[英]ASP.NET MVC Authorization - Customize?
I have a requirement for a new ASP.NET MVC application. 我需要一个新的ASP.NET MVC应用程序。 When a user is logged into the site there is a black box that we need to call into to see if the user is allowed to use the Controller/Action. 当用户登录到站点时,我们需要调用一个黑框,以查看是否允许该用户使用Controller / Action。
All our controllers have the [Authorize] attribute by default (except Login), but some of the actions can only be called if a black box says the user can. 默认情况下,我们所有的控制器都具有[Authorize]属性(“登录”除外),但是某些操作只有在黑框表明用户可以使用时才能调用。
How would I get the MVC sub system (I'm guessing thru something like a custom [Authorize?]) to respond with an unauthorized response when a logged in user tries to access a Controller Action which the black box says they can't. 当登录的用户尝试访问控制器动作(黑匣子说不能)时,我将如何使MVC子系统(通过自定义[Authorize?]之类的东西)响应未授权的响应。
Here's the way we call the BlackBox: 这是我们称为BlackBox的方式:
bool canAccess = BlackBox.HasAccess(controllerName, ActionName, userGuid);
I suggest a custom Authorize
attribute (as you already guessed). 我建议使用自定义的Authorize
属性(您已经猜到了)。
Here is an example below: 下面是一个示例:
public class BlackBoxAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool authorized = base.AuthorizeCore(httpContext);
if (authorized)
{
var routeData = httpContext.Request.RequestContext.RouteData;
var controller = routeData.GetRequiredString("controller");
var action = routeData.GetRequiredString("action");
bool canAccess = BlackBox.HasAccess(controller, action, userGuid);
if (!canAccess)
{
httpContext.Items["BlackBoxError"] = true;
return false;
}
return true;
}
else
{
return authorized;
}
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
bool blackBoxError = filterContext.HttpContext.Items["BlackBoxError"] != null && Convert.ToBoolean(filterContext.HttpContext.Items["BlackBoxError"].ToString());
if (blackBoxError)
{
//change the controler name and action name accordingally as needed.
filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary
{
{ "controller", "Error" },
{ "action", "BlackBoxError" }
}
);
}
base.HandleUnauthorizedRequest(filterContext);
}
}
With this in place you'll have to replace all AuthorizeAttribute
annotations with BlackBoxAuthorizeAttribute
. 使用此功能后,您将必须用BlackBoxAuthorizeAttribute
替换所有AuthorizeAttribute
批注。 Or even better: remove AuthorizeAttribute
from your controllers and register a global attribute in app_start. 甚至更好:从控制器中删除AuthorizeAttribute
并在app_start中注册一个全局属性。
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new BlackBoxAuthorizeAttribute());
}
Hope this helps! 希望这可以帮助!
Regards, Uros 问候,Uros
You can try inheriting from AuthorizeAttribute and create you own attribute. 您可以尝试从AuthorizeAttribute继承并创建您自己的属性。
public class BlackboxAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
//write here custom authorization logic
}
protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
}
}
And then use your custom authorize attribute on your controller action. 然后在您的控制器操作上使用您的自定义授权属性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.