Luk*_*Led 22 asp.net authentication ajax asp.net-mvc
How do you handle AJAX requests when the user is not authenticated?
Someone opens a page, leaves the room for an hour, comes back and adds a comment on an AJAX-driven page that uses jQuery ($.post). Because the user is no longer authenticated, the action method returns a RedirectToRoute result (a redirect to the login page). What do you do with it? How do you handle it on the client side, and how do you handle it in the controller?
Luk*_*Led 16
EDIT:
I wrote the answer above a long time ago, and I now believe that sending 403 is not the right way. 403 has a slightly different meaning and should not be used here. Here is the corrected attribute using 401. It differs only in the added context.HttpContext.Response.End() in Http401Result and in the different HTTP code:
public class OptionalAuthorizeAttribute : AuthorizeAttribute
{
    private class Http401Result : ActionResult
    {
        public override void ExecuteResult(ControllerContext context)
        {
            // Set the response code to 401 and return the message as the response body.
            context.HttpContext.Response.StatusCode = 401;
            context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue);
            context.HttpContext.Response.End();
        }
    }

    private readonly bool _authorize;

    public OptionalAuthorizeAttribute()
    {
        _authorize = true;
    }

    // OptionalAuthorize is turned on on the base controller class, so it has to be turned off on some controllers.
    // That is why the parameter is introduced.
    public OptionalAuthorizeAttribute(bool authorize)
    {
        _authorize = authorize;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // When the authorize parameter is set to false, no authorization should be performed.
        if (!_authorize)
            return true;

        var result = base.AuthorizeCore(httpContext);
        return result;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
        {
            // An AJAX request doesn't get the login page redirect; it just returns a 401 error.
            filterContext.Result = new Http401Result();
        }
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
Old answer:
While I like the ideas posted in the other answers (I had the same idea before), I needed code samples. Here they are:
The modified Authorize attribute:
public class OptionalAuthorizeAttribute : AuthorizeAttribute
{
    private class Http403Result : ActionResult
    {
        public override void ExecuteResult(ControllerContext context)
        {
            // Set the response code to 403 and return the message as the response body.
            context.HttpContext.Response.StatusCode = 403;
            context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue);
        }
    }

    private readonly bool _authorize;

    public OptionalAuthorizeAttribute()
    {
        _authorize = true;
    }

    // OptionalAuthorize is turned on on the base controller class, so it has to be turned off on some controllers.
    // That is why the parameter is introduced.
    public OptionalAuthorizeAttribute(bool authorize)
    {
        _authorize = authorize;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // When the authorize parameter is set to false, no authorization should be performed.
        if (!_authorize)
            return true;

        var result = base.AuthorizeCore(httpContext);
        return result;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
        {
            // An AJAX request doesn't get the login page redirect; it just returns a 403 error.
            filterContext.Result = new Http403Result();
        }
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
HandleUnauthorizedRequest is overridden so that Http403Result is returned when AJAX is used. Http403Result changes the StatusCode to 403 and returns a message to the user in the response. There is some additional logic in the attribute (the authorize parameter), because I turn [Authorize] on in the base controller and disable it on some pages.
The other important part is the global handling of this response on the client side. This is what I placed in Site.Master:
<script type="text/javascript">
    $(document).ready(
        function() {
            $("body").ajaxError(
                function(e, request) {
                    if (request.status == 403) {
                        alert(request.responseText);
                        window.location = '/Logout';
                    }
                }
            );
        }
    );
</script>
I put a GLOBAL ajax error handler in place, and when a $.post runs into a 403 error, the response message is alerted and the user is redirected to the logout page. Now I don't have to handle the error in every $.post request, because it is handled globally.
Why 403 and not 401? 401 is handled internally by the MVC framework (that is why there is a redirect to the login page after authorization fails).
What do you think about this?
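As an added example (not code from the answer above), the server-side branch and the client-side global handler it describes are modelled in plain JavaScript so they can be run under Node.js; the login/logout routes and the message text are assumed stand-ins for the author's routes and the CTRes resource.

```javascript
// Added example, not from the original answer: the server-side decision and the
// client-side global handler, modelled in plain JavaScript so it runs under Node.js.
const LOGIN_PATH = "/Account/LogOn"; // assumed forms-auth login route
const LOGOUT_PATH = "/Logout";       // the route the answer's handler navigates to
// Stand-in for the CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue resource.
const AUTH_LOST_MESSAGE =
  "Authorization lost. Please log out and log in again to continue.";

// Server side: what an unauthenticated request receives. The request is treated as
// AJAX the same way IsAjaxRequest() does it: by the X-Requested-With header, which
// jQuery adds to same-origin XMLHttpRequests.
function unauthorizedResponse(req) {
  const headers = req.headers || {};
  if ((headers["x-requested-with"] || "") === "XMLHttpRequest") {
    // A 302 to the login page would be followed transparently by XMLHttpRequest,
    // so the caller would see a 200 whose body is the login HTML. An explicit 401
    // (not authenticated) lets the client recognise the situation instead.
    return { status: 401, headers: { "Content-Type": "text/plain" }, body: AUTH_LOST_MESSAGE };
  }
  // Ordinary navigation keeps the usual redirect to the login page.
  const returnUrl = encodeURIComponent(req.url || "/");
  return { status: 302, headers: { Location: `${LOGIN_PATH}?ReturnUrl=${returnUrl}` }, body: "" };
}

// Client side: a global error handler like the one placed in Site.Master. It takes
// an XHR-like object and a navigate callback (window.location in a browser). Only
// 401 triggers the logout; other failures are left to the caller. Several $.post
// calls can fail at once after the session expires, so the redirect happens once.
function makeGlobalAjaxErrorHandler(navigate) {
  let redirecting = false;
  return function onAjaxError(xhr) {
    if (xhr.status !== 401) {
      return { action: "ignore", message: xhr.responseText };
    }
    if (redirecting) {
      return { action: "already-redirecting", message: xhr.responseText };
    }
    redirecting = true;
    navigate(LOGOUT_PATH);
    return { action: "logout", message: xhr.responseText };
  };
}
```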