2011-07-26 46 views
3

Here is the code for my base controller. The idea is that if the Authorization string is not in the HTTP headers, we kick the request out. I swear it was working fine, and now suddenly it doesn't. The strange thing is that when I debug it, it actually steps into the if statement, so it really is true that the HTTP header I'm requesting is a NULL or EMPTY string, but it doesn't exit early and return a 403 Access Denied... It worked fine, and suddenly it just ignores the whole thing and the application ends up crashing later when I try to parse the authorization string that isn't actually there. Why does my overridden OnAuthorization not return the filterContext.Result I set?

using System.Web.Mvc;

public class AuthController : Controller
{
    protected int AccountID;

    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        //if no authorization string is provided, access denied
        if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden

            base.OnAuthorization(filterContext);
        }

        //otherwise grab the authorization string and validate it
        string authString = filterContext.HttpContext.Request.Headers["Authorization"];
        string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;
        int getAccountID = 0;

        //if authorization fails...
        if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden

            base.OnAuthorization(filterContext);
        }

        //AccountID will never be zero at this point
        AccountID = getAccountID;

        //carry on with Controller Action, request is valid and AccountID is known
        base.OnAuthorization(filterContext);
    }
}

UPDATE: Just tried filterContext.Result = new HttpUnauthorizedResult(); instead, same result. The controller action continues and throws an error when it tries to parse the header string that wasn't found.

UPDATE 2: Added "return;" after every base.OnAuthorization() call except the last one, and now when it fails I get a 302 Moved from MVC to a 404, the result of which is that the application tries to redirect to a default login page URL that doesn't actually exist... Is that good enough? Maybe, but I'd rather block it directly than let some mysterious redirect happen as the way of blocking them; that doesn't feel secure to me.

Answers

1

Aha!

I was calling base.OnAuthorization() too many times; apparently it doesn't actually end the thread for good... not sure why I thought it did until now... Here is the working code:

using System.Web.Mvc;

public class AuthController : Controller
{
    protected int AccountID;

    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        int getAccountID = 0;

        //if no authorization string is provided, access denied
        if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden
        }
        else
        {
            //otherwise grab the authorization string and validate it
            string authString = filterContext.HttpContext.Request.Headers["Authorization"];
            string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;

            //if authorization fails...
            if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
            {
                filterContext.Result = Content("Access Denied", "text/plain");
                filterContext.HttpContext.Response.StatusCode = 403; //forbidden
            }
        }

        //AccountID will never be zero at this point
        AccountID = getAccountID;

        //carry on with Controller Action, request is valid and AccountID is known
        base.OnAuthorization(filterContext);
    }
}
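As an added example (not the poster's or answerer's code), the same filter written to fail closed: every deny path sets the result and returns immediately so nothing below it runs, AccountID is assigned only after AuthCore.Authorize succeeds, and a non-positive account id is treated as a failure rather than trusted. It assumes ASP.NET MVC 3 or later for HttpStatusCodeResult, and that AuthCore.Authorize has the signature used in the question.

```csharp
using System.Web.Mvc;

public class AuthController : Controller
{
    protected int AccountID;

    // Assumption: AuthCore.Authorize(string, string, ref int) is the questioner's
    // own validator, as called in the question; it is not defined here.
    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string authString = request.Headers["Authorization"];

        // Deny path 1: no Authorization header. Setting Result short-circuits the
        // action; the return guarantees the code below never runs on this path.
        if (string.IsNullOrEmpty(authString))
        {
            Deny(filterContext);
            return;
        }

        string urlPath = request.Path ?? string.Empty;
        int accountId = 0;

        // Deny path 2: header present but invalid. A non-positive id is also
        // rejected, so a misbehaving validator still fails closed.
        if (!AuthCore.Authorize(authString, urlPath, ref accountId) || accountId <= 0)
        {
            Deny(filterContext);
            return;
        }

        // Only reached when validation succeeded, so AccountID is never zero here.
        AccountID = accountId;
        base.OnAuthorization(filterContext);
    }

    // One place that produces the 403, so every deny path behaves the same.
    // A plain 403 is returned directly; no 302-to-login redirect is involved,
    // unlike HttpUnauthorizedResult (401) under Forms Authentication.
    private static void Deny(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpStatusCodeResult(403, "Access Denied");
    }
}
```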