17

我重写了类来执行自定义授权

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult(403);
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

现在在 web.config 我已经配置了 403 错误页面

<customErrors defaultRedirect="/Shared/Error" mode="On">
  <error statusCode="403" redirect="/Shared/UnAuthorize" />
</customErrors>

但浏览器仍然向我显示 403 的默认错误页面,我在这里缺少什么,任何想法

4

7 回答 7

11

除了 Max B 之外,只是一个小提示/注释。答案:

当我使用自定义错误时,我会创建一个ErrorsController, 和一个 UnAuthorize ActionResult 并执行以下操作:

<error statusCode="403" redirect="/Errors/UnAuthorize" />

通过这种方式,我可以在控制器中添加额外信息或执行其他操作,例如:

  • 就像登录到有人试图访问经过身份验证的区域的数据库一样。
  • 错误计数。
  • 也许是他们可以用来发送管理员信息的错误或报告表单。
  • ...

这样您就可以更好地控制正在发生的事情。

于 2011-08-11T09:23:45.647 回答
11

我知道这是一个非常古老的问题,但我正在为可能有同样问题的人发帖。像我一样,我有同样的问题并解决了它。如果你想触发 web.config 中的 customErrors 元素,你可以试试下面。

protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
    throw new HttpException(403, "Forbidden");
}
于 2014-06-25T06:35:46.637 回答
6

当我编写自己的自定义 AuthorizeAttribute 时,我遇到了与您完全相同的问题。当我在 web.config 中添加“customErrors”标签时,不会显示 403 的自定义错误页面。这就是我解决它的方法:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
           filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new
                        { 
                            controller = "Error", 
                            action = "Unauthorised" 
                        })
                ); 

        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

将我想显示的路由分配给 filterContext.Result,而不是分配 403 HttpStatusCode。

于 2013-12-31T18:39:37.010 回答
3

或者您可以执行此替代解决方案,而不是使用:

filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult(403);

您可以将其更改为:

if (filterContext.HttpContext.Request.IsAuthenticated)
        {               
            throw new UnauthorizedAccessException();
        }

并在您的 Controller/BaseController 中覆盖方法 OnException(ExceptionContext filterContext)

protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.ExceptionHandled)
        {
            return;
        }

        if (filterContext.Exception.GetType() == typeof(UnauthorizedAccessException))
        {   
            filterContext.Result = new ViewResult
            {
                ViewName = "~/Views/Error/NotAuthorized.cshtml"
            };
            filterContext.ExceptionHandled = true;
            return;
        }

        base.OnException(filterContext);
    }
于 2011-12-08T09:01:53.710 回答
0

对我来说,似乎 HttpStatusCodeResult(403) 是错误的 if 分支。在我看来,代码应该是这样的:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.Request.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
            filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult(403);
        }
    }
}
于 2011-08-11T09:17:05.663 回答
0

如何在 mvc 中处理 401(未经授权)、403(禁止)和 500(内部服务器错误)。对于 ajax/非 ajax 调用和 aspx 表单下的身份验证。

可以对其进行更改,以不同方式处理各种未捕获的异常,并且无论请求是否为 ajax,都可以做出不同的反应。auth 部分允许它绕过任何常规的 mvc Web 表单重定向到登录页面,而是返回 401 未授权 - 然后您的客户端 js 框架可以更轻松地对 http 状态 401/403 做出反应。

// FilterConfig.cs:
filters.Add(new ApplicationAuthorizeAttribute());
filters.Add(new ApplicationHandleErrorAttribute());

public class ApplicationAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Note: To reach here, a Web.config path-specific rule 'allow users="?"' is needed (otherwise it redirects to login)

        var httpContext = filterContext.HttpContext;
        var request = httpContext.Request;
        var response = httpContext.Response;

        if (request.IsAjaxRequest())
        {
            response.SuppressFormsAuthenticationRedirect = true;
            response.TrySkipIisCustomErrors = true;
        }

        filterContext.Result = new HttpUnauthorizedResult();
    }
}

public class ApplicationHandleErrorAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext context)
    {
        var exception = context.Exception is AggregateException
            ? ((AggregateException)context.Exception).InnerExceptions.First()
            : context.Exception;
        var request = context.HttpContext.Request;
        var response = context.HttpContext.Response;
        var isAjax = request.IsAjaxRequest();

        if (exception is MyCustomPermissionDeniedException)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            response.TrySkipIisCustomErrors = isAjax;
            filterContext.ExceptionHandled = true;
            return;
        }

#if DEBUG
        if (!isAjax)
        {
            // Show default aspx yellow error page for developers
            return;
        }
#endif

        var requestUri = request.Url == null ? "" : request.Url.AbsoluteUri;
        MyCustomerLogger.Log(exception, requestUri);

        response.Clear();
        response.StatusCode = (int)System.Net.HttpStatusCode.InternalServerError;

#if DEBUG
        var errorMessage = exception.Message;
#else
        var errorMessage = "An error occurred, please try again or contact the administrator.";
#endif

        response.Write(isAjax
            ? JsonConvert.SerializeObject(new {Message = errorMessage})
            : errorMessage);
        response.End();
        response.TrySkipIisCustomErrors = true;
        context.ExceptionHandled = true;
    }
}

网络配置:

<system.webServer>

<authentication mode="Forms">
  <forms name=".MYAUTHCOOKIE" protection="All" loginUrl="/Account/Login" timeout="18000" slidingExpiration="true" enableCrossAppRedirects="false" />
</authentication>

<authorization>
  <deny users="?" />
</authorization>

</system.webServer>

<!-- ajax api security done via ApplicationAuthorizeAttribute -->
<location path="api">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

Web 服务 api 请求的附加路由:(放在常规 mvc 路由之上)

// This route has special ajax authentication handling (no redirect to login page)
routes.MapRoute(
    name: "DefaultApi",
    url: "api/{controller}/{action}/{id}",
    defaults: new { id = UrlParameter.Optional }
);

jquery 处理错误的示例客户端代码:

$.ajaxSetup({
    complete: function onRequestCompleted(xhr, textStatus) {
        if (xhr.readyState == 4 && xhr.status == 401) {
            // Not needed with smart status: && xhr.responseText.substring(0, 150).indexOf("<title>Log in") != -1
            //location.href = "/Account/Login";
            alert("Your session has timed out.");
        }
    }
});

或者,您可以使所有身份验证都通过 ApplicationHandleErrorAttribute,并摆脱 web.config 拒绝用户 =“?”。但是我有一个遗留的 aspx 页面,它没有命中 mvc 过滤,所以我想要拒绝用户 =“?”。

于 2015-05-27T17:24:03.043 回答
0

1-创建一个类来命名LoggedOrAuthorizedAttribute

    public class LoggedOrAuthorizedAttribute: AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            base.OnAuthorization(filterContext);
            CheckIfUserIsAuthenticated(filterContext);
        }

        private void CheckIfUserIsAuthenticated(AuthorizationContext filterContext)
        {
            // If Result is null, we're OK: the user is authenticated and authorized. 
            if (filterContext.Result == null)
                return;

            // If here, you're getting an HTTP 401 status code. In particular,
            // filterContext.Result is of HttpUnauthorizedResult type. Check Ajax here. 
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                filterContext.Result = new RedirectResult("/Error/Error401");
            }
        }
     }

2-将您创建的属性添加到操作的顶部

    [LoggedOrAuthorizedAttribute(Roles = "Admin")]
    public ActionResult Index()
    {
        return View();
    }

    [LoggedOrAuthorizedAttribute(Roles = "User")]
    public ActionResult IndexUser()
    {
        return View();
    }
于 2021-06-17T13:19:44.390 回答