
Unauthorized AJAX requests returning statuscode 200 instead of 401

In MVC 5, I override HandleUnauthorizedRequest() and check if the request is from AJAX.

I have also registered a global ajaxComplete for handling 401 AJAX requests, but the status code is still 200 after going through HandleUnauthorizedRequest().

Question: Do I have to manually change the status code in filterContext in the function HandleUnauthorizedRequest()?

Unauthorized AJAX request detected

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    if (filterContext.HttpContext.Request.IsAjaxRequest())
    {
        // <-- in here
        filterContext.Result = new JsonResult
        {
            Data = new
            {
                returnUrl = "foo"
            },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
    else
    {
        base.HandleUnauthorizedRequest(filterContext);
    }
}

Global ajaxComplete registration

$(document).ajaxComplete(function (e, xhr, settings) {
    console.log('xhr.status: "' + xhr.status + '"'); // 200 - I want 401
    if(xhr.status === 401) {
        window.location.replace(urlHelper.getUrlNotAuthorized());
    }
});

Working but hacked solution until I find a solution with ajaxComplete:

It checks whether the user's request was authorized. The downside is that I have to check isAuthorized() every time I make a request. That's why I would like to use a global ajaxComplete, so I never miss one.

Check if the user's AJAX request was authorized

isAuthorized = function (result) {
    try {
        var obj = JSON && JSON.parse(result) || $.parseJSON(result);
        // Here, obj can still be a parsed JsonResult, from when getting GetDatatableRows(), so we also need to check on returnUrl which is distinct
        // obj will only contain returnUrl if the JSON was returned from Shield validation
        if (obj && obj.returnUrl) {
            window.location.replace(urlHelper.getUrlNotAuthorized() + '?returnUrl=' + encodeURIComponent(obj.returnUrl));
            return false;
        }
    } catch (e) {
    }
    return true;
};

AJAX request where the result is either a partial view or JSON

partialViewService.changePartialViewService(url, data)
.done(function (result) {
    if (isAuthorized(result)) {
        // use result
    }
});

Yes - I haven't checked this, but try adding the line indicated. Specifying code 401 does not filter through to the result you want (I suspect this is due to Identity intercepting code 401 specifically):

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    if (filterContext.HttpContext.Request.IsAjaxRequest())
    {
        // Add this (code 401 does not work)
        filterContext.HttpContext.Response.StatusCode = 412;
        // <-- in here
        filterContext.Result = new JsonResult
        {
            Data = new
            {
                returnUrl = "foo"
            },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    }
    else
    {
        base.HandleUnauthorizedRequest(filterContext);
    }
}
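To keep the check in one place on the client side, as the question asks for, the global ajaxComplete handler can decide from either signal: the explicit status (401, or the 412 substitute from the answer above) or the 200 response whose JSON body carries the returnUrl marker from the asker's isAuthorized(). This is an added example, not code from the question or answer; it takes any xhr-like object with status and responseText so it can be exercised outside a browser, and NOT_AUTHORIZED_URL is a placeholder for urlHelper.getUrlNotAuthorized(). It also only forwards a returnUrl that is a same-origin path, so a crafted value in that JSON cannot later send the user to another host.

```javascript
// Placeholder for urlHelper.getUrlNotAuthorized() from the question (assumed value).
const NOT_AUTHORIZED_URL = '/Account/NotAuthorized';

// Accept only a same-origin relative path as a return URL, so that a tampered
// "returnUrl" can never turn the post-login redirect into an open redirect.
function isLocalReturnUrl(url) {
  return typeof url === 'string'
    && url.length > 0
    && url[0] === '/'
    && url[1] !== '/'     // rejects protocol-relative "//other.example"
    && url[1] !== '\\';   // rejects "/\other.example", which browsers treat like "//"
}

// Returns the URL to redirect to when the response signals an unauthorized request,
// or null when the response is an ordinary result the caller should use.
function unauthorizedRedirect(xhr) {
  // Path 1: the server set an explicit status (401 if it reaches the client,
  // or the 412 substitute from the answer).
  if (xhr.status === 401 || xhr.status === 412) {
    return NOT_AUTHORIZED_URL;
  }
  // Path 2: status 200 but the body is the JsonResult marker {"returnUrl": "..."}.
  let body;
  try {
    body = JSON.parse(xhr.responseText);
  } catch (e) {
    return null; // HTML partial view or other non-JSON: an ordinary result
  }
  // A parsed datatable row array or other JSON has no returnUrl property.
  if (body && typeof body === 'object' && 'returnUrl' in body) {
    const ret = isLocalReturnUrl(body.returnUrl) ? body.returnUrl : '/';
    return NOT_AUTHORIZED_URL + '?returnUrl=' + encodeURIComponent(ret);
  }
  return null;
}

// Browser wiring: one global handler instead of calling isAuthorized() per request.
if (typeof $ !== 'undefined' && typeof document !== 'undefined') {
  $(document).ajaxComplete(function (e, xhr) {
    const target = unauthorizedRedirect(xhr);
    if (target) {
      window.location.replace(target);
    }
  });
}
```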
