自MVC AuthorizeAttribute为的ASP.NET Web API [英] Custom MVC AuthorizeAttribute for ASP.NET Web API
问题描述
我想实现我的Web API控制器的自定义授权属性,而是跨越意外的行为就来了。
I am trying to implement a custom authorization attribute on my Web API controllers, but came across an unexpected behavior.
<Authorize(Users:="myUser")>
Public Function GetTodoItems() As IQueryable(Of TodoItem)
以上code工作得非常好:它将允许的MYUSER的检索项目,BOT没有其他人被允许访问。然而,当我试图用我的自定义授权同样的方法,整个检查被跳过,并且任何用户都可以访问该资源。无论是 AuthorizeCore 也不在我的派生类中的 OnAuthorization 重写方法被调用。
The above code works very well: It will allow "myUser" to retrieve the items, bot nobody else is allowed access. However, when I try the same approach with my custom authorization, the entire check is skipped, and any user can access the resource. Neither the AuthorizeCore nor the OnAuthorization overridden methods in my derived class are called.
<MyAuth(Users:="myUser")>
Public Function GetTodoItems() As IQueryable(Of TodoItem)
在派生类 System.Web.Mvc.AuthorizeAttribute 继承,项目部署在IIS,用的 Windows身份验证的&安培;启用的模拟的和的匿名身份验证的禁用。
The derived class inherits from System.Web.Mvc.AuthorizeAttribute, and the project is deployed on IIS, with Windows Authentication & Impersonation enabled, and Anonymous Authentication disabled.
如果我添加了相同的自定义授权一个MVC控制器,然后它的作品。但在API控制器,什么都没有。如果授权属性不会有任何的工作,它会更有意义。我缺少的东西吗?这是一个预期的行为,或在Beta中的错误?
If I add the same custom authorization to an MVC Controller, then it works. But on the API Controllers, nothing. If the Authorize attribute wouldn't have worked either, it would have made more sense. Am I missing something? Is this an expected behavior, or a bug in the Beta?
推荐答案
您应该使用 System.Web.Http.AuthorizeAttribute 从System.Web.Http.dll用于Web API而不是 System.Web.Mvc.AuthorizeAttribute 。
You should use System.Web.Http.AuthorizeAttribute from System.Web.Http.dll for Web API instead of System.Web.Mvc.AuthorizeAttribute.
这是因为命名空间System.Web.Http.AuthorizeAttribute 是 AuthorizationFilterAttribute 导出。该过滤器由Web API自动处理。在我自己的实现我直接来源于 AuthorizationFilterAttribute 的基本HTTP认证的处理。
That is, because namespace System.Web.Http.AuthorizeAttribute is derived from AuthorizationFilterAttribute. The filters are handled automatically by the Web API. In my own implementation I derived directly from AuthorizationFilterAttribute for handling of the basic HTTP authentication.
这篇关于自MVC AuthorizeAttribute为的ASP.NET Web API的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
