当用户在 asp.net mvc3 中未被授权时重定向到另一个页面 [英] Redirect to another page when user is not authorized in asp.net mvc3

问题描述

我读过

如果未在 MVC 中进行身份验证，如何轻松重定向3? 和当用户未授权时重定向到 AccessDenied 页面 但是来自答案的链接(意味着 http://wekeroad.com/2008/03/12/aspnet-mvc-securing-your-controller-actions/) 不起作用.

我放了

[Authorize(Users = "test")]公共类 RestrictedPageController:控制器{公共 ActionResult 索引(){返回视图()；}....}

在我的 web.config 中，我已经

 <身份验证模式="表单"><forms loginUrl="~/Account/LogOn" timeout="2880"/></认证>

根据https://stackoverflow.com/a/6770583/998696

但是当我想访问 /RestrictedPage/Index 时，它必须将我重定向到其他页面(来自其他控制器).取而代之的是，错误显示如下:

/Project"应用程序中的服务器错误.未找到视图LogOn"或其主视图，或者没有视图引擎支持搜索的位置.搜索了以下位置:~/Views/Account/LogOn.aspx~/Views/Account/LogOn.ascx~/Views/Shared/LogOn.aspx~/Views/Shared/LogOn.ascx~/Views/Account/LogOn.cshtml~/Views/Account/LogOn.vbhtml~/Views/Shared/LogOn.cshtml~/Views/Shared/LogOn.vbhtml

登录前，Logon页面表单正确显示，但访问/RestrictedPage/Index页面时出现上述错误.我可以使用不同的用户登录，授权访问 RestrictedPage 页面.

我的错误在哪里以及如何设置重定向?

解决方案

默认的 Authorize 属性的行为方式是，当用户未通过身份验证或经过身份验证但未授权然后将状态代码设置为401(未授权).当过滤器将状态代码设置为 401 时，ASP.NET 框架会检查网站是否启用了表单身份验证，如果启用，则重定向到在那里设置的 loginUrl 参数.

如果你想改变这种行为，比如你想将用户重定向到一个 AccessDenied 控制器，如果用户已经过身份验证但没有被授权，那么你必须扩展 Authorize属性并覆盖 HandleUnauthorizedRequest 方法.

例如

公共类CustomAuthorize:AuthorizeAttribute{受保护的覆盖无效 HandleUnauthorizedRequest(AuthorizationContext filterContext){如果(！filterContext.HttpContext.User.Identity.IsAuthenticated){filterContext.Result = new HttpUnauthorizedResult();}别的{filterContext.Result = new RedirectToRouteResult(newRouteValueDictionary(new { controller = "AccessDenied" }));}}}

您可以根据需要覆盖 HandleUnauthorizedRequest，然后您必须标记控制器操作以使用 CustomAuthorize 属性而不是内置属性.>

I've read

How to easily redirect if not authenticated in MVC 3? and Redirect to AccessDenied page when user is not authorized but the link from an answer (means http://wekeroad.com/2008/03/12/aspnet-mvc-securing-your-controller-actions/) doesn't work.

I put

[Authorize(Users = "test")]
    public class RestrictedPageController: Controller
    {

        public ActionResult Index()
        {
           return View();
        }

 ....
    }

And in my web.config, I have already

 <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
 </authentication>

accordingly with https://stackoverflow.com/a/6770583/998696

But when I want to access /RestrictedPage/Index, it must redirect me to other page (from other controller). Instead of this, the error appears like:

Server Error in '/Project' Application.

The view 'LogOn' or its master was not found or no view engine supports the searched locations. The following locations were searched:
~/Views/Account/LogOn.aspx
~/Views/Account/LogOn.ascx
~/Views/Shared/LogOn.aspx
~/Views/Shared/LogOn.ascx
~/Views/Account/LogOn.cshtml
~/Views/Account/LogOn.vbhtml
~/Views/Shared/LogOn.cshtml
~/Views/Shared/LogOn.vbhtml

Before login, the Logon page form appears correctly but the above error appears when accessing /RestrictedPage/Index page. I can login with user different one authorized to access RestrictedPage page.

Where is my mistake and how setup redirection ?

解决方案

The default Authorize attribute behaves in such a way that when the user is not authenticated or authenticated but not authorized then it set the status code as 401 (UnAuthorized). When the filter sets the status code as 401 the ASP.NET framework checks if the website has forms authentication enabled and if it is then redirects to loginUrl parameter set up there.

If you want to change that behavior say you want to redirect the user to an AccessDenied controller if the user is authenticated but not authorized then you have to extend the Authorize attribute and override the HandleUnauthorizedRequest method.

For ex.

public class CustomAuthorize: AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
        else
        {
           filterContext.Result = new RedirectToRouteResult(new 
               RouteValueDictionary(new { controller = "AccessDenied" }));
        }
    }
}

You can override the HandleUnauthorizedRequest as per your need and then you have to mark the controller actions to use the CustomAuthorize attribute instead of the built-in one.

这篇关于当用户在 asp.net mvc3 中未被授权时重定向到另一个页面的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！