
Redirecting unauthorized controller in ASP.NET MVC


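Create a custom authorization attribute based on AuthorizeAttribute and override OnAuthorization to perform the check the way you want it done. Normally, AuthorizeAttribute sets the filter result to HttpUnauthorizedResult if the authorization check fails. You can have it set the result to a ViewResult (of your Error view) instead.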

EDIT: I have a couple of blog posts that go into more detail:

  • http://farm-fresh-pre.blogspot.com/2011/03/revisiting-custom-authorization-in.html
  • http://farm-fresh-pre.blogspot.com/2009/11/customizing-authorization-in-aspnet-mvc.html

Example:

    using System;
    using System.Web;
    using System.Web.Mvc;

    [AttributeUsage( AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false )]
    public class MasterEventAuthorizationAttribute : AuthorizeAttribute
    {
        /// <summary>
        /// The name of the master page or view to use when rendering the view on authorization failure.  Default
        /// is null, indicating to use the master page of the specified view.
        /// </summary>
        public virtual string MasterName { get; set; }

        /// <summary>
        /// The name of the view to render on authorization failure.  Default is "Error".
        /// </summary>
        public virtual string ViewName { get; set; }

        public MasterEventAuthorizationAttribute()
            : base()
        {
            this.ViewName = "Error";
        }

        // Output-cache validation callback: re-runs the authorization check before a cached page is served.
        protected void CacheValidateHandler( HttpContext context, object data, ref HttpValidationStatus validationStatus )
        {
            validationStatus = OnCacheAuthorization( new HttpContextWrapper( context ) );
        }

        public override void OnAuthorization( AuthorizationContext filterContext )
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException( "filterContext" );
            }

            if (AuthorizeCore( filterContext.HttpContext ))
            {
                SetCachePolicy( filterContext );
            }
            else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // auth failed, redirect to login page
                filterContext.Result = new HttpUnauthorizedResult();
            }
            else if (filterContext.HttpContext.User.IsInRole( "SuperUser" ))
            {
                // is authenticated and is in the SuperUser role
                SetCachePolicy( filterContext );
            }
            else
            {
                // is authenticated but not authorized: render the error view instead of redirecting
                ViewDataDictionary viewData = new ViewDataDictionary();
                viewData.Add( "Message", "You do not have sufficient privileges for this operation." );
                filterContext.Result = new ViewResult { MasterName = this.MasterName, ViewName = this.ViewName, ViewData = viewData };
            }
        }

        protected void SetCachePolicy( AuthorizationContext filterContext )
        {
            // ** IMPORTANT **
            // Since we're performing authorization at the action level, the authorization code runs
            // after the output caching module. In the worst case this could allow an authorized user
            // to cause the page to be cached, then an unauthorized user would later be served the
            // cached page. We work around this by telling proxies not to cache the sensitive page,
            // then we hook our custom authorization code into the caching mechanism so that we have
            // the final say on whether a page should be served from the cache.
            HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
            cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
            cachePolicy.AddValidationCallback( CacheValidateHandler, null );
        }
    }
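
The following variant is an added example, not code from the answer above. It reaches the same outcome by overriding `AuthorizeCore` and `HandleUnauthorizedRequest` instead of `OnAuthorization`, so the base class keeps handling the output-cache validation, and it returns the error view with a 403 status instead of 200. The class name `ForbiddenViewAuthorizeAttribute` is hypothetical, and the example assumes an ASP.NET MVC version whose `AuthorizeAttribute` exposes `HandleUnauthorizedRequest`.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical name; an added variant, not the answer's attribute.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class ForbiddenViewAuthorizeAttribute : AuthorizeAttribute
{
    public string ViewName { get; set; }
    public string MasterName { get; set; }

    public ForbiddenViewAuthorizeAttribute()
    {
        ViewName = "Error";
    }

    // Putting the SuperUser bypass here means the live request and the
    // output-cache validation callback (both call AuthorizeCore) agree.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (base.AuthorizeCore(httpContext))
        {
            return true;
        }
        var user = httpContext.User;
        return user != null && user.Identity.IsAuthenticated && user.IsInRole("SuperUser");
    }

    // Called by the base OnAuthorization only when AuthorizeCore returned false.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Anonymous: keep the default 401 so the login redirect still happens.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Authenticated but not permitted: render the error view with 403, not 200,
        // so clients, caches and monitoring see the request as denied.
        var response = filterContext.HttpContext.Response;
        response.StatusCode = 403;
        response.TrySkipIisCustomErrors = true; // keep IIS from swapping in its own 403 page

        var viewData = new ViewDataDictionary();
        viewData.Add("Message", "You do not have sufficient privileges for this operation.");
        filterContext.Result = new ViewResult { MasterName = MasterName, ViewName = ViewName, ViewData = viewData };
    }
}
```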

