Using custom authorization in MVC 4

Question

I'm currently developing a Web API using the MVC 4 web API project type. I am currently at a stage where I need to add some security to the API. I am aware of the Authorize attribute, however, the client would prefer a different approach. For this I have tried to override the Authorize attribute in my own class and as a basic start I simply have the AuthorizeCore always returning false which should mean not authenticated. If I then add this to an Action within a controller, the action always completes and I always retrieve the data. I believe the reason may be due to the custom attribute not being registered in the web.config file, however, I am unsure how to go about this when not using forms authentication.

The code I am using to test is a fresh MVC 4 web API project with the custom attribute shown below.

public class Auth : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return false;
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("http://www.google.com");
    }
}

I have then added the attribute onto the Get method of the default ValuesController as such

[Auth]
public IEnumerable<string> Get()

However, when I navigate to domain/api/Values I am always presented with the data instead of the expected redirect to Google. Any help is appreciated.

After looking around a little more I found this here: http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx This suggests that I chose the wrong AuthorizeAttribute class as I had chosen the one from System.Web.Mvc rather than the one from System.Web.Http. It appears that the Http version does not allow the same level of configuration as the MVC version as it doesn't allow me to override the AuthorizeCore. Any more help on this is appreciated.

Recommended answer

It appears that the problem was caused by using the wrong version of AuthorizeAttribute. After using the version found in System.Web.Http the code returns the correct error code should the user not have the required permissions. As an example here is the equivalent code to what I put in the original question:

using System;
using System.Web.Http;
using System.Net.Http;

public class AuthAttribute : AuthorizeAttribute
{
    // Rejects every request unconditionally, mirroring the "return false" test in the question.
    public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        HandleUnauthorizedRequest(actionContext);
    }

    // Builds the response sent to rejected callers: a 302 with a Location header.
    protected override void HandleUnauthorizedRequest(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        var response = actionContext.Request.CreateResponse(System.Net.HttpStatusCode.Redirect);
        response.Headers.Add("Location", "http://www.google.com");
        actionContext.Response = response;
    }
}
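
The answer above rejects every request by overriding OnAuthorization. As an added example (not code from the original question or answer), the attribute below instead overrides IsAuthorized, the System.Web.Http counterpart of AuthorizeCore, and goes one step further than the page by checking a shared API key and answering 401 rather than redirecting. The X-Api-Key header and the ApiKey appSettings entry are assumed names.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;

// Added example. The "X-Api-Key" header and the "ApiKey" appSettings entry
// are hypothetical names, not taken from the original post.
public class ApiKeyAuthorizeAttribute : AuthorizeAttribute
{
    private const string HeaderName = "X-Api-Key";

    // Web API counterpart of MVC's AuthorizeCore. The base OnAuthorization
    // calls this only after it has honoured [AllowAnonymous].
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        string expected = ConfigurationManager.AppSettings["ApiKey"];
        if (string.IsNullOrEmpty(expected))
            return false; // fail closed when no key is configured

        IEnumerable<string> values;
        if (!actionContext.Request.Headers.TryGetValues(HeaderName, out values))
            return false;

        string supplied = values.FirstOrDefault() ?? string.Empty;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(supplied),
                               Encoding.UTF8.GetBytes(expected));
    }

    // Answer 401 instead of a redirect, so API clients see the failure directly.
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        actionContext.Response = actionContext.Request.CreateErrorResponse(
            HttpStatusCode.Unauthorized, "Missing or invalid API key.");
    }

    // Compare without exiting early on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Applied as [ApiKeyAuthorize] on a controller or action, it only takes effect on ApiController types; on an MVC Controller the System.Web.Mvc attribute is the one the pipeline runs.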
