编辑:
我很久以前就写了以上答案,现在我认为发送403不是正确的方法。403的含义略有不同,因此不应使用。这是使用401纠正的属性。只有
context.HttpContext.Response.End()Http401Result中的其他属性和不同的HTTP代码不同:
public class OptionalAuthorizeAttribute : AuthorizeAttribute{ private class Http401Result : ActionResult { public override void ExecuteResult(ControllerContext context) { // Set the response pre to 401. context.HttpContext.Response.StatusCode = 401; context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue); context.HttpContext.Response.End(); } } private readonly bool _authorize; public OptionalAuthorizeAttribute() { _authorize = true; } //OptionalAuthorize is turned on on base controller class, so it has to be turned off on some controller. //That is why parameter is introduced. public OptionalAuthorizeAttribute(bool authorize) { _authorize = authorize; } protected override bool AuthorizeCore(HttpContextbase httpContext) { //When authorize parameter is set to false, not authorization should be performed. if (!_authorize) return true; var result = base.AuthorizeCore(httpContext); return result; } protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) { if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest()) { //Ajax request doesn't return to login page, it just returns 401 error. filterContext.Result = new Http401Result(); } else base.HandleUnauthorizedRequest(filterContext); }}老答案:
虽然我喜欢其他答案中发布的想法(我以前有一个想法),但我需要代码示例。他们来了:
修改的授权属性:
public class OptionalAuthorizeAttribute : AuthorizeAttribute{ private class Http403Result : ActionResult { public override void ExecuteResult(ControllerContext context) { // Set the response pre to 403. context.HttpContext.Response.StatusCode = 403; context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue); } } private readonly bool _authorize; public OptionalAuthorizeAttribute() { _authorize = true; } //OptionalAuthorize is turned on on base controller class, so it has to be turned off on some controller. //That is why parameter is introduced. public OptionalAuthorizeAttribute(bool authorize) { _authorize = authorize; } protected override bool AuthorizeCore(HttpContextbase httpContext) { //When authorize parameter is set to false, not authorization should be performed. if (!_authorize) return true; var result = base.AuthorizeCore(httpContext); return result; } protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) { if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest()) { //Ajax request doesn't return to login page, it just returns 403 error. filterContext.Result = new Http403Result(); } else base.HandleUnauthorizedRequest(filterContext); }}HandleUnauthorizedRequest被覆盖,因此
Http403Result在使用Ajax时返回。
Http403Result将StatusCode更改为403,并作为响应将消息返回给用户。属性(
authorize参数)中还有一些附加逻辑,因为我
[Authorize]在基本控制器中打开了该功能,并在某些页面中将其禁用了。
另一个重要部分是在客户端全局处理此响应。这是我放在Site.Master中的内容:
<script type="text/javascript"> $(document).ready( function() { $("body").ajaxError( function(e,request) { if (request.status == 403) { alert(request.responseText); window.location = '/Logout'; } } ); } );</script>我放置了一个GLOBAL
ajax错误处理程序
$.post,一旦失败并出现403错误,就会警告响应消息,并将用户重定向到注销页面。现在,我不必处理每个
$.post请求中的错误,因为它是全局处理的。
为什么是403,而不是401?401由MVC框架在内部处理(这就是为什么在授权失败后重定向到登录页面的原因)。
你怎么看待这件事?
