1. 技术文章
  2. Attribute inheriting from AuthorizeAttribute not working

Attribute inheriting from AuthorizeAttribute not working

帅比萌擦擦* 提交于 2019-12-21 17:56:46

问题


I'm currently trying to implement security in a new ASP MVC 5 application, based on user roles. The goal is to prevent users from accessing certain controllers or controller methods if they don't have a certain role (or higher). Based on what I've read on the question so far, I created an attribute that inherits AuthorizeAttribute which looks like this (MyAppRole is an enum, btw) :

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeRoleOrSuperiorAttribute : AuthorizeAttribute
{
    private MyAppRole _authorizedRole;

    public AuthorizeRoleOrSuperiorAttribute(MyAppRole authorizedRole)
    { //Breakpoint here
        _authorizedRole = authorizedRole;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    { //Breakpoint here
        base.OnAuthorization(actionContext);

        if (!UserInfo.GetUserRoles().Any(r => (int)r >= (int)_authorizedRole))
            throw new UnauthorizedAccessException(ErrorsModule.RoleMissing);
    }
}

And I call it this way on methods and/or controllers :

[AuthorizeRoleOrSuperior(MyAppRole.Admin)]
public class MyController : Controller
{
    [AuthorizeRoleOrSuperior(MyAppRole.Admin)]
    public ViewResult Index()
    {
        [...]
    }

    [...]
}

I placed a breakpoint on the constructor and the OnAuthorization method but, when I launch the app and call the concerned controller or method, I never hit any of them and the action is called, even though I'm not even logged in.

Note : the AuthorizeAttribute is working properly when I use it.

Any idea what could prevent the attribute to work and filter accesses ?


回答1:


Are you inheriting the attribute from System.Web.Http.AuthorizeAttribute? It works differently than System.Web.Mvc.AuthorizeAttribute.

Try inheriting from System.Web.Mvc.AuthorizeAttribute instead.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class AuthorizeRoleOrSuperiorAttribute : System.Web.Mvc.AuthorizeAttribute
{
    private MyAppRole _authorizedRole;

    public AuthorizeRoleOrSuperiorAttribute(MyAppRole authorizedRole)
    { //Breakpoint here
        _authorizedRole = authorizedRole;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    { //Breakpoint here
        base.OnAuthorization(filterContext);

        if (!UserInfo.GetUserRoles().Any(r => (int)r >= (int)_authorizedRole))
            throw new UnauthorizedAccessException(ErrorsModule.RoleMissing);
    }
}

That should at least make you hit the breakpoint.

Note parameter difference in: OnAuthorization(AuthorizationContext filterContext) and public override void OnAuthorization(HttpActionContext actionContext)

You can also set filterContext.Result = new HttpUnauthorizedResult(); to get the correct 401 http status code.



来源:https://stackoverflow.com/questions/41121851/attribute-inheriting-from-authorizeattribute-not-working

标签
c#
.net
asp.net-mvc-5
authorize-attribute
asp.net-roles
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!