使用AllowAnonymous不与自定义AuthorizationAttribute工作 [英] AllowAnonymous not working with Custom AuthorizationAttribute

问题描述

这已经让我难住了一段时间。的经常遇到类似的情况似乎都不在这里显然适用。我可能错过了一些明显的，但我无法看到它。

This has had me stumped for a while. None of the commonly encountered similar situations seem to apply here apparently. I've probably missed something obvious but I can't see it.

在我的MVC Web应用程序我使用授权，并使用AllowAnonymous在你必须明确地开辟为公众提供一个行动，而不是锁定网站的安全区域这样的属性。我更preFER这种方法。我无法得到我却在的WebAPI相同的行为。

In my Mvc Web Application I use the Authorize and AllowAnonymous attributes in such a way that you have to explicitly open up an action as publicly available rather than lock down the secure areas of the site. I much prefer that approach. I cannot get the same behaviour in my WebAPI however.

我写了一个自定义授权属性，从System.Web.Http.AuthorizeAttribute继承了与以下内容：

I have written a custom Authorization Attribute that inherits from System.Web.Http.AuthorizeAttribute with the following:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class MyAuthorizationAttribute : System.Web.Http.AuthorizeAttribute

我有这个注册为一个过滤器：

I have this registered as a filter:

    public static void RegisterHttpFilters(HttpFilterCollection filters)
    {
        filters.Add(new MyAuthorizationAttribute());
    }

这所有的作品如预期，行动不再可用无凭据。问题是，现在下面的方法将不允许使用AllowAnonymous属性做的事情：

This all works as expected, actions are no longer available without credentials. The problem is that now the following method will not allow the AllowAnonymous attribute to do it's thing:

[System.Web.Http.AllowAnonymous]
public class HomeController : ApiController
{
    [GET("/"), System.Web.Http.HttpGet]
    public Link[] Index()
    {
        return new Link[] 
        { 
            new SelfLink(Request.RequestUri.AbsoluteUri, "api-root"),
            new Link(LinkRelConstants.AuthorizationEndpoint, "OAuth/Authorize/", "authenticate"),
            new Link(LinkRelConstants.AuthorizationTokenEndpoint , "OAuth/Tokens/", "auth-token-endpoint")
        };
    }
}

最常见的情形似乎越来越两个授权/使用AllowAnonymous属性混淆。 System.Web.Mvc是Web应用程序和System.Web.Http是的WebAPI（据我所知反正）。

The most common scenario seems to be getting the two Authorize / AllowAnonymous attributes mixed up. System.Web.Mvc is for web apps and System.Web.Http is for WebAPI (as I understand it anyway).

这两个我使用的属性都来自同一个命名空间 - System.Web.Http。我认为，这将只是继承的基本功能，并让我注入code，我需要在OnAuthotize方法。

Both of the Attributes I'm using are from the same namespace - System.Web.Http. I assumed that this would just inherit the base functionality and allow me to inject the code I need in the OnAuthotize method.

据中使用AllowAnonymous属性的工作OnAuthorize方法，我立即打电话给里面的文档：

According to the documentation the AllowAnonymous attribute works inside the OnAuthorize method which I call immediately:

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        base.OnAuthorization(actionContext);

任何思想的将是真正的AP preciated。

Any thought's would be really appreciated.

有没有人遇到过这个问题，并找到了根本原因？

Has anyone encountered this problem before and found the root cause?

推荐答案

在AuthorizeAttribute有以下code：

In the AuthorizeAttribute there is the following code:

    private static bool SkipAuthorization(HttpActionContext actionContext)
    {
        Contract.Assert(actionContext != null);

        return actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any()
               || actionContext.ControllerContext.ControllerDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any();
    }

这篇关于使用AllowAnonymous不与自定义AuthorizationAttribute工作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！