MiniProfiler is bypassing my Authorization filter

Question


I have mini-profiler working, but now I am trying to restrict access by setting functions as described under "Profiler Security" at http://miniprofiler.com/

MiniProfiler.Settings.Results_Authorize = IsUserAllowedToSeeMiniProfilerUI;
MiniProfiler.Settings.Results_List_Authorize = IsUserAllowedToSeeMiniProfilerUI;


My IsUserAllowedToSeeMiniProfilerUI function needs to look at the results of the ClaimsPrincipal, which is modified by a custom globally registered Authorization filter.


When I watch the calls, the primary request is authorized as expected, and IsUserAllowedToSeeMiniProfilerUI returns true. However, the http request that retrieves the profiler results (~/mini-profiler-resources/results or ~/mini-profiler-resources/results-index) bypasses my global authorization filter, so the ClaimsPrincipal isn't correctly modified for that request, and IsUserAllowedToSeeMiniProfilerUI incorrectly returns false due to that.


I register mini-profiler's filter as GlobalFilters.Filters.Add(new ProfilingActionFilter()), and also have the handler registered in the web.config as

<system.webServer>
  <handlers>
    <!-- Routes every request under mini-profiler-resources/ through URL routing,
         which is what lets MiniProfilerHandler (an IHttpHandler) pick it up. -->
    <add name="MiniProfiler" path="mini-profiler-resources/*" verb="*"
         type="System.Web.Routing.UrlRoutingModule"
         resourceType="Unspecified" preCondition="integratedMode" />
    <!-- ... -->
  </handlers>
</system.webServer>


My custom authorization filter is registered in the Global.asax by adding it as GlobalFilters.Filters.Add(new MyAuthorizationFilter())


Why is mini-profiler bypassing my authorization filter?

Accepted answer


GlobalFilters is centric to the MVC framework. So by default the globally registered authorization filters will only take effect for requests handled by the MVC framework, not for all HTTP requests.


MiniProfiler implements its client-side results in a single class, MiniProfilerHandler, that implements both IRouteHandler and IHttpHandler. (The default profiler provider, WebRequestProfilerProvider, ensures that the routes for MiniProfilerHandler are registered. The web.config registration of UrlRoutingModule ensures that the mini-profiler URLs are actually routed.)


Thus MiniProfiler handles the profiler results HTTP requests directly as an HTTP handler that is located by routing, outside of the normal MVC request flow.


So it is necessary to handle any custom authorization logic in, e.g., the IsUserAllowedToSeeMiniProfilerUI method, taking into account that any authorization filters (or other action filters, for that matter) are not guaranteed to have run. Note, however, that it appears Results_Authorize is also invoked at some stage once profiling is started, so you must also handle the case where your filters have run.

See also: Understanding the MVC application execution process
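One way to write the Results_Authorize callback so that it does not depend on MyAuthorizationFilter having run, as an added example that is not part of the original question or answer. The claim type, the "Developers" role and the HasProfilerPermission helper are assumptions; the point is that the same decision logic is reused by the filter and by the handler callback, and that it evaluates only facts present on the principal before any MVC filter touches it, failing closed otherwise.

```csharp
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using StackExchange.Profiling;

public static class ProfilerAuthorization
{
    // Hypothetical claim that MyAuthorizationFilter may add when it runs.
    private const string ProfilerClaimType = "urn:example:can-view-profiler";

    // Shared decision logic. Call it from MyAuthorizationFilter AND from the
    // MiniProfiler callback, so the answer is the same whether or not the
    // filter pipeline ran for this request.
    public static bool HasProfilerPermission(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // fail closed: anonymous requests never see results

        var principal = user as ClaimsPrincipal ?? new ClaimsPrincipal(user);

        // Roles come from the authentication ticket, so they are present even
        // on the results request that bypassed the filter; the claim is only
        // present when the filter did run. Either is sufficient here.
        return principal.IsInRole("Developers")            // hypothetical role
            || principal.HasClaim(ProfilerClaimType, "true");
    }

    // Signature matches MiniProfiler.Settings.Results_Authorize (Func<HttpRequest, bool>).
    public static bool IsUserAllowedToSeeMiniProfilerUI(HttpRequest request)
    {
        if (request == null || request.RequestContext == null)
            return false;

        // ~/mini-profiler-resources/results is served by MiniProfilerHandler
        // (an IHttpHandler found via routing), so GlobalFilters never ran and
        // the principal here is the raw one set by the authentication module.
        var user = request.RequestContext.HttpContext.User;
        return HasProfilerPermission(user);
    }

    // Wire both callbacks to the same function, as the question does.
    public static void Register()
    {
        MiniProfiler.Settings.Results_Authorize = IsUserAllowedToSeeMiniProfilerUI;
        MiniProfiler.Settings.Results_List_Authorize = IsUserAllowedToSeeMiniProfilerUI;
    }
}
```

Call ProfilerAuthorization.Register() from Application_Start next to the GlobalFilters registrations, and have MyAuthorizationFilter call HasProfilerPermission as well so the two paths cannot drift apart.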
