Unauthorized Page Access in MVC - Redirect to Unauthorized View Instead of Login Page


Problem description

I have an MVC website in which access is based on various roles. Once users log in to the system, they can see navigation to the pages they are authorized for. However, some users can still try to access pages with a direct URL. When they do, the system automatically redirects them to the login page. Instead of the login page, I want to redirect them to another view (Unauthorized).

Web.config has the following entries:

    <customErrors mode="On">
      <error statusCode="401" redirect="~/Home/Unauthorized" />
      <error statusCode="404" redirect="~/Home/PageNotFound" />
    </customErrors>
    <authentication mode="Forms">
      <forms name="Development" loginUrl="~/Account/Login" cookieless="UseCookies" timeout="120"></forms>
    </authentication>

I have registered these routes in Global.asax.cs as well.

routes.MapRoute(
    name: "Unauthorized",
    url: "{controller}/{action}/{id}",
    defaults: new { controller = "Home", action = "Unauthorized", id = UrlParameter.Optional }
);

routes.MapRoute(
    name: "PageNotFound",
    url: "{controller}/{action}/{id}",
    defaults: new { controller = "Home", action = "PageNotFound", id = UrlParameter.Optional }
);

Is that not enough?

Cheers

Recommended answer

After some research I think the easiest answer to this problem is just creating a custom authorize attribute, very similar to the one by jbbi (but that one didn't work, since the "new HttpUnauthorizedResult()" is internally automatically redirecting to the login, at least in MVC 5 with Identity).

using System.Web.Mvc;
using System.Web.Routing;

public class CustomAuthorize : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Not logged in: behaves like the normal Authorize and redirects to the login page
            base.HandleUnauthorizedRequest(filterContext);
        }
        else
        {
            // Logged in but without the role required to access it: redirect to the custom controller action
            filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
        }
    }
}

and the usage is the same as the default Authorize:

[CustomAuthorize(Roles = "Administrator")]

Then, just to do things right, don't forget to send out the HTTP code of the error page, e.g. like this in the controller:

public ActionResult AccessDenied()
{
    Response.StatusCode = 403;
    return View();
}

It's easy, it works and even I (.net mvc rookie) understand this.

Note: It doesn't work the same with the 401 code. It will always take over the 401 and internally redirect it to the login. But in my case, by definition, the 403 is also fitting.
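
A variant of the attribute and action from the answer above that also covers script (AJAX) callers and keeps IIS from replacing the 403 response body. This is an added example, not code from the answer; the name ForbidAwareAuthorizeAttribute is hypothetical, and the Error/AccessDenied target is the one the answer uses.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical name; a variant of the CustomAuthorize attribute from the answer.
public class ForbidAwareAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;

        if (!http.User.Identity.IsAuthenticated)
        {
            // Anonymous caller: keep the default 401, which forms authentication
            // turns into a redirect to loginUrl.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        if (http.Request.IsAjaxRequest())
        {
            // Script callers get a bare 403 so they can react to the status code
            // instead of following a redirect to an HTML page.
            filterContext.Result = new HttpStatusCodeResult(403);
            return;
        }

        // Authenticated but lacking the role: send the browser to the 403 page.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
    }
}

public class ErrorController : Controller
{
    public ActionResult AccessDenied()
    {
        Response.StatusCode = 403;
        // Keep IIS from swapping this view for its own 403 error page.
        Response.TrySkipIisCustomErrors = true;
        return View();
    }
}
```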
