1

我在带有 OWIN 的 ASP.NET MVC 5 应用程序中使用 ASP.NET Identity 2。到目前为止,如果经过身份验证的用户尝试访问他没有角色的操作,他将被重定向到登录页面。在这种情况下,如何使经过身份验证的用户获得 AccessDenied 页面,但未经身份验证的用户仍会被发送到登录页面?

ConfigureAuth 方法如下:

public void ConfigureAuth(IAppBuilder app)
{
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
        }
    });
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
    app.UseSaml2Authentication(GetSamlOptions());
}
4

3 回答 3

2

试试这个自定义的授权属性,它不会重定向而是替换内容,所以 url 是完整的,并且还支持 ajax 请求:

    public class AppAuthorizeAttribute : AuthorizeAttribute
    {

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            var isAuthorized = base.AuthorizeCore(httpContext);
            if (!isAuthorized)
            {
                return false;
            }
            // do another checks here...
        }

        // This will be executed when AuthorizeCore returns false
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                if (filterContext.HttpContext.Request.IsAjaxRequest())
                {
                    var urlHelper = new UrlHelper(filterContext.RequestContext);
                    filterContext.HttpContext.Response.StatusCode = 403;
                    filterContext.Result = new JsonResult
                    {
                        Data = new
                        {
                            ErrorMessage = "Unauthorized"
                        },
                        JsonRequestBehavior = JsonRequestBehavior.AllowGet
                    };
                }
                else
                {
                    filterContext.Result = new ViewResult
                    {
                        ViewName = "~/Views/Error/AccessDenied.cshtml"
                    };
                }
            }
            else
            {
                base.HandleUnauthorizedRequest(filterContext);
            }
        }

    }

全部替换[Authorize]为您的自定义属性[AppAuthorize]

于 2020-03-06T15:04:46.640 回答
0

您可以使用[DataAnnotations]基于角色的自定义来授予某些用户访问权限。就像是:


[OnlyAllowedAttribute("Roles=Admin")]
public IActionResult OnlyAuthenticatedUsers()
{
  return View();
}

public class OnlyAllowedAttribute: AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);

        if(Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated)
        {
          if(filterContext.Result is HttpUnauthorizedResult)
          {
              filterContext.Result = new RedirectResult("~/Account/AcessDenied");
          }
        }
        else
        {
          filterContext.Result = new RedirectResult("~/Account/Login");
        }
    }
}

https://stackoverflow.com/a/1279854/9936356

于 2020-03-06T14:55:21.183 回答
0

我实现了一个自定义授权属性,如下所示:

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = false, AllowMultiple = false)]
public sealed class CustomAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            var route_values = new RouteValueDictionary
            {
                ["controller"] = "Account"
            };
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                route_values["action"] = "AccessDenied";
            }
            else
            {
                route_values["action"] = "Login";
                route_values["returnUrl"] = filterContext.HttpContext.Request.Url.PathAndQuery;
            }
            filterContext.Result = new RedirectToRouteResult(route_values);
        }
    }
}

我仍然愿意接受任何利用某些 OWIN 配置值的答案。

感谢所有帮助过的人。

于 2020-03-06T18:11:11.687 回答