的ASP.NET Web API:正确方法返回一个401 /未经授权的响应 [英] ASP.NET Web API : Correct way to return a 401/unauthorised response
问题描述
我有一个使用OAuth /令牌身份验证来验证请求的MVC的WebAPI的网站。所有相关的控制器都具有正确的属性,认证工作确定。
I have an MVC webapi site that uses OAuth/token authentication to authenticate requests. All the relevant controllers have the right attributes, and authentication is working ok.
的问题是,不是所有的请求的所用的属性的范围来授权 - 一些授权检查有code是受控制器方法调用来执行 - 什么是返回一个401的正确方法在这种情况下,未授权的反应?
The problem is that not all of the request can be authorised in the scope of an attribute - some authorisation checks have to be performed in code that is called by controller methods - what is the correct way to return a 401 unauthorised response in this case?
我曾尝试抛出新的HttpException(401,未经授权的访问);
,但是当我做这个响应状态code是500,我去也得到一个堆栈跟踪。即使在我们的记录DelegatingHandler我们可以看到,该响应是500,而不是401
I have tried throw new HttpException(401, "Unauthorized access");
, but when I do this the response status code is 500 and I get also get a stack trace. Even in our logging DelegatingHandler we can see that the response is 500, not 401.
推荐答案
您应该抛出一个<一个href=\"https://msdn.microsoft.com/en-us/library/system.web.http.htt$p$psponseexception.aspx\"><$c$c>Htt$p$psponseException$c$c>从您的API方法,而不是<一href=\"https://msdn.microsoft.com/en-us/library/system.web.httpexception.aspx\"><$c$c>HttpException$c$c>:
You should be throwing a HttpResponseException
from your API method, not HttpException
:
throw new HttpResponseException(HttpStatusCode.Unauthorized);
或者,如果你想提供一个自定义消息:
Or, if you want to supply a custom message:
var msg = new HttpResponseMessage(HttpStatusCode.Unauthorized) { ReasonPhrase = "Oops!!!" };
throw new HttpResponseException(msg);
这篇关于的ASP.NET Web API:正确方法返回一个401 /未经授权的响应的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!