【发布时间】:2010-10-07 22:24:47
【问题描述】:
如何创建自定义属性来扩展 MVC 中现有的 Authorize 属性?
【问题讨论】:
-
请添加更多详细信息,您到底想扩展什么?
-
现在我只想重定向到正确的页面而不是默认的主页。
-
你可以更新你的问题,这样每个人都可以知道你需要什么。
标签: asp.net asp.net-mvc attributes
【发布时间】:2010-10-07 22:24:47
【问题描述】:
从 AuthorizeAttribute 派生您的类。覆盖 OnAuthorization 方法。添加并设置一个 CacheValidationHandler。
public void CacheValidationHandler( HttpContext context,
object data,
ref HttpValidationStatus validationStatus )
{
validationStatus = OnCacheAuthorization( new HttpContextWrapper( context ) );
}
public override void OnAuthorization( AuthorizationContext filterContext )
{
if (filterContext == null)
{
throw new ArgumentNullException( "filterContext" );
}
if (AuthorizeCore( filterContext.HttpContext ))
{
... your custom code ...
SetCachePolicy( filterContext );
}
else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
// auth failed, redirect to login page
filterContext.Result = new HttpUnauthorizedResult();
}
else
{
... handle a different case than not authenticated
}
}
protected void SetCachePolicy( AuthorizationContext filterContext )
{
// ** IMPORTANT **
// Since we're performing authorization at the action level, the authorization code runs
// after the output caching module. In the worst case this could allow an authorized user
// to cause the page to be cached, then an unauthorized user would later be served the
// cached page. We work around this by telling proxies not to cache the sensitive page,
// then we hook our custom authorization code into the caching mechanism so that we have
// the final say on whether a page should be served from the cache.
HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
cachePolicy.AddValidationCallback( CacheValidationHandler, null /* data */);
}
【讨论】:
-
如何使用 Roles 进行这项工作?它现在工作正常,但似乎角色不起作用。即使用户经过身份验证,AuthorizeCore 也会不断返回 false,这意味着 SetCachePolicy() 永远不会被执行。
-
@Nick - 我已经写过关于改进缓存处理方面的博客:farm-fresh-code.blogspot.com/2011/03/…
你不需要扩展这个属性,web.config 就足够了。请阅读forms Element for authentication。请注意 defaultUrl。这是你需要的东西。
<system.web>
<authentication mode="Forms">
<forms defaultUrl="YourUrlGoesHere"/>
</authentication>
</system.web>
【讨论】:
-
但这不是动态的。网址更改。
-
嗯,为什么不在给出解决方案之前指定所有要求?
-
呃-哦。如果该博客条目的开头图表中的断言是正确的,您可能应该减少损失并删除答案。
public class CoolAuthorizeAttribute : AuthorizeAttribute
{
}
【讨论】:
我建议如果您只是想扩展当前的 AuthorizeAttribute 并在其之上添加您自己的授权,而不是覆盖 OnAuthorization 只需覆盖 AuthorizeCore 并将您的 MyCustomAuthorizationHolds 条件添加到它。
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
// This method must be thread-safe since it is called by the thread-safe OnCacheAuthorization() method.
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (base.AuthorizeCore(httpContext) && MyCustomAuthorizationHolds)
return true;
return false;
}
}
【讨论】: