问题
I have created a custom AuthorizationAttribute which I'm placing on my controllers. I followed this article. I've implemented custom authorization logic in the OnAuthorization method and this works fine. When the user fails authorization I'm currently doing the following:
// if authorization check fails...
filterContext.Result = new HttpUnauthorizedResult();
This displays a username/password prompt.
My question is what is the recommended way send the user to a "Access Is Denied" type page when they fail authorization?
I am using MVC3.
回答1:
On the login page, you can check if the user is already logged in and display an access denied message instead of the login prompt.
回答2:
In the end I went for a straight redirect:
public override void OnAuthorization(AuthorizationContext filterContext)
...
// if authorization check fails...
filterContext.Result = new RedirectResult(AccessDeniedPage);
Edit: Rob Conery has a very good article describing this in detail with ASP.NET MVC: Securing Your Controller Actions
回答3:
you can throw HttpException with error code 401
来源:https://stackoverflow.com/questions/6329524/redirect-to-accessdenied-page-when-user-is-not-authorized