AllowAnonymous 不使用自定义 AuthorizationAttribute [英] AllowAnonymous not working with Custom AuthorizationAttribute

问题描述

这让我难住了一段时间.常见的类似情况似乎都不适用于这里.我可能漏掉了一些明显但我看不到的东西.

This has had me stumped for a while. None of the commonly encountered similar situations seem to apply here apparently. I've probably missed something obvious but I can't see it.

在我的 Mvc Web 应用程序中，我以这样一种方式使用 Authorize 和 AllowAnonymous 属性，您必须明确地打开一个公开可用的操作，而不是锁定站点的安全区域.我更喜欢这种方法.但是，我无法在我的 WebAPI 中获得相同的行为.

In my Mvc Web Application I use the Authorize and AllowAnonymous attributes in such a way that you have to explicitly open up an action as publicly available rather than lock down the secure areas of the site. I much prefer that approach. I cannot get the same behaviour in my WebAPI however.

我编写了一个继承自 System.Web.Http.AuthorizeAttribute 的自定义授权属性，其内容如下:

I have written a custom Authorization Attribute that inherits from System.Web.Http.AuthorizeAttribute with the following:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class MyAuthorizationAttribute : System.Web.Http.AuthorizeAttribute

我已将此注册为过滤器:

I have this registered as a filter:

    public static void RegisterHttpFilters(HttpFilterCollection filters)
    {
        filters.Add(new MyAuthorizationAttribute());
    }

这一切都按预期工作，没有凭据就无法再执行操作.问题是现在下面的方法不允许 AllowAnonymous 属性来做它的事情:

This all works as expected, actions are no longer available without credentials. The problem is that now the following method will not allow the AllowAnonymous attribute to do it's thing:

[System.Web.Http.AllowAnonymous]
public class HomeController : ApiController
{
    [GET("/"), System.Web.Http.HttpGet]
    public Link[] Index()
    {
        return new Link[] 
        { 
            new SelfLink(Request.RequestUri.AbsoluteUri, "api-root"),
            new Link(LinkRelConstants.AuthorizationEndpoint, "OAuth/Authorize/", "authenticate"),
            new Link(LinkRelConstants.AuthorizationTokenEndpoint , "OAuth/Tokens/", "auth-token-endpoint")
        };
    }
}

最常见的情况似乎是混淆了两个 Authorize/AllowAnonymous 属性.System.Web.Mvc 用于 Web 应用程序，System.Web.Http 用于 WebAPI(反正我是这么理解的).

The most common scenario seems to be getting the two Authorize / AllowAnonymous attributes mixed up. System.Web.Mvc is for web apps and System.Web.Http is for WebAPI (as I understand it anyway).

我使用的两个属性都来自同一个命名空间 - System.Web.Http.我认为这只会继承基本功能并允许我在 OnAuthotize 方法中注入我需要的代码.

Both of the Attributes I'm using are from the same namespace - System.Web.Http. I assumed that this would just inherit the base functionality and allow me to inject the code I need in the OnAuthotize method.

根据文档，AllowAnonymous 属性在我立即调用的 OnAuthorize 方法中起作用:

According to the documentation the AllowAnonymous attribute works inside the OnAuthorize method which I call immediately:

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        base.OnAuthorization(actionContext);

任何想法都将不胜感激.

Any thought's would be really appreciated.

有没有人遇到过这个问题并找到了根本原因?

Has anyone encountered this problem before and found the root cause?

推荐答案

AuthorizeAttribute 中有如下代码:

In the AuthorizeAttribute there is the following code:

private static bool SkipAuthorization(HttpActionContext actionContext)
{
    Contract.Assert(actionContext != null);

    return actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any()
               || actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any();
}

将此方法包含在您的 AuthorizeAttribute 类中，然后将以下内容添加到您的 OnAuthorization 方法的顶部以在找到任何 AllowAnonymous 属性时跳过授权:

Include this method in your AuthorizeAttribute class then add the following to the top of your OnAuthorization method to skip authorization if any AllowAnonymous attributes are found:

if (SkipAuthorization(actionContext)) return;

这篇关于AllowAnonymous 不使用自定义 AuthorizationAttribute的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！