问题
I am working on an ASP.NET Core 2 web application. I am handling Access Denied page for [Authorize (roles OR policies)] pages.
By default, Instead of showing the original URL and returning 403 status, ASP.NET Core 2.0 redirects the request to an AccessDenied page with status is 302 -> This is not what I want.
Instead of redirecting AccessDenied page. I want ASP.NET Core throws my custom ForbiddenException exception so I can handle unauthorized accesses like I do for Unhandled exceptions.
Here is my authentication configuration:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
})
.AddCookie(options => {
options.LoginPath = "/Auth/Login/";
options.LogoutPath = "/Auth/Logout/";
// I want disable this and throw ForbiddenException instead.
options.AccessDeniedPath = "/Auth/AccessDenied/";
});
Anyone has any help? Thank you!
回答1:
The code for redirecting to AccessDeniedPath
is handled by CookieAuthenticationEvents.OnRedirectToAccessDenied, included here for completeness:
public Func<RedirectContext<CookieAuthenticationOptions>, Task> OnRedirectToAccessDenied { get; set; } = context =>
{
if (IsAjaxRequest(context.Request))
{
context.Response.Headers["Location"] = context.RedirectUri;
context.Response.StatusCode = 403;
}
else
{
context.Response.Redirect(context.RedirectUri);
}
return Task.CompletedTask;
};
In order to override this behavior, you can provide your own implementation of OnRedirectToAccessDenied
, that can either write to the response or, in your case, throw an exception. To do that, you can use something like the following:
services.AddAuthentication(...)
.AddCookie(options => {
// ...
options.Events.OnRedirectToAccessDenied = context => {
// Your code here.
// e.g.
throw new YouAreNotWelcomeHereException();
};
});
Here, context
is an instance of RedirectContext, which (through its inheritance tree), contains properties such as:
HttpContext
Request
Response
Properties
(type: AuthenticationProperties)
Using these properties, you can obtain any information you need about the incoming request. You can also write your own response, etc.
来源:https://stackoverflow.com/questions/48466528/how-to-throw-forbiddenexception-in-asp-net-core-2-instead-of-using-accessdeniedp