asp.net-mvc-3 - 为什么我的重写 OnAuthorization 没有返回我设置的filterContext.Result？

Question

这是我的基本 Controller 的代码，其想法是，如果授权字符串不在 HTTP header 中，我们会将它们踢出。我发誓它本来可以正常工作，但现在突然不起作用了。奇怪的是，当我调试时，它实际上是进入 if 语句，因此我请求的 HTTP header 确实是 NULL 或空字符串，但是，它不会提前退出并返回 403 Access Denied 了...它正在工作很好，突然间，当我尝试解析实际上未找到的授权字符串时，它会忽略整个事情并最终在应用程序中崩溃。

public class AuthController : Controller
    {
        protected int AccountID;

        protected override void OnAuthorization(AuthorizationContext filterContext)
        {
            //if no authorization string is provided, access denied
            if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
            {
                filterContext.Result = Content("Access Denied", "text/plain");
                filterContext.HttpContext.Response.StatusCode = 403; //forbidden


                base.OnAuthorization(filterContext);
            }

            //otherwise grab the authorization string and validate it
            string authString = filterContext.HttpContext.Request.Headers["Authorization"];
            string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;
            int getAccountID = 0;

            //if authorization fails...
            if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
            {
                filterContext.Result = Content("Access Denied", "text/plain");
                filterContext.HttpContext.Response.StatusCode = 403; //forbidden

                base.OnAuthorization(filterContext);
            }

            //AccountID will never be zero at this point
            AccountID = getAccountID;

            //carry on with Controller Action, request is valid and AccountID is known
            base.OnAuthorization(filterContext);
        }

更新:刚刚尝试过filterContext.Result = new HttpUnauthorizedResult();相反，结果相同。 Controller 操作继续，并在尝试解析未找到的 header 字符串时抛出错误。

更新2:添加了“return;”在除了最后一个之外的每个 base.OnAuthorization() 调用之后，现在当它失败时，我会得到一个从 MVC 移动的 302，然后是 404，结果是应用程序试图重定向到默认登录页面 URL，但实际上并没有存在...这足够好吗？也许吧，但我宁愿直接阻止它，也不愿让一些奇怪的重定向发生，因为阻止它们的方式对我来说并不安全。

Answer 1

啊哈!

我调用base.OnAuthorization()太多次了，显然这实际上并不是线程的永久告别...不知道为什么我认为现在我想到了...这是工作代码:

protected override void OnAuthorization(AuthorizationContext filterContext)
{
    int getAccountID = 0;

    //if no authorization string is provided, access denied
    if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
    {
        filterContext.Result = Content("Access Denied", "text/plain");
        filterContext.HttpContext.Response.StatusCode = 403; //forbidden
    }
    else
    {
        //otherwise grab the authorization string and validate it
        string authString = filterContext.HttpContext.Request.Headers["Authorization"];
        string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;

        //if authorization fails...
        if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden
        }
    }

    //AccountID will never be zero at this point
    AccountID = getAccountID;

    //carry on with Controller Action, request is valid and AccountID is known
    base.OnAuthorization(filterContext);
}