asp.net-mvc 在 ASP.NET MVC 中自定义授权
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/427598/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Customizing authorization in ASP.NET MVC
提问by FantaMango77
My Controller class is decorated with an AuthorizeAttribute to protect the actions:
我的 Controller 类装饰有 AuthorizeAttribute 以保护操作:
[Authorize(Roles = "User Level 2")]
public class BuyController : Controller
{
...
}
Anytime an action is invoked but the user is not in at least the role "User Level 2" he is automatically redirected to the login page with a url like this:
每当调用操作但用户至少不是“用户级别 2”角色时,他会自动重定向到登录页面,网址如下:
http://localhost:1436/Account/Login?ReturnUrl=%2fBuy
http://localhost:1436/Account/Login?ReturnUrl=%2fBuy
If the user is already logged in, but doesn't have the right security level, this is not an optimal behavior! It would make more sense to display a page which informs the user about the missing level instead of showing the login page.
如果用户已经登录,但没有正确的安全级别,这不是最佳行为!显示一个页面来通知用户缺少的级别而不是显示登录页面会更有意义。
What can I do to customize this behavior? Is it possible to pass the required user level to the Login action somehow?
我该怎么做才能自定义此行为?是否可以以某种方式将所需的用户级别传递给登录操作?
回答by Trevor de Koekkoek
You can build your own authorize attribute like this:
您可以像这样构建自己的授权属性:
public class ClubAuthorizeAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
if (filterContext.Cancel && filterContext.Result is HttpUnauthorizedResult)
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary {
{ "clubShortName", filterContext.RouteData.Values[ "clubShortName" ] },
{ "controller", "Account" },
{ "action", "Login" },
{ "ReturnUrl", filterContext.HttpContext.Request.RawUrl }
});
}
}
}
I used this to redirect to a specific club in a club membership site I am building. You could adapt this to your need. BTW, in my case I do redirect to the login page, but I check to see if the user is authorized and if so, display a message that they don't have the correct permissions. No doubt you could also add something to ViewData or TempData to display on the page, but I haven't tried that
我用它重定向到我正在建立的俱乐部会员网站中的特定俱乐部。您可以根据自己的需要进行调整。顺便说一句,在我的情况下,我确实重定向到登录页面,但我检查用户是否已获得授权,如果是,则显示一条消息,表明他们没有正确的权限。毫无疑问,您还可以向 ViewData 或 TempData 添加一些内容以显示在页面上,但我还没有尝试过
EDITAuthorizationContext.Cancel doesn't exist anymore in RC. "filterContext.Result is HttpUnauthorizedResult" seems to be enough : What happened to filterContext.Cancel (ASP.NET MVC)
编辑AuthorizationContext.Cancel 在 RC 中不再存在。“filterContext.Result is HttpUnauthorizedResult”似乎就足够了:filterContext.Cancel (ASP.NET MVC) 发生了什么
回答by David Brossard
Time has long passed since the last answer.
距离上次回答已经过去很久了。
Since 2009, a lot of progress has been made in the authorization space. In particular, OASIS (the ones behind SAML) have standardized XACML, the eXtensible Access Control Markup Language.
自 2009 年以来,授权领域取得了很大进展。特别是,OASIS(SAML 背后的那些)已经标准化了 XACML,即可扩展访问控制标记语言。
XACML gives developers:
XACML 为开发人员提供:
- a usage pattern
- an architecture
- a flexible authorization policy language
- 使用模式
- 一种架构
- 灵活的授权策略语言
XACML is in line with attribute-based access control which NIST recommends be adopted in applications nowadays.
XACML 符合 NIST 建议在当今应用程序中采用的基于属性的访问控制。
Have a look at this answerfor more details.
查看此答案以了解更多详细信息。
