asp.net-mvc ASP.NET MVC redirect to an access denied page using a custom role provider
Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
原文地址: http://stackoverflow.com/questions/1279643/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
ASP.NET MVC redirect to an access denied page using a custom role provider
Asked by AndreMiranda
I'm creating a custom role provider and I set a Authorize attribute specifying a role in my controller and it's working just fine, like this:
[Authorize(Roles="SuperAdmin")]
public class SuperAdminController : Controller
...
But when a user doesn't have access to this controller, he's redirected to the login page. How can I redirect him to an "AcessDenied.aspx" page?
Answered by eu-ge-ne
[AccessDeniedAuthorize(Roles="SuperAdmin")]
public class SuperAdminController : Controller
AccessDeniedAuthorizeAttribute.cs:
using System.Web.Mvc;

public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Let the base attribute run the authentication and role checks first.
        base.OnAuthorization(filterContext);

        // The base class sets a 401 result when the check fails; replace it with a redirect
        // so the forms-authentication module does not bounce the user to the login page.
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            filterContext.Result = new RedirectResult("~/AcessDenied.aspx");
        }
    }
}
Answered by Matt Frear
Here's my solution, based on eu-ge-ne's answer. Mine correctly redirects the user to the Login page if they are not logged in, but to an Access Denied page if they are logged in but are unauthorized to view that page.
[AccessDeniedAuthorize(Roles="SuperAdmin")]
public class SuperAdminController : Controller
AccessDeniedAuthorizeAttribute.cs:
using System.Web.Mvc;

public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        // Not signed in at all: send the user to the login page.
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new RedirectResult("~/Account/Logon");
            return;
        }

        // Signed in, but the base check failed (wrong role): send to the access denied page.
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            filterContext.Result = new RedirectResult("~/Account/Denied");
        }
    }
}
AccountController.cs:
using System.Web.Mvc;

public class AccountController : Controller
{
    // Target of the redirect above; simply renders Views/Account/Denied.cshtml.
    public ActionResult Denied()
    {
        return View();
    }
}
Views/Account/Denied.cshtml: (Razor syntax)
@{
    ViewBag.Title = "Access Denied";
}
<h2>@ViewBag.Title</h2>
Sorry, but you don't have access to that page.
Answered by KP.
Take a look at tvanfosson's answer from this very similar question. This is what I am doing (thanks to tvanfosson), so now I just have to say:
[MyAuthorize(Roles="SuperAdmin",ViewName="AccessDenied")]
public class SuperAdminController : Controller
...
If the user is not in the role, they will get the view specified by ViewName.
Answered by devi
Redirect is not always the best solution
Use standard http code 403:
return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
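The two answers above (Matt Frear's login-versus-denied split and devi's point about a plain 403) fit naturally into one attribute. The following is an added example, not code from any answer on this page: it overrides AuthorizeAttribute.HandleUnauthorizedRequest, which the base class calls only after its own authentication and role check has failed, so there is no need to inspect filterContext.Result. Anonymous callers keep the framework's 401 (and therefore the configured login redirect); authenticated callers that lack the role get a 403 if the request is an AJAX call, and a redirect to the access denied page otherwise. The AccessDeniedUrl default is an assumption about the application's routes.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example: one attribute that distinguishes "not signed in" from "signed in but not
// in the role", and answers XHR callers with a status code instead of an HTML redirect.
public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    // Assumed route of the application's access denied page; override per usage if needed.
    public string AccessDeniedUrl { get; set; }

    public AccessDeniedAuthorizeAttribute()
    {
        AccessDeniedUrl = "~/Account/AccessDenied";
    }

    // Invoked by the base OnAuthorization only when AuthorizeCore returned false.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var httpContext = filterContext.HttpContext;

        if (!httpContext.User.Identity.IsAuthenticated)
        {
            // Anonymous caller: keep the 401 so forms authentication sends the user to loginUrl.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        if (httpContext.Request.IsAjaxRequest())
        {
            // Authenticated XHR caller: a 403 is more useful to script code than a 302 to a page.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden, "Access denied");
            return;
        }

        // Authenticated browser user without the role: show the access denied page.
        filterContext.Result = new RedirectResult(AccessDeniedUrl);
    }
}
```

Usage is identical to the answers above, for example [AccessDeniedAuthorize(Roles = "SuperAdmin")] on a controller or action. Deciding on the 403 by IsAjaxRequest() relies on the X-Requested-With header that jQuery and the MVC Ajax helpers send; API clients that do not send it can be detected by Accept header instead.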
Answered by Vic Alcazar
A slight improvement to Matt's answer by avoiding the need to hard-code the Logon page and optionally setting the access denied view within the attribute:
using System.Web.Mvc;

public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    // Optional per-usage override of the access denied page.
    public string AccessDeniedViewName { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        // Anonymous users keep the 401, so the login redirect comes from the forms
        // authentication configuration instead of being hard-coded here.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated &&
            filterContext.Result is HttpUnauthorizedResult)
        {
            if (string.IsNullOrWhiteSpace(AccessDeniedViewName))
                AccessDeniedViewName = "~/Account/AccessDenied";

            filterContext.Result = new RedirectResult(AccessDeniedViewName);
        }
    }
}
Answered by Cynninge
I had a similar issue. No matter what role I had, I was always redirected to the LogIn page instead of AccessDenied. The fix was unbelievably easy, but it might not work in all cases. So it turned out that I had the wrong order in Startup.cs of these two lines:
app.UseAuthentication();
app.UseAuthorization();
Make sure that app.UseAuthentication(); is BEFORE app.UseAuthorization();
In other words, ask "Who are you?" first, and then "Are you allowed here?", not the other way.
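The answer above concerns ASP.NET Core rather than classic MVC, where the login and access denied pages are not attributes but cookie options. The following Startup is an added example (not the answer's own code) showing both settings together with the middleware order the answer describes; the paths and the "SuperAdminOnly" policy name are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Added example: ASP.NET Core wiring for login vs. access denied redirects.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                // Anonymous user hits [Authorize]: the challenge redirects here.
                options.LoginPath = "/Account/Login";
                // Authenticated user fails a role or policy: the forbid redirects here.
                options.AccessDeniedPath = "/Account/AccessDenied";
            });

        services.AddAuthorization(options =>
        {
            // Assumed policy name; equivalent to [Authorize(Roles = "SuperAdmin")].
            options.AddPolicy("SuperAdminOnly", policy => policy.RequireRole("SuperAdmin"));
        });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // Order matters: establish HttpContext.User first ...
        app.UseAuthentication();
        // ... then evaluate [Authorize] against it. With the two lines swapped, the
        // authorization middleware sees an anonymous user on every request and issues a
        // challenge (login page) instead of a forbid (access denied page).
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With this configuration an [Authorize(Policy = "SuperAdminOnly")] controller sends a signed-in user without the role to /Account/AccessDenied, while an anonymous user still lands on /Account/Login with a ReturnUrl parameter.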
Answered by Yuriy
using System.Web.Mvc;
using WebMatrix.WebData;

public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        // Same idea as above, but using SimpleMembership's WebSecurity to test sign-in state.
        if (filterContext.Result is HttpUnauthorizedResult && WebSecurity.IsAuthenticated)
        {
            filterContext.Result = new RedirectResult("~/Account/AccessDenied");
        }
    }
}
Answered by Farinha
I've built on Vic's answer to allow me to have a different Access Denied page for each of the application's areas. Did it by returning a RedirectToRouteResult instead, which instead of redirecting to a URL relative to the root of the application redirects to the current area's controller and action:
using System;
using System.Web.Mvc;
using System.Web.Routing;

public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    public string AccessDeniedController { get; set; }
    public string AccessDeniedAction { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        if (filterContext.HttpContext.User.Identity.IsAuthenticated &&
            filterContext.Result is HttpUnauthorizedResult)
        {
            if (String.IsNullOrWhiteSpace(AccessDeniedController) || String.IsNullOrWhiteSpace(AccessDeniedAction))
            {
                AccessDeniedController = "Home";
                AccessDeniedAction = "AccessDenied";
            }

            // No area is specified, so the route is resolved within the current request's area.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(new { Controller = AccessDeniedController, Action = AccessDeniedAction }));
        }
    }
}
Answered by True Solutions
Just a small update to Vic Alcazar's answer: added details of the request URL in the redirect, so that the details of the access denied, and by whom, can be logged if wanted.
using System;
using System.Web;
using System.Web.Mvc;

public class AccessDeniedAuthorizeAttribute : AuthorizeAttribute
{
    public string AccessDeniedViewName { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        if (filterContext.HttpContext.User.Identity.IsAuthenticated &&
            filterContext.Result is HttpUnauthorizedResult)
        {
            if (string.IsNullOrWhiteSpace(AccessDeniedViewName))
                AccessDeniedViewName = "~/Account/AccessDenied";

            // Carry the denied URL along so the access denied page can log it.
            // Encoded, so a query string inside the denied URL is not split into extra parameters.
            var requestUrl = filterContext.HttpContext.Request.Url;
            filterContext.Result = new RedirectResult(String.Format("{0}?RequestUrl={1}",
                AccessDeniedViewName, HttpUtility.UrlEncode(requestUrl.ToString())));
        }
    }
}
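Once the denied URL travels in the query string, the receiving action has to treat it as untrusted input: anyone can put any value in RequestUrl, so rendering it as a link would turn the access denied page into an open redirector. The following AccountController is an added example, not part of the answer above; it assumes the attribute appends RequestUrl as shown, logs the denial with the user and client address (System.Diagnostics.Trace stands in for whatever logger the application uses), and only offers a "go back" link when the URL points at this site.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Web.Mvc;

// Added example: the access denied page that consumes the RequestUrl parameter safely.
public class AccountController : Controller
{
    // GET /Account/AccessDenied?RequestUrl=...  (model binding is case-insensitive)
    public ActionResult AccessDenied(string requestUrl)
    {
        // Audit record: who was denied, what they asked for, and from where.
        Trace.TraceWarning("Access denied: user='{0}' url='{1}' ip='{2}'",
            User.Identity.Name, requestUrl, Request.UserHostAddress);

        // Offer a link back only for a location on this application; everything else is dropped.
        ViewBag.ReturnPath = ToLocalPath(requestUrl);

        // Report the outcome as 403 instead of a 200 page; TrySkipIisCustomErrors keeps IIS
        // from replacing the rendered view with its own error page.
        Response.StatusCode = (int)HttpStatusCode.Forbidden;
        Response.TrySkipIisCustomErrors = true;
        return View();
    }

    // Returns a site-local path for the denied URL, or null if it cannot be trusted.
    private string ToLocalPath(string requestUrl)
    {
        if (string.IsNullOrWhiteSpace(requestUrl))
            return null;

        Uri uri;
        if (!Uri.TryCreate(requestUrl, UriKind.Absolute, out uri))
        {
            // Already relative: accept only what MVC considers local ("/x", "~/x"; not "//evil").
            return Url.IsLocalUrl(requestUrl) ? requestUrl : null;
        }

        // Absolute URL (what Request.Url yields): require our own host, then keep path + query.
        bool sameHost = Request.Url != null &&
            string.Equals(uri.Host, Request.Url.Host, StringComparison.OrdinalIgnoreCase);
        if (!sameHost)
            return null;

        return Url.IsLocalUrl(uri.PathAndQuery) ? uri.PathAndQuery : null;
    }
}
```

In the view, render the link only when ViewBag.ReturnPath is not null. The host comparison matters because Url.IsLocalUrl rejects every absolute URL, so without the conversion the link would never appear for the value the attribute sends; with it, a forged RequestUrl pointing at another host is simply logged and ignored.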

