Can someone explain this block of ASP.NET MVC code to me, please?

Question

This is the current code in the ASP.NET MVC2 (RTM) System.Web.Mvc.AuthorizeAttribute class:

public virtual void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
    {
        throw new ArgumentNullException("filterContext");
    }
    if (this.AuthorizeCore(filterContext.HttpContext))
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetProxyMaxAge(new TimeSpan(0L));
        cache.AddValidationCallback(
            new HttpCacheValidateHandler(this.CacheValidateHandler), null);
    }
    else
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

So if I'm 'authorized' then do some caching stuff, otherwise throw a 401 Unauthorized response.

Q: What are those 3 lines of caching doing?

Cheers :)

Recommended answer

This code exists to allow you to put both [OutputCache] and [Authorize] together on an action without running the risk of having a response that was generated for an authorized user cached and served to a user that is not authorized.

Here's the source code comment from AuthorizeAttribute.cs:

Since we're performing authorization at the action level, the authorization code runs after the output caching module. In the worst case this could allow an authorized user to cause the page to be cached, then an unauthorized user would later be served the cached page. We work around this by telling proxies not to cache the sensitive page, then we hook our custom authorization code into the caching mechanism so that we have the final say on whether a page should be served from the cache.

So just what is this attribute doing? It first disables proxy caching of this response, as proxies can't make the proper determination of which users are or are not authorized to view it. And if a proxy serves the response to an unauthorized user, this is a Very Bad Thing.

Now what about AddValidationCallback? In ASP.NET, the output caching module hooks events that run before the HTTP handler. Since MVC is really just a special HTTP handler, this means that if the output caching module detects that this response has already been cached, the module will just serve the response directly from cache without going through the MVC pipeline at all. This is also potentially a Very Bad Thing if the output cache serves the response to an unauthorized user.

Now take a closer look at CacheValidateHandler:

private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus) {
    validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));
}

// This method must be thread-safe since it is called by the caching module.
protected virtual HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext) {
    if (httpContext == null) {
        throw new ArgumentNullException("httpContext");
    }

    bool isAuthorized = AuthorizeCore(httpContext);
    return (isAuthorized) ? HttpValidationStatus.Valid : HttpValidationStatus.IgnoreThisRequest;
}

This effectively just associates the AuthorizeCore method with the cached response. When the output cache module detects a match, it will re-run the AuthorizeCore method to make sure that the current user really is allowed to see the cached response. If AuthorizeCore returns true, it's treated as a cache hit (HttpValidationStatus.Valid), and the response is served from cache without going through the MVC pipeline. If AuthorizeCore returns false, it's treated as a cache miss (HttpValidationStatus.IgnoreThisRequest), and the MVC pipeline runs as usual to generate the response.

As an aside, since a delegate is formed to AuthorizeCore (thus capturing the particular instance of AuthorizeAttribute) and saved in a static cache, this is why all types subclassing AuthorizeAttribute must be thread-safe.
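
An added example, not part of the original answer or the MVC source: a subclass that stays compatible with the caching behaviour described above by overriding only AuthorizeCore and keeping no per-request state in the attribute instance. ReportViewerAuthorizeAttribute, ReportsController and the user names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical subclass: only authenticated users on a fixed list may view reports.
public class ReportViewerAuthorizeAttribute : AuthorizeAttribute
{
    // Constructed sample names. The array is never modified after
    // initialization, so concurrent reads from several threads are safe.
    private static readonly string[] AllowedUsers = { "alice", "bob" };

    // Runs in two places: from OnAuthorization on a cache miss, and from the
    // output cache validation callback on a cache hit. The second path can run
    // on many threads at once against this same attribute instance, so nothing
    // request-specific is stored in fields; everything is read from httpContext.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }
        // The base check covers authentication and the Users/Roles properties.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }
        string name = httpContext.User.Identity.Name;
        return Array.Exists(AllowedUsers,
            u => string.Equals(u, name, StringComparison.OrdinalIgnoreCase));
    }

    // OnAuthorization is deliberately NOT overridden: the base implementation
    // is what calls SetProxyMaxAge and AddValidationCallback. Replacing it
    // without calling base would drop the cache validation hook.
}

public class ReportsController : Controller
{
    [ReportViewerAuthorize]
    [OutputCache(Duration = 60, VaryByParam = "none")]
    public ActionResult Summary()
    {
        // One cached copy is served to every caller who passes AuthorizeCore,
        // so the body must not contain data specific to a single user.
        return Content("Generated at " + DateTime.UtcNow.ToString("o"));
    }
}
```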
