Attribute inheriting from AuthorizeAttribute not working

Question

I'm currently trying to implement security in a new ASP MVC 5 application, based on user roles. The goal is to prevent users from accessing certain controllers or controller methods if they don't have a certain role (or higher). Based on what I've read on the question so far, I created an attribute that inherits AuthorizeAttribute which looks like this (MyAppRole is an enum, btw):

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeRoleOrSuperiorAttribute : AuthorizeAttribute
{
    private MyAppRole _authorizedRole;

    public AuthorizeRoleOrSuperiorAttribute(MyAppRole authorizedRole)
    { //Breakpoint here
        _authorizedRole = authorizedRole;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    { //Breakpoint here
        base.OnAuthorization(actionContext);

        if (!UserInfo.GetUserRoles().Any(r => (int)r >= (int)_authorizedRole))
            throw new UnauthorizedAccessException(ErrorsModule.RoleMissing);
    }
}

And I call it this way on methods and/or controllers:

[AuthorizeRoleOrSuperior(MyAppRole.Admin)]
public class MyController : Controller
{
    [AuthorizeRoleOrSuperior(MyAppRole.Admin)]
    public ViewResult Index()
    {
        [...]
    }

    [...]
}

I placed a breakpoint on the constructor and the OnAuthorization method but, when I launch the app and call the concerned controller or method, I never hit any of them and the action is called, even though I'm not even logged in.

Note: the AuthorizeAttribute is working properly when I use it.

Any idea what could prevent the attribute from working and filtering access?

Recommended answer

Are you inheriting the attribute from System.Web.Http.AuthorizeAttribute? It works differently than System.Web.Mvc.AuthorizeAttribute.

Try inheriting from System.Web.Mvc.AuthorizeAttribute instead.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeRoleOrSuperiorAttribute : System.Web.Mvc.AuthorizeAttribute
{
    private MyAppRole _authorizedRole;

    public AuthorizeRoleOrSuperiorAttribute(MyAppRole authorizedRole)
    { //Breakpoint here
        _authorizedRole = authorizedRole;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    { //Breakpoint here
        base.OnAuthorization(filterContext);

        if (!UserInfo.GetUserRoles().Any(r => (int)r >= (int)_authorizedRole))
            throw new UnauthorizedAccessException(ErrorsModule.RoleMissing);
    }
}

That should at least make you hit the breakpoint.

Note parameter difference in: OnAuthorization(AuthorizationContext filterContext) and public override void OnAuthorization(HttpActionContext actionContext)

You can also set filterContext.Result = new HttpUnauthorizedResult(); to get the correct 401 HTTP status code.
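
A variant of the attribute above, as an added example that is not part of the original answer: the role check moves into AuthorizeCore and failures are mapped to status codes in HandleUnauthorizedRequest instead of throwing. The MyAppRole values and the mapping of enum member names to IsInRole role names are assumptions; the question's UserInfo.GetUserRoles() helper is not shown on the page, so it is not used here.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Constructed stand-in for the question's enum; a higher value means more privilege (assumption).
public enum MyAppRole { User = 1, Manager = 2, Admin = 3 }

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeRoleOrSuperiorAttribute : System.Web.Mvc.AuthorizeAttribute
{
    private readonly MyAppRole _authorizedRole;

    public AuthorizeRoleOrSuperiorAttribute(MyAppRole authorizedRole)
    {
        _authorizedRole = authorizedRole;
    }

    // The base OnAuthorization calls this after honoring [AllowAnonymous], and
    // calls it again when validating output-cached responses, so the role check
    // is not skipped for cached pages.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The base check rejects anonymous users (and applies Users/Roles if set).
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Assumption: role names on the principal match the enum member names.
        return Enum.GetValues(typeof(MyAppRole)).Cast<MyAppRole>()
            .Where(r => (int)r >= (int)_authorizedRole)
            .Any(r => httpContext.User.IsInRole(r.ToString()));
    }

    // Reached whenever AuthorizeCore returns false.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            // Logged in but lacking the role: 403, so a forms-auth login redirect does not loop.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            // Anonymous: the base implementation sets HttpUnauthorizedResult (401).
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```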
