Redirect loop with .Net MVC Authorize attribute with ADFS Claims

Views: 132

Problem description


I have a problem configuring ADFS with my .Net MVC 5 app.


I have configured my project in VS 2015 to use claims and it works ok, but I have an issue.


I can sign in using ADFS, I can check user roles etc. The problem occurs when I try to use

[Authorize(Roles="somenonExistingRole")]


despite that I'm already authenticated I am redirected to the ADFS page, where authentication takes place again, and I'm redirected to my page, where the loop occurs. The page sends me to the ADFS portal, ADFS redirects me to the portal, and after a few tries I get an error from ADFS (too many requests).


Do I have to implement something like a Role provider by myself? Or do I need to configure something extra? Maybe I could just limit the number of tries? Why am I redirected to ADFS when I have my roles already?


There is not much to show actually in the code, but as requested, the controller that I'm testing:

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize]
    public ActionResult About()
    {
        var u = HttpContext.User;

        if (u.IsInRole("/"))
        {
            ViewBag.Message = "User is in role.";
        }
        else
        {
            ViewBag.Message = "User is NOT in role.";
        }

        return View();
    }

    [Authorize(Roles = "/nonexistingRole")]
    public ActionResult Contact()
    {
        ViewBag.Message = "Your contact page.";

        return View();
    }
}


and the configure auth section

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseWsFederationAuthentication(
        new WsFederationAuthenticationOptions
        {
            Wtrealm = realm,
            MetadataAddress = adfsMetadata
        });
}


Recommended answer


To fix the loop problem, you should override the AuthorizeAttribute.


By default, MVC returns a 401 Unauthorized when a user's roles do not meet the AuthorizeAttribute requirements. This initializes a reauthentication request to the identity provider. Since the user is already logged in, AAD returns to the same page, which then issues another 401, creating a redirect loop. Here, we override the AuthorizeAttribute's HandleUnauthorizedRequest method to show something that makes sense in the context of our application.


This class was generated when creating a new MVC project using VS 2015:

using System;
using System.Web.Mvc;
using System.Web.Routing;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Already signed in: the role check failed, so do NOT return 401
        // (a 401 re-triggers the WS-Federation challenge and causes the loop).
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            //One Strategy: answer with 403 Forbidden
            //filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);

            //Another Strategy: redirect to an application error page
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new
                    {
                        controller = "Error",
                        action = "ShowError",
                        errorMessage = "You do not have sufficient privileges to view this page."
                    })
                );
        }
        else
        {
            // Not signed in: let the base class return 401 so the identity
            // provider challenge (redirect to ADFS) happens as usual.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
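As an added example (not code from the question or the answer above), the same override written so the two failure modes stay clearly apart: an unauthenticated request still gets the 401 that the WS-Federation middleware turns into a redirect to ADFS, while an authenticated request that lacks the required role gets a 403 (or a local error page for browser requests) and never re-enters the sign-in flow. The names ClaimsAuthorizeAttribute, ErrorController, the Forbidden action and the MyApp namespaces are my own choices; the error action is included because the answer's version redirects to an Error controller without showing it.

```csharp
using System.Net;
using System.Web.Mvc;
using System.Web.Routing;

namespace MyApp.Filters // hypothetical namespace
{
    // Distinguishes "not signed in" (401 -> WS-Federation challenge to ADFS)
    // from "signed in but missing the role" (403 -> no challenge, no loop).
    public class ClaimsAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.Request.IsAuthenticated)
            {
                // No identity yet: the base 401 lets the active WS-Federation
                // middleware redirect the browser to ADFS to sign in.
                base.HandleUnauthorizedRequest(filterContext);
                return;
            }

            // Authenticated but not authorized. A 401 here would start another
            // sign-in round trip; 403 tells the client the identity is known
            // and simply not permitted.
            if (filterContext.HttpContext.Request.IsAjaxRequest())
            {
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            }
            else
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary(new { controller = "Error", action = "Forbidden" }));
            }
        }
    }
}

namespace MyApp.Controllers // hypothetical namespace
{
    // Target of the redirect above. It must carry no role requirement of its
    // own, otherwise the redirect would just produce another 403/redirect cycle.
    public class ErrorController : Controller
    {
        [AllowAnonymous]
        public ActionResult Forbidden()
        {
            // Keep the real status code on the friendly page so proxies, logs
            // and monitoring see a 403 rather than a 200.
            Response.StatusCode = (int)HttpStatusCode.Forbidden;
            Response.TrySkipIisCustomErrors = true; // stop IIS replacing the view
            return View();
        }
    }
}
```

Apply it as [ClaimsAuthorize(Roles = "...")] on the action or controller. Giving the subclass its own name avoids the type-name clash that the answer's version has with System.Web.Mvc.AuthorizeAttribute, where which AuthorizeAttribute a given [Authorize] resolves to depends on the using directives in each file.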
