Question
I have a project using ASP.NET MVC3 and using membership for roles. I use Authorize in every controller, e.g.:

    [Authorize(Roles = "Administrator")]
    public ActionResult Index(string q, int i)
    {
        return View(model);
    }

If someone doesn't have the Administrator role, it will redirect to the login page by default. How can I change it so it redirects to Views/Shared/UnAuthorize.cshtml? Or maybe, if someone doesn't have the Administrator role, it could show a message box (alert)?
Thanks in advance.
Answer 1:
Just change the page that has to be shown in the web.config (check that the route exists):

    <authentication mode="Forms">
        <forms loginUrl="~/UnAuthorize" timeout="2880" />
    </authentication>

If you instead want to redirect to a specific path for every role, you can extend the AuthorizeAttribute with your own. Something like this (not tested, I wrote this to give you an idea):

    using System.Web.Mvc;
    using System.Web.Routing;

    public class CheckAuthorize : ActionFilterAttribute
    {
        public Role[] Roles { get; set; }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Your code to get the user
            var user = ((ControllerBase)filterContext.Controller).GetUser();
            if (user != null)
            {
                // Allow the request when the user holds one of the listed roles
                foreach (Role role in Roles)
                {
                    if (role == user.Role)
                        return;
                }
            }

            RouteValueDictionary redirectTargetDictionary = new RouteValueDictionary();
            // user can be null here, so guard before reading its role
            if (user != null && user.Role == Role.Administrator)
            {
                redirectTargetDictionary.Add("action", "Unauthorized");
                redirectTargetDictionary.Add("controller", "Home");
            }
            else
            {
                redirectTargetDictionary.Add("action", "Logon");
                redirectTargetDictionary.Add("controller", "Home");
            }
            filterContext.Result = new RedirectToRouteResult(redirectTargetDictionary);
        }
    }

Answer 2:
I solved my problem. I only do this:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Mvc;

    public class MyAuthorize : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            // You can change this to any controller or HTML page.
            filterContext.Result = new RedirectResult("/cpanel/roles/unauthorize");
        }
    }

and apply MyAuthorize to a class or action:

    [MyAuthorize]
    public class AdminController : Controller
    {
    }

That's it.
Answer 3:
Well, you can inherit from AuthorizeAttribute and override HandleUnauthorizedRequest, which is responsible for redirection of unauthorized/unauthenticated requests. I think this question will be helpful to you.
Answer 4:
My own version, based on ntep vodka's:

    using System.Web;
    using System.Web.Mvc;

    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (IsUserAuthenticated(filterContext.HttpContext))
            {
                // Signed in, but not in a required role
                filterContext.Result = new RedirectResult("/Account/InvalidRole");
            }
            else
            {
                // Not signed in: default behaviour (redirect to the login page)
                base.HandleUnauthorizedRequest(filterContext);
            }
        }

        private bool IsUserAuthenticated(HttpContextBase context)
        {
            return context.User != null && context.User.Identity != null && context.User.Identity.IsAuthenticated;
        }
    }

This way I get the standard redirect to the login page for users who are not authenticated, and a custom redirect for users that are authenticated but don't have the appropriate role for the action.
Answer 5:
The code below helped, and here is the reference on Stack Overflow: ASP.NET MVC 4 custom Authorize attribute - How to redirect unauthorized users to error page?

    using System.Web.Mvc;
    using System.Web.Routing;

    public class CustomAuthorize : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // Not signed in: default behaviour (redirect to the login page)
                base.HandleUnauthorizedRequest(filterContext);
            }
            else
            {
                // Signed in, but not in a required role
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary(new { controller = "Error", action = "AccessDenied" }));
            }
        }
    }

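
An added example, not part of any answer on this page: a variant of the pattern in the two answers above that renders the shared view from the question in place with HTTP 403 instead of issuing a redirect, and gives AJAX callers a bare status code. The class name RoleAuthorizeAttribute is hypothetical, and the view name UnAuthorize is assumed from the path in the question.

```csharp
using System.Net;
using System.Web.Mvc;

// Added example. Usage: [RoleAuthorize(Roles = "Administrator")]
public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        bool authenticated = http.User != null
            && http.User.Identity != null
            && http.User.Identity.IsAuthenticated;

        if (!authenticated)
        {
            // Anonymous caller: keep the default 401, which forms
            // authentication turns into a redirect to loginUrl.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Signed in but lacking the role: answer 403. Forms authentication
        // only rewrites 401 responses, so no login redirect happens.
        // Ask IIS not to replace the body with its own error page.
        http.Response.TrySkipIisCustomErrors = true;

        if (http.Request.IsAjaxRequest())
        {
            // Script callers get the status code only, not an HTML page.
            filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Forbidden);
            return;
        }

        http.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        filterContext.Result = new ViewResult
        {
            // Falls back to Views/Shared/UnAuthorize.cshtml when the
            // controller has no view of that name.
            ViewName = "UnAuthorize"
        };
    }
}
```

Because the response keeps the 403 status and the original URL, access logs and monitoring can count denied role checks directly rather than inferring them from redirects.
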
Answer 6:
I use this method and it is very easy to implement.
Securing Asp.net MVC3
Change your default route to logon page in global.asax
Source: https://stackoverflow.com/questions/7656163/asp-net-mvc-3-redirect-unauthorized-user-not-to-loginurl