Custom AuthorizeAttribute with custom authentication


Question


I am using ASP.NET MVC 4 Web application as a front-end for some WCF services. All the user log in/log out and session control is done on the back-end. MVC app should only store a single cookie with session ID. My client does not allow to use Forms Authentication, everything must be customized.


I have set up the following in my web.config:

  <system.web>
    ...
    <authentication mode="None" />
  </system.web>

  <system.webServer>
    <modules>
      ...
      <remove name="FormsAuthentication" />
      ...
    </modules>
  </system.webServer>


I have also a global filter:

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Force all actions to request auth. Only actions marked with [AllowAnonymous] will be allowed.
        filters.Add(new MyAuthorizeAttribute());
    }
}


which is called in Global.asax

   FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);


I have marked with [AllowAnonymous] every controller and action which does not need authorization.


And now I have to implement MyAuthorizeAttribute. I have tried some tutorials, but none of them completely match my scenarios.


Basically, I have to handle the following scenarios for each action:

  1. If there is a valid cookie, the current request should be considered
     authorized (there will be no role checks, there is only one kind of user).

  2. If there is no cookie, I should override the default MVC handler
     (which tries to load Account/Login) and redirect the user to the
     Home/Index page with a message that the user should log in.

  3. If the WCF method call throws a FaultException with our custom
     SecurityFault saying that the session has expired (SecurityFault has a
     custom enum field which contains the reason of the exception), I have to
     destroy my custom session cookie and again redirect the user to the
     Home/Index page with a message stating that the user should log in
     because his last session has expired. For all other SecurityFaults I can
     let them go through - I have a global error handler.


As far as I understand, I need to override AuthorizeCore (to check my cookie to see if the session exists and is still valid) and HandleUnauthorizedRequest (to redirect users to Home/Index instead of default Login page).

For the redirect I have tried:

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        base.HandleUnauthorizedRequest(filterContext);
        filterContext.Result = new RedirectResult("/Home/Index/NeedsLogin");
    }


which seems to handle the 2nd scenario fine (I'm not sure about that base call, though - is it needed?).


For the 1st scenario, I need to implement AuthorizeCore. I'm not sure how to do it correctly. I have seen that AuthorizeAttribute has some code for handling caching situations and maybe much more hidden functionality, and I don't want to break it.


For the 3rd scenario, I am not sure if MyAuthorizeAttribute will be able to handle it. Can AuthorizeAttribute catch exceptions which occur inside of the Action, or will I have to handle SecurityFault.SessionExpired situations in my global error handler?
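An added example covering the three scenarios above; it is not code from the question or the answer, and the SecurityFault contract, ISessionService, the DependencyResolver lookup and the cookie name are assumptions. Overriding AuthorizeCore instead of OnAuthorization keeps the base class's output-cache validation callback intact, and the expired-session fault is handled in a separate exception filter, because an authorization filter runs before the action and never sees its exceptions:

```csharp
using System;
using System.ServiceModel;
using System.Web;
using System.Web.Mvc;

// Assumed types, not from the post: the back-end's fault contract and session check.
public enum SecurityFaultReason { SessionExpired, AccessDenied }
public class SecurityFault { public SecurityFaultReason Reason { get; set; } }
public interface ISessionService { bool IsSessionValid(string sessionId); }

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    public const string SessionCookieName = "SessionId";  // assumed cookie name

    // Scenarios 1 and 2: the base OnAuthorization calls this (and wires up output-cache
    // validation); true lets the action run, false goes to HandleUnauthorizedRequest.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        HttpCookie cookie = httpContext.Request.Cookies[SessionCookieName];
        if (cookie == null || string.IsNullOrWhiteSpace(cookie.Value))
            return false;
        // Validate server-side; a cookie that merely exists is not proof of a live session.
        var sessions = DependencyResolver.Current.GetService<ISessionService>();
        return sessions.IsSessionValid(cookie.Value);
    }

    // Scenario 2: replace the default redirect to Account/Login. No base call is needed;
    // the base only sets an HttpUnauthorizedResult, which is overwritten here anyway.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("/Home/Index/NeedsLogin");
    }
}

// Scenario 3: an authorization filter runs before the action and never sees its
// exceptions, so the expired-session fault is handled by a global exception filter.
public class SessionExpiredFilter : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        var fault = filterContext.Exception as FaultException<SecurityFault>;
        if (fault == null || fault.Detail.Reason != SecurityFaultReason.SessionExpired)
            return;  // every other SecurityFault falls through to the global error handler
        // Destroy the custom session cookie by sending it back already expired.
        var expired = new HttpCookie(MyAuthorizeAttribute.SessionCookieName, string.Empty);
        expired.Expires = DateTime.UtcNow.AddDays(-1);
        filterContext.HttpContext.Response.Cookies.Add(expired);
        filterContext.Result = new RedirectResult("/Home/Index/SessionExpired");
        filterContext.ExceptionHandled = true;
    }
}
```

Both filters are registered in RegisterGlobalFilters with filters.Add(...); the exception filter must be added before any HandleErrorAttribute that would otherwise claim the fault first.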

Answer


Not totally sure I get it, but if you create a custom Authorization Filter that inherits from the System.Web.Mvc.Authorize attribute like this:

    public class CustomAuthorize : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // Cookies are reached through HttpContext.Request, not the filter context itself.
            if (CookieIsValid(filterContext.HttpContext.Request.Cookies["cookieyouwant"]))
            {
                // Valid session: let the request continue to the action.
                return;
            }
            filterContext.Result = new RedirectResult("/Home/Index/NeedsLogin");
        }

        // Placeholder check; replace with a real validation against the session store.
        private static bool CookieIsValid(HttpCookie cookie)
        {
            return cookie != null && !string.IsNullOrEmpty(cookie.Value);
        }
    }


And then decorate your methods that need to employ this authorization. Will that do the trick?
