JavaScript: unauthorized AJAX request returns status code 200 instead of 401
Tags: javascript, ajax, asp.net-mvc, authentication, asp.net-mvc-5

In MVC5 I override HandleUnauthorizedRequest() and check whether the request comes from AJAX. I have also registered a global ajaxComplete handler to deal with 401 AJAX responses, but in HandleUnauthorizedRequest() the status code is still 200.

Question: do I have to change the status code manually in the filterContext of HandleUnauthorizedRequest()?

Detecting an unauthorized AJAX request:
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    if (filterContext.HttpContext.Request.IsAjaxRequest())
    {
        // <-- in here
        // Only the action result is replaced; nothing touches Response.StatusCode,
        // so the JSON below is sent with the default 200.
        filterContext.Result = new JsonResult
        {
            Data = new
            {
                returnUrl = "foo"
            },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
    else
    {
        // Non-AJAX requests keep the default behaviour (redirect to the login page).
        base.HandleUnauthorizedRequest(filterContext);
    }
}
Before I found the ajaxComplete solution I was using a hacky solution. It checks whether the user's request is authorized. The drawback is that I have to do the isAuthorized() check:

Checking whether the user's AJAX request is authorized:
var isAuthorized = function (result) {
    try {
        var obj = JSON && JSON.parse(result) || $.parseJSON(result);
        // Here, obj can still be a parsed JsonResult, from when getting GetDatatableRows(),
        // so we also need to check on returnUrl, which is distinct.
        // obj will only contain returnUrl if the JSON was returned from Shield validation.
        if (obj && obj.returnUrl) {
            window.location.replace(urlHelper.getUrlNotAuthorized() + '?returnUrl=' + encodeURIComponent(obj.returnUrl));
            return false;
        }
    } catch (e) {
        // Not JSON (e.g. a partial view): nothing to check, treat as authorized.
    }
    return true;
};
AJAX request whose result is a partial view or JSON:
partialViewService.changePartialViewService(url, data)
    .done(function (result) {
        if (isAuthorized(result)) {
            // use result
        }
    });
Yes - I have not checked this, but try adding the indicated line. Specifying code 401 does not filter through to the desired result (I suspect that is because Identity intercepts code 401):
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    if (filterContext.HttpContext.Request.IsAjaxRequest())
    {
        // add this (code 401 does not work)
        filterContext.HttpContext.Response.StatusCode = 412;
        // ... rest unchanged: set filterContext.Result to the JsonResult as in the question
    }
    // ... else branch unchanged
}

Actually, that is exactly what I just tried (with and without the two extra lines): filterContext.HttpContext.Response.StatusCode = 401; filterContext.HttpContext.Response.End(); filterContext.HttpContext.Response.Close(). I'm confused.

I'll check again for you.

I still get "200": xhr.status: "200" and xhr.statusCode().status: "200". Hmm.

This code should be wrapped in something like: public class CustomAuthorizeAttribute : AuthorizeAttribute { } - and then you have to make sure your actions are decorated with [CustomAuthorize] - on a base controller, a controller, or an individual action - if you don't add this, the custom code will not take effect. Have you checked that your actions are decorated with the equivalent []?

Yes, I have [ShieldAuthorization, ShieldWebUserCmpBu, ShieldWebUserRight] on all controllers. ShieldAuthorization is my "CustomAuthorization attribute". I override AuthorizeCore:

protected override bool AuthorizeCore(HttpContextBase httpContext)
{
    var authorized = base.AuthorizeCore(httpContext);
    if (!authorized)
    {
        return false; // user not authorized => no need to go further
    }
    return true;
}

Thanks for your help. In the meantime I have added a working but hacky version that does not use ajaxComplete yet. There I can ask about "returnUrl" instead of the status code, but the problem is that I have to remember to call the validation method in every place, which will surely fail at some point.
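As an added example (not code from the question or the answer), here is the decision a single global ajaxComplete handler like the one the asker describes would make, combining the non-200 status the answer proposes with the returnUrl check from the hacky version, and refusing a returnUrl that is not a same-site path. NOT_AUTHORIZED_PAGE stands in for urlHelper.getUrlNotAuthorized(), and the 401/403/412 status set is an assumption.

```javascript
// Added example, not from the original thread. Models the one global
// ajaxComplete hook: inspect every finished XHR and decide whether the body
// is real data or the "not authorized" JSON from the custom attribute.
// Assumed: the server sets 401 (or 412, as the answer suggests) and returns
// {"returnUrl": "..."} for unauthorized AJAX calls.
const NOT_AUTHORIZED_PAGE = '/Account/NotAuthorized'; // placeholder for urlHelper.getUrlNotAuthorized()
const UNAUTHORIZED_STATUSES = new Set([401, 403, 412]);

// Only accept a same-site relative path as returnUrl, so a crafted response
// cannot turn the redirect into an open redirect to another origin.
function isSafeReturnUrl(url) {
  return typeof url === 'string' && url.startsWith('/')
    && !url.startsWith('//') && !url.startsWith('/\\');
}

function parseJsonBody(text) {
  try { return JSON.parse(text); } catch (e) { return null; }
}

// Decide what the ajaxComplete hook should do with one finished request.
// Returns { authorized: true } when the caller may use the body, or
// { authorized: false, redirectTo } when the browser should be sent to the
// not-authorized page (the caller must not touch the body in that case).
function decideOnResponse(status, responseText) {
  const body = parseJsonBody(responseText);
  // Status code first (the fix the answer aims at); the returnUrl marker
  // covers the case where the framework still rewrites the status to 200.
  const looksUnauthorized = UNAUTHORIZED_STATUSES.has(status)
    || (body !== null && typeof body === 'object' && 'returnUrl' in body);
  if (!looksUnauthorized) {
    return { authorized: true };
  }
  // Fall back to the site root when the server sent no usable returnUrl.
  const returnUrl = body && isSafeReturnUrl(body.returnUrl) ? body.returnUrl : '/';
  return {
    authorized: false,
    redirectTo: NOT_AUTHORIZED_PAGE + '?returnUrl=' + encodeURIComponent(returnUrl),
  };
}

// Wiring in the browser (jQuery assumed), so no per-call isAuthorized() is needed:
// $(document).ajaxComplete(function (event, xhr) {
//   const d = decideOnResponse(xhr.status, xhr.responseText);
//   if (!d.authorized) window.location.replace(d.redirectTo);
// });
```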