What initially sets the ReturnUrl parameter when using AuthorizeAttribute


Problem description

In an ASP.NET MVC project, when you decorate a class or method with [Authorize] and authorization fails, the site automatically redirects to the login page (using the loginUrl specified in web.config). In addition, something in the ASP.NET MVC framework passes along the original request's URL as a ReturnUrl parameter.

What is responsible for appending this ReturnUrl? I couldn't find any code for it in the project template. I also took a look at the code for AuthorizeAttribute in the ASP.NET stack source code but couldn't find anything there. I also tried searching the entire ASP.NET stack source code for "returnurl" but couldn't locate anything.

The reason I ask is that I've discovered a bug in this process. You can see this with a brand new Internet ASP.NET MVC project. Set the FormsAuth timeout to 1 minute in the web.config and then sign in. Wait over a minute and try to sign out. This will redirect to the login page with a ReturnUrl of /account/logoff, which leads to a 404 after logging in. I've worked around this for now with my own AuthorizeAttribute:

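using System.Web.Mvc;
using System.Web.Routing;

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        // The base class signals a failed check by setting an HttpUnauthorizedResult (401).
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            // Only a GET request can be replayed after login; for any other verb leave ReturnUrl empty.
            string returnUrl = null;
            if (filterContext.HttpContext.Request.HttpMethod.Equals("GET", System.StringComparison.CurrentCultureIgnoreCase))
                returnUrl = filterContext.HttpContext.Request.RawUrl;

            // Redirect to the login action directly instead of letting the 401 reach FormsAuthenticationModule.
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary()
            {
                { "client", filterContext.RouteData.Values[ "client" ] },
                { "controller", "Account" },
                { "action", "Login" },
                { "ReturnUrl", returnUrl }
            });
        }
    }
}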

However, I would like to take a look at the source and see if I can figure out why this bug exists, if it is indeed a bug.

Recommended answer

The returnUrl querystring parameter is added to the redirect to the login page inside the FormsAuthentication class in the System.Web.dll assembly. FormsAuthentication.RedirectToLoginPage method overloads end up calling the internal method, GetLoginPage. Both the name of the "ReturnUrl" variable and the LoginUrl can be overridden via web.config settings.

When the default AuthorizeAttribute encounters an unauthorized request, it just returns an HttpUnauthorizedResult, which is just a wrapper around the HttpStatusCodeResult with a status code of 401. The FormsAuthenticationModule kicks in behind the scenes and does the rest of the work. There is no direct interaction between MVC and these base classes, unless of course you are calling the FormsAuthentication class static methods directly.

Your solution is a standard one, when you want to override this behavior.

The GetLoginPage method that does the work is as follows:

internal static string GetLoginPage(string extraQueryString, bool reuseReturnUrl)
{
    HttpContext current = HttpContext.Current;
    string loginUrl = FormsAuthentication.LoginUrl;
    if (loginUrl.IndexOf('?') >= 0)
    {
        loginUrl = FormsAuthentication.RemoveQueryStringVariableFromUrl(loginUrl, FormsAuthentication.ReturnUrlVar);
    }
    int num = loginUrl.IndexOf('?');
    if (num >= 0)
    {
        if (num < loginUrl.Length - 1)
        {
            loginUrl = string.Concat(loginUrl, "&");
        }
    }
    else
    {
        loginUrl = string.Concat(loginUrl, "?");
    }
    string str = null;
    if (reuseReturnUrl)
    {
        str = HttpUtility.UrlEncode(FormsAuthentication.GetReturnUrl(false), current.Request.QueryStringEncoding);
    }
    if (str == null)
    {
        str = HttpUtility.UrlEncode(current.Request.RawUrl, current.Request.ContentEncoding);
    }
    loginUrl = string.Concat(loginUrl, FormsAuthentication.ReturnUrlVar, "=", str);
    if (!string.IsNullOrEmpty(extraQueryString))
    {
        loginUrl = string.Concat(loginUrl, "&", extraQueryString);
    }
    return loginUrl;
}
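
An added example, not part of the original question or answer: because GetLoginPage copies Request.RawUrl into the query string, the login action receives ReturnUrl as client-supplied input, so it can vet the value before redirecting, which also covers the POST-only /account/logoff case from the question. The base-controller name, the Home/Index fallback and the PostOnlyPaths list are assumptions for illustration.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical base class for the controller that hosts the Login action.
public abstract class ReturnUrlController : Controller
{
    // Assumption: actions in this application that only accept POST and
    // therefore cannot be the target of a post-login GET redirect.
    private static readonly string[] PostOnlyPaths = { "/Account/LogOff" };

    // Call from the Login POST action once the credentials have been accepted.
    protected ActionResult RedirectToReturnUrl(string returnUrl)
    {
        if (IsUsableReturnUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }

        // Assumed fallback landing page.
        return RedirectToAction("Index", "Home");
    }

    private bool IsUsableReturnUrl(string returnUrl)
    {
        // UrlHelper.IsLocalUrl rejects null/empty values, absolute URLs and
        // "//host" style values, so the redirect stays on this site.
        if (!Url.IsLocalUrl(returnUrl))
        {
            return false;
        }

        // Compare the path only, without query string, fragment or trailing slash.
        string path = returnUrl.Split('?', '#')[0].TrimEnd('/');

        foreach (string postOnly in PostOnlyPaths)
        {
            // EndsWith also matches when a virtual directory or a route
            // prefix (such as the question's "client" segment) precedes the path.
            if (path.EndsWith(postOnly, StringComparison.OrdinalIgnoreCase))
            {
                return false;
            }
        }

        return true;
    }
}
```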
