在ASP.NET Core中使用返回URL

Question

We are trying to redirect the user(using return URL) to the login page if the user is not authenticated/authorized while accessing the particular URL. However, we are not able to add the custom parameters(clientname in this case) in route while redirecting the user to the login page. We are using asp.net identity core framework.

In Startup.cs we have defined the below route which will be applicable to all.

app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "Edge",
                    template: "{clientname}/{controller}/{action}");
            });

also added below the line of code to ensure that all URLs required authentication

services.AddMvc(o =>
{
   o.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
})

and configured the IdentityOptions for redirecting to the login page as follows

services.Configure<IdentityOptions>(opt =>
{
  opt.Cookies.ApplicationCookie.LoginPath = new PathString("/Account/Login");
});

and in Account Controller below is the login method

[HttpGet]
[AllowAnonymous]
public IActionResult Login(string returnUrl = null)
{
    this.ViewData["ReturnUrl"] = returnUrl;
    return View();
}

If the user tries to access any URL without authentication it should redirect to login page. Consider below Index method from Home Controller as an example.

public IActionResult Index()
{
    return View();
}

But whenever we try to redirect the user to login page it does not append the client name in the URL. It forms below the URL where clientname is missing in /Account/Login

http://localhost:5002/Account/Login?ReturnUrl=/ClientA/home/index

Because of this, it is resulting in 404 Page not found error.So what changes we need to do for proper redirection.

The Url should be formed as follows

http://localhost:5002/ClientA/Account/Login?ReturnUrl=/ClientA/home/index

Answer 1

您将在身份验证选项上专门设置LoginPath。默认情况下，无论您尝试获得何种资源，未经身份验证时，它将始终将您定向到该位置。我相信您可能必须替换或继承/替代某些内部方法，才能使LoginPath基于您请求的资源而动态化。我不确定动态本地登录路径是否受本机支持吗？我可能是错的。

在不相关的安全说明上，您应该在尝试使用ReturnUrl中的资源对应用程序而言是本地的，甚至返回应用程序的主页。否则，格式错误的URL可能会将重定向位置欺骗到旨在模仿实际外观但故意带有恶意的资源。

if (Url.IsLocalUrl(returnUrl))
    return Redirect(returnUrl);
else
    return RedirectToAction("Index", "Home");

Answer 2

看来他们在.Net Core MVC中更改了它

它如何为我工作：

public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = "")
{
    ....... other codes

    if (!String.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
       return Redirect(returnUrl);
    else
       return RedirectToAction("Index", "Home");
}

现在转到HTML Razor Code：

@{
    ViewData["Title"] = "Login";
    Layout = "~/Views/Shared/_Layout.cshtml";
    var returnUrl = @Context.Request.Query["returnurl"];
}

<form asp-action="Login" asp-route-returnurl="@returnUrl">
   <!--Rest of your login page HTML -->
</form>

现在，它运行顺利！