这是我的基本 Controller 的代码,其想法是,如果授权字符串不在 HTTP header 中,我们会将它们踢出。我发誓它本来可以正常工作,但现在突然不起作用了。奇怪的是,当我调试时,它实际上是进入 if 语句,因此我请求的 HTTP header 确实是 NULL 或空字符串,但是,它不会提前退出并返回 403 Access Denied 了...它正在工作很好,突然间,当我尝试解析实际上未找到的授权字符串时,它会忽略整个事情并最终在应用程序中崩溃。
public class AuthController : Controller
{
protected int AccountID;
protected override void OnAuthorization(AuthorizationContext filterContext)
{
//if no authorization string is provided, access denied
if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
{
filterContext.Result = Content("Access Denied", "text/plain");
filterContext.HttpContext.Response.StatusCode = 403; //forbidden
base.OnAuthorization(filterContext);
}
//otherwise grab the authorization string and validate it
string authString = filterContext.HttpContext.Request.Headers["Authorization"];
string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;
int getAccountID = 0;
//if authorization fails...
if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
{
filterContext.Result = Content("Access Denied", "text/plain");
filterContext.HttpContext.Response.StatusCode = 403; //forbidden
base.OnAuthorization(filterContext);
}
//AccountID will never be zero at this point
AccountID = getAccountID;
//carry on with Controller Action, request is valid and AccountID is known
base.OnAuthorization(filterContext);
}
更新:刚刚尝试过filterContext.Result = new HttpUnauthorizedResult();相反,结果相同。 Controller 操作继续,并在尝试解析未找到的 header 字符串时抛出错误。
更新2:添加了“return;”在除了最后一个之外的每个 base.OnAuthorization() 调用之后,现在当它失败时,我会得到一个从 MVC 移动的 302,然后是 404,结果是应用程序试图重定向到默认登录页面 URL,但实际上并没有存在...这足够好吗?也许吧,但我宁愿直接阻止它,也不愿让一些奇怪的重定向发生,因为阻止它们的方式对我来说并不安全。
最佳答案
啊哈!
我调用base.OnAuthorization()太多次了,显然这实际上并不是线程的永久告别...不知道为什么我认为现在我想到了...这是工作代码:
protected override void OnAuthorization(AuthorizationContext filterContext)
{
int getAccountID = 0;
//if no authorization string is provided, access denied
if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
{
filterContext.Result = Content("Access Denied", "text/plain");
filterContext.HttpContext.Response.StatusCode = 403; //forbidden
}
else
{
//otherwise grab the authorization string and validate it
string authString = filterContext.HttpContext.Request.Headers["Authorization"];
string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;
//if authorization fails...
if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
{
filterContext.Result = Content("Access Denied", "text/plain");
filterContext.HttpContext.Response.StatusCode = 403; //forbidden
}
}
//AccountID will never be zero at this point
AccountID = getAccountID;
//carry on with Controller Action, request is valid and AccountID is known
base.OnAuthorization(filterContext);
}
关于asp.net-mvc-3 - 为什么我的重写 OnAuthorization 没有返回我设置的filterContext.Result?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/6835152/