think I can live with it.
显然,你可以改变你的信号,即的Global.asax 的应该翻转状态code。我只是想状态code设定成类似511和使用,作为条件,而不是的 HttpContext.Items 的和工作为好。我猜,只要适当的地位code走出门,ASP.NET引擎不关心。
Obviously, you can change how you signal that global.asax should flip the status code. I just tried setting the status code to something like 511 and used that as the condition rather than HttpContext.Items and that worked as well. I guess as long the proper status code goes out the door, the ASP.NET engine doesn't care.
这篇关于如何拦截在ASP.NET MVC窗体身份验证401?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
