How to Extend the ASP.NET MVC AuthorizeAttribute

I'm using the ASP.NET membership provider for authentication of the user. I have another table with additional user details linked to my aspnet_users table.

When a user logs into my site I place what I call their 'UserProfile' into a session variable and I need to check the presence of this Session variable on every call in my controllers (all the controllers behind my login page).

So my question is this:

I've written an ActionFilter that inherits the AuthorizeAttribute, which calls the default base.AuthorizeCore() method and checks for the presence of my Session object (Session["UserProfile"]). I've also created a base controller which holds my object of type UserProfile, which all appropriate controller classes inherit from so they have access to my UserProfile. How do I use my method in my ActionFilter to set this UserProfile property to the Session variable in my controller?

Why can't you simply do that in the base controller? That seems like the right place to populate the property. Doing it in your custom authorize attribute will create a dependency that needn't exist and lead to more complexity. What I'm saying is the check for the presence of the key in the Session, while related, isn't the same as populating the property. It could, in fact, be very different if you eventually decided, for instance, to store only a DB key in the session and retrieve a more complex profile object from the DB each time. Note also that the authorize attribute could later be applied to simply a method instead of a class -- at that point, you might be performing the population of the property multiple times.

If you feel that you must, however, the AuthorizationContext passed to the OnAuthorization method of the attribute contains a reference to the controller. You could cast this as your base controller (using as syntax and checking for nullity), then access the property directly (if public) or via reflection (if not).

Same as tvanfosson: don't add a property to your controller base that depends on an ActionFilter being applied.

An alternative is moving the code to a separate class that retrieves/checks access to the said property. Both the ActionFilter and the controller base use said class to retrieve the value. The dependency is made explicit, which makes it a lot easier to understand for another developer.
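
The shared-class approach from the answers above, as an added example (not code from the question or from either answer). It targets System.Web.Mvc; `UserProfileStore`, `RequireUserProfileAttribute`, `ProfileControllerBase` and the `UserProfile` shape are assumed names for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical profile type standing in for the asker's UserProfile.
public class UserProfile
{
    public string DisplayName { get; set; }
}

// The one place that knows how the profile is stored (assumed name).
// Swapping the session object for a DB lookup later only changes this class.
public static class UserProfileStore
{
    private const string SessionKey = "UserProfile";

    public static UserProfile Get(HttpContextBase context)
    {
        if (context == null || context.Session == null)
            return null;
        // "as" yields null for a missing key or an unexpected type.
        return context.Session[SessionKey] as UserProfile;
    }
}

// The attribute only decides allow/deny; it never writes to the controller.
public class RequireUserProfileAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Standard authentication/role check first, then the profile check.
        return base.AuthorizeCore(httpContext)
            && UserProfileStore.Get(httpContext) != null;
    }
}

// Applied at the base class so every derived controller is covered.
[RequireUserProfile]
public abstract class ProfileControllerBase : Controller
{
    // Resolved on demand from the same store the filter checks,
    // so the property does not depend on the filter having run.
    protected UserProfile UserProfile
    {
        get { return UserProfileStore.Get(HttpContext); }
    }
}
```

When the session has expired but the authentication cookie is still valid, `AuthorizeCore` returns false here and the request goes through the attribute's normal unauthorized handling instead of reaching an action with a null profile.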
