从AuthorizeAttribute继承的属性不起作用 [英] Attribute inheriting from AuthorizeAttribute not working
问题描述
我目前正在尝试根据用户角色在新的ASP MVC 5应用程序中实现安全性.目的是防止用户在没有特定角色(或更高角色)的情况下访问某些控制器或控制器方法.根据到目前为止我对这个问题所读的内容,我创建了一个继承了AuthorizeAttribute的属性,该属性看起来像这样(MyAppRole是一个枚举,btw):
I'm currently trying to implement security in a new ASP MVC 5 application, based on user roles. The goal is to prevent users from accessing certain controllers or controller methods if they don't have a certain role (or higher). Based on what I've read on the question so far, I created an attribute that inherits AuthorizeAttribute which looks like this (MyAppRole is an enum, btw) :
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeRoleOrSuperiorAttribute : AuthorizeAttribute
{
private MyAppRole _authorizedRole;
public AuthorizeRoleOrSuperiorAttribute(MyAppRole authorizedRole)
{ //Breakpoint here
_authorizedRole = authorizedRole;
}
public override void OnAuthorization(HttpActionContext actionContext)
{ //Breakpoint here
base.OnAuthorization(actionContext);
if (!UserInfo.GetUserRoles().Any(r => (int)r >= (int)_authorizedRole))
throw new UnauthorizedAccessException(ErrorsModule.RoleMissing);
}
}
我在方法和/或控制器上这样称呼它:
And I call it this way on methods and/or controllers :
[AuthorizeRoleOrSuperior(MyAppRole.Admin)]
public class MyController : Controller
{
[AuthorizeRoleOrSuperior(MyAppRole.Admin)]
public ViewResult Index()
{
[...]
}
[...]
}
我在构造函数和OnAuthorization方法上放置了一个断点,但是,当我启动应用程序并调用相关的控制器或方法时,即使我什至没有登录,也从未打过任何一个,并且调用了该动作.
I placed a breakpoint on the constructor and the OnAuthorization method but, when I launch the app and call the concerned controller or method, I never hit any of them and the action is called, even though I'm not even logged in.
注意:当我使用AuthorizeAttribute时,它可以正常工作.
Note : the AuthorizeAttribute is working properly when I use it.
有什么想法可以阻止该属性工作并过滤访问?
Any idea what could prevent the attribute to work and filter accesses ?
推荐答案
您是否从System.Web.Http.AuthorizeAttribute继承属性?它的工作方式不同于System.Web.Mvc.AuthorizeAttribute.
Are you inheriting the attribute from System.Web.Http.AuthorizeAttribute? It works differently than System.Web.Mvc.AuthorizeAttribute.
尝试从System.Web.Mvc.AuthorizeAttribute继承.
Try inheriting from System.Web.Mvc.AuthorizeAttribute instead.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeRoleOrSuperiorAttribute : System.Web.Mvc.AuthorizeAttribute
{
private MyAppRole _authorizedRole;
public AuthorizeRoleOrSuperiorAttribute(MyAppRole authorizedRole)
{ //Breakpoint here
_authorizedRole = authorizedRole;
}
public override void OnAuthorization(AuthorizationContext filterContext)
{ //Breakpoint here
base.OnAuthorization(filterContext);
if (!UserInfo.GetUserRoles().Any(r => (int)r >= (int)_authorizedRole))
throw new UnauthorizedAccessException(ErrorsModule.RoleMissing);
}
}
那至少应该使您达到断点.
That should at least make you hit the breakpoint.
注意以下参数差异:
OnAuthorization(AuthorizationContext filterContext)
和
public override void OnAuthorization(HttpActionContext actionContext)
Note parameter difference in:
OnAuthorization(AuthorizationContext filterContext)
and
public override void OnAuthorization(HttpActionContext actionContext)
您还可以设置filterContext.Result = new HttpUnauthorizedResult();
以获得正确的401 http状态代码.
You can also set filterContext.Result = new HttpUnauthorizedResult();
to get the correct 401 http status code.
这篇关于从AuthorizeAttribute继承的属性不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!