Asp.net mvc HandleUnauthorizedRequest进入无限期
我有以下两个动作,它们不断地相互调用,并以无限循环的方式进行。我做错了什么Asp.net mvc HandleUnauthorizedRequest进入无限期,asp.net-mvc,vb.net,Asp.net Mvc,Vb.net,我有以下两个动作,它们不断地相互调用,并以无限循环的方式进行。我做错了什么 Public Overrides Sub OnAuthorization(filterContext As System.Web.Mvc.AuthorizationContext) 'This calls the AuthorzeCore function and also makes sure that the browser does not cache this function M
Public Overrides Sub OnAuthorization(filterContext As System.Web.Mvc.AuthorizationContext)
'This calls the AuthorzeCore function and also makes sure that the browser does not cache this function
MyBase.OnAuthorization(filterContext)
If Not IsNothing(filterContext.Result) Then
Return
End If
'Gets the calling Controller
Dim controllerName As String = filterContext.Controller.GetType().Name
'Gets the calling action
Dim actionName As String = filterContext.ActionDescriptor.ActionName
'Checks whether the logged in user has access to the action of the controller
Dim canAccess As test.Security.Permissions.PermissionTypes
canAccess = test.ApplicationSecurity.GetSecurityObject().GetAccess(controllerName & "." & actionName)
If canAccess = Security.Permissions.PermissionTypes.DISABLE Then
'User has access to the application but not to the action they are trying to access, so throw a Unauthorised exception
filterContext.HttpContext.Response.StatusCode = 403
HandleUnauthorizedRequest(filterContext)
End If
End Sub
Protected Overrides Sub HandleUnauthorizedRequest(filterContext As System.Web.Mvc.AuthorizationContext)
''To make sure that we throw a not authorised error rather not authenticated message
'If filterContext.HttpContext.Request.IsAuthenticated Then
' 'filterContext.Result = New HttpStatusCodeResult(CType(System.Net.HttpStatusCode.Forbidden, Int32))
' filterContext.Result = New RedirectToRouteResult(
'Else
' MyBase.HandleUnauthorizedRequest(filterContext)
'End If
If (filterContext.HttpContext.Request.IsAjaxRequest()) Then
Dim urlHelper As UrlHelper = New UrlHelper(filterContext.RequestContext)
filterContext.Result = New JsonResult With {.Data = New With {.Error = "NotAuthorized", .URL = urlHelper.Action("UnAuthorized", "Error")}, _
.JsonRequestBehavior = JsonRequestBehavior.AllowGet}
ElseIf filterContext.HttpContext.Response.StatusCode = 403 Then
filterContext.Result = New ViewResult With {.ViewName = "UnAuthorized"}
Else
filterContext.Result = New ViewResult With {.ViewName = "UnAuthenticated"}
End If
End Sub
您不应该从内部
OnAuthorization
调用HandleUnauthorizedRequest
,当请求无法授权时,会自动调用此方法
从:
在以下情况下,授权被拒绝:
•请求不与任何用户关联
•用户未通过身份验证
•用户已通过身份验证,但不在授权用户组(如定义)中,或者如果用户不在任何
授权角色的名称(如果定义)
如果拒绝授权,则此方法将调用
HandleUnauthorizedRequest(HttpActionContext)来处理
未经授权的请求
如果我从OnAuthorization函数中删除handleunauthorizedrequest调用,那么它只会忽略我已将statuscode设置为403并显示页面。我不确定这是否是一个好的做法,但它是有效的,如果我添加此行,而不是在授权函数filterContext.Result=New ViewResult和{.ViewName=“UnAuthorized”}中将状态代码设置为403,那么建议使用例如
filterContext.Result=New HttpUnauthorizedResult()
。如果我这样做,那么它基本上只是向用户显示用户名和密码弹出框,而不是显示带有我想要的错误消息的特定视图。还有其他方法吗?您可以通过httpContext
访问控制器,请参见