Redirecting unauthorized controller in ASP.NET MVC


Problem description

I have a controller in ASP.NET MVC that I've restricted to the admin role:

using System.Web.Mvc;

[Authorize(Roles = "Admin")]
public class TestController : Controller
{
   // ... actions ...
}

If a user who is not in the Admin role navigates to this controller they are greeted with a blank screen.

What I would like to do is redirect them to View that says "you need to be in the Admin role to be able to access this resource."

One way of doing this that I've thought of is to have a check in each action method on IsUserInRole() and if not in role then return this informational view. However, I'd have to put that in each Action which breaks the DRY principle and is obviously cumbersome to maintain.

Recommended answer

Create a custom authorization attribute based on AuthorizeAttribute and override OnAuthorization to perform the check how you want it done. Normally, AuthorizeAttribute will set the filter result to HttpUnauthorizedResult if the authorization check fails. You could have it set it to a ViewResult (of your Error view) instead.

EDIT: I have a couple of blog posts that go into more detail:

Example:

    using System;
    using System.Web;
    using System.Web.Mvc;

    [AttributeUsage( AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false )]
    public class MasterEventAuthorizationAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// The name of the master page or view to use when rendering the view on authorization failure.  Default
        /// is null, indicating to use the master page of the specified view.
        /// </summary>
        public virtual string MasterName { get; set; }

        /// <summary>
        /// The name of the view to render on authorization failure.  Default is "Error".
        /// </summary>
        public virtual string ViewName { get; set; }

        public MasterEventAuthorizationAttribute()
            : base()
        {
            this.ViewName = "Error";
        }

        // Matches the HttpCacheValidateHandler delegate; lets the output cache re-run authorization
        // before serving a cached copy of this action's response.
        protected void CacheValidateHandler( HttpContext context, object data, ref HttpValidationStatus validationStatus )
        {
            validationStatus = OnCacheAuthorization( new HttpContextWrapper( context ) );
        }

        public override void OnAuthorization( AuthorizationContext filterContext )
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException( "filterContext" );
            }

            if (AuthorizeCore( filterContext.HttpContext ))
            {
                SetCachePolicy( filterContext );
            }
            else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // auth failed, redirect to login page
                filterContext.Result = new HttpUnauthorizedResult();
            }
            else if (filterContext.HttpContext.User.IsInRole( "SuperUser" ))
            {
                // is authenticated and is in the SuperUser role
                // Note: this grants SuperUser access regardless of the Roles/Users set on the attribute.
                SetCachePolicy( filterContext );
            }
            else
            {
                // authenticated but not in a permitted role: render the informational view
                ViewDataDictionary viewData = new ViewDataDictionary();
                viewData.Add( "Message", "You do not have sufficient privileges for this operation." );
                filterContext.Result = new ViewResult { MasterName = this.MasterName, ViewName = this.ViewName, ViewData = viewData };
            }
        }

        protected void SetCachePolicy( AuthorizationContext filterContext )
        {
            // ** IMPORTANT **
            // Since we're performing authorization at the action level, the authorization code runs
            // after the output caching module. In the worst case this could allow an authorized user
            // to cause the page to be cached, then an unauthorized user would later be served the
            // cached page. We work around this by telling proxies not to cache the sensitive page,
            // then we hook our custom authorization code into the caching mechanism so that we have
            // the final say on whether a page should be served from the cache.
            HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
            cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
            cachePolicy.AddValidationCallback( CacheValidateHandler, null /* data */);
        }
    }

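A narrower variant, added here as an example and not part of the answer above: from ASP.NET MVC 2 onward AuthorizeAttribute exposes HandleUnauthorizedRequest, so the Roles/Users check and the output-cache validation callback can be inherited from the base class and only the failure path customised. The attribute name, the "AccessDenied" view name and the 403 status choice are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example (hypothetical attribute name): keeps AuthorizeAttribute's own role check and
// cache handling, and only replaces what happens when an authenticated user fails the check.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class AccessDeniedViewAuthorizeAttribute : AuthorizeAttribute
{
    /// <summary>View rendered for an authenticated user who lacks the required role.</summary>
    public string ViewName { get; set; }

    public AccessDeniedViewAuthorizeAttribute()
    {
        this.ViewName = "AccessDenied"; // assumed view name
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Anonymous caller: keep the default 401 so forms authentication sends them to the login page.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Authenticated but not in a permitted role: answer 403 with the informational view.
        // A 403 (rather than 401) avoids a login loop for a user who is already signed in and makes
        // the denial visible in the server logs.
        var response = filterContext.HttpContext.Response;
        response.StatusCode = 403;
        response.TrySkipIisCustomErrors = true;                 // render our view, not the IIS 403 page
        response.Cache.SetCacheability(HttpCacheability.NoCache); // never cache a denial

        var viewData = new ViewDataDictionary
        {
            { "Message", "You need to be in the " + this.Roles + " role to be able to access this resource." }
        };
        filterContext.Result = new ViewResult { ViewName = this.ViewName, ViewData = viewData };
    }
}

// Usage on the controller from the question:
// [AccessDeniedViewAuthorize(Roles = "Admin")]
// public class TestController : Controller { /* actions */ }
```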