Forms authentication + ASP.NET MVC absolute ReturnURL


Problem description

I have a central authentication application on server a. Server b has one or more applications on the same domain that need to authenticate from server a. It's easy enough to set it up so that the server b apps redirect out to server a. What's not so easy is getting the ReturnURL to be absolute.

Here's the wrinkle. Consuming app on server b has two controllers, one public and one secured. If the [authorize] decoration is placed on an action in the public (which is the default controller), I get the proper absolute URL. However, if it's in its own controller I get a relative URL.

I can intercept the on pre-request event in the consuming applications, but I need some parts of the site to be public, not the whole smash.

Thoughts?

Recommended answer

The way the standard AuthorizeAttribute works is by setting the response status code to 401 if the request is not authenticated. This kicks in the default authentication module's standard response to an unauthorized request. I assume that you're using forms-based authentication, which would build the return url based on the url in the request. In this case, probably a relative URL.

One thing you could do is instead of relying on the built-in behavior, you could implement an SSOAuthorizeAttribute which extends the AuthorizeAttribute class and overrides OnAuthorization. You could then extract the loginUrl from the forms element in the web configuration and build your own RedirectResult and pull the returnUrl from the HttpContext.Request.Url.AbsoluteUri property in the AuthorizationContext parameter.

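 using System;
 using System.Web.Mvc;
 using System.Web.Security;

 public class SSOAuthorizeAttribute : AuthorizeAttribute
 {
       // Note: only authentication is checked here; Roles/Users set on the
       // attribute are not evaluated because base.OnAuthorization is not called.
       public override void OnAuthorization( 
                           AuthorizationContext filterContext )
       {
           if (filterContext == null)
           {
               throw new ArgumentNullException( "filterContext" );
           }

           if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
           {
               // loginUrl attribute of the <forms> element in web.config
               string loginUrl = FormsAuthentication.LoginUrl;
               if (filterContext.HttpContext.Request != null)
               {
                   // URL-encode the absolute URI so that its own query string
                   // and reserved characters arrive as one ReturnUrl value
                   loginUrl += "?ReturnUrl=" + Uri.EscapeDataString(
                                   filterContext.HttpContext
                                                .Request
                                                .Url
                                                .AbsoluteUri );
               }

               filterContext.Result = new RedirectResult( loginUrl );
           }
       }
 }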
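
Once the ReturnUrl is absolute, the login application on server a should check it before redirecting back, otherwise any host can be passed in. The following is an added example, not part of the original answer: the class name ReturnUrlValidator, the Resolve method, and the host apps.example.com are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example: runs in the central login application (server a).
public static class ReturnUrlValidator
{
    // Hypothetical allowlist of consuming hosts (server b); constructed value.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "apps.example.com"
        };

    // Returns the URL to redirect to after login, or fallbackUrl when the
    // supplied ReturnUrl is missing, relative, not HTTPS, or not allowlisted.
    public static string Resolve(string returnUrl, string fallbackUrl)
    {
        Uri target;
        if (string.IsNullOrWhiteSpace(returnUrl) ||
            !Uri.TryCreate(returnUrl, UriKind.Absolute, out target))
        {
            return fallbackUrl;
        }

        // Only https targets; this also drops javascript:, data: and file: URIs.
        if (target.Scheme != Uri.UriSchemeHttps)
            return fallbackUrl;

        // A user-info part can make a URL look as if it points at an allowed host.
        if (!string.IsNullOrEmpty(target.UserInfo))
            return fallbackUrl;

        // Exact host match; no suffix or substring comparison.
        if (!AllowedHosts.Contains(target.Host))
            return fallbackUrl;

        return target.AbsoluteUri;
    }

    public static void Main()
    {
        // Constructed sample inputs.
        string fallback = "https://apps.example.com/";
        Console.WriteLine(Resolve("https://apps.example.com/secure/report?id=7", fallback));
        Console.WriteLine(Resolve("https://other.example.net/secure", fallback));
        Console.WriteLine(Resolve("/secure/report", fallback));
    }
}
```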
