2

In my web application I need to create an action that will be accessible over a non-secured HTTP connection. All others have to be accessible over HTTPS only. I found that I can use the [RequireHttps] attribute on a controller and on an action.

But is there something like an [AllowHttp] attribute?

I do not want to put the [RequireHttps] attribute on every one of the controller's actions. It's easier to put [RequireHttps] on the controller and [AllowHttp] on the one action that can be accessed unsecured. Of course, only if this attribute is available.

I mean something like what we can do with authentication: [Authorize] on the controller and [AllowAnonymous] on some actions that can be accessed without authentication.

4

1 Answer

3

As you can see in the source code of AuthorizeAttribute, it checks for the presence of AllowAnonymousAttribute:

    bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true)
                             || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);

So you can derive your own attribute from RequireHttps and add the same check, so that it looks like:

    if (!skipAuthorization && !filterContext.HttpContext.Request.IsSecureConnection)
    {
        HandleNonHttpsRequest(filterContext);
    }

Instead of AllowAnonymousAttribute, you can add your own AllowHttpAttribute and mark your action with this new AllowHttpAttribute.

Answered on 2013-04-23T11:22:35.590
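
The approach described in the answer above, written out as a complete ASP.NET MVC filter. This is an added example, not code from the original answer; the names `AllowHttpAttribute`, `RequireHttpsUnlessAllowedAttribute`, `AccountController`, `Login` and `Ping` are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical marker attribute: opts one action (or a whole controller)
// out of the HTTPS requirement, the way [AllowAnonymous] opts out of [Authorize].
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AllowHttpAttribute : Attribute
{
}

// Hypothetical filter: behaves like [RequireHttps] unless [AllowHttp] is present.
public class RequireHttpsUnlessAllowedAttribute : RequireHttpsAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Same lookup AuthorizeAttribute performs for AllowAnonymousAttribute:
        // check the action first, then its controller.
        bool allowHttp =
            filterContext.ActionDescriptor.IsDefined(typeof(AllowHttpAttribute), inherit: true)
            || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowHttpAttribute), inherit: true);

        if (!allowHttp && !filterContext.HttpContext.Request.IsSecureConnection)
        {
            // Inherited behaviour: GET is redirected to https://,
            // any other verb is rejected with an exception.
            HandleNonHttpsRequest(filterContext);
        }
    }
}

// Constructed usage: HTTPS is the default for the controller,
// and exactly one action is reachable over plain HTTP.
[RequireHttpsUnlessAllowed]
public class AccountController : Controller
{
    public ActionResult Login() { return View(); }          // HTTPS only

    [AllowHttp]
    public ActionResult Ping() { return Content("ok"); }    // HTTP permitted
}
```

An action marked `[AllowHttp]` is served in clear text, so it should not return sensitive data or rely on authentication cookies; marking those cookies `Secure` keeps the browser from sending them to it.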