How to throw ForbiddenException in ASP.NET Core 2 Instead of using AccessDeniedPath

限于喜欢 提交于 2019-12-22 11:27:46

问题


I am working on an ASP.NET Core 2 web application. I am handling Access Denied page for [Authorize (roles OR policies)] pages.

By default, Instead of showing the original URL and returning 403 status, ASP.NET Core 2.0 redirects the request to an AccessDenied page with status is 302 -> This is not what I want.

Instead of redirecting AccessDenied page. I want ASP.NET Core throws my custom ForbiddenException exception so I can handle unauthorized accesses like I do for Unhandled exceptions.

Here is my authentication configuration:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies       
    options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme; // Cookies
})
.AddCookie(options => {

    options.LoginPath = "/Auth/Login/";
    options.LogoutPath = "/Auth/Logout/";

    // I want disable this and throw ForbiddenException instead.
    options.AccessDeniedPath = "/Auth/AccessDenied/";  
});

Anyone has any help? Thank you!


回答1:


The code for redirecting to AccessDeniedPath is handled by CookieAuthenticationEvents.OnRedirectToAccessDenied, included here for completeness:

public Func<RedirectContext<CookieAuthenticationOptions>, Task> OnRedirectToAccessDenied { get; set; } = context =>
{
    if (IsAjaxRequest(context.Request))
    {
        context.Response.Headers["Location"] = context.RedirectUri;
        context.Response.StatusCode = 403;
    }
    else
    {
        context.Response.Redirect(context.RedirectUri);
    }
    return Task.CompletedTask;
};

In order to override this behavior, you can provide your own implementation of OnRedirectToAccessDenied, that can either write to the response or, in your case, throw an exception. To do that, you can use something like the following:

services.AddAuthentication(...)
    .AddCookie(options => {
        // ...
        options.Events.OnRedirectToAccessDenied = context => {
            // Your code here.
            // e.g.
            throw new YouAreNotWelcomeHereException();
        };
    });

Here, context is an instance of RedirectContext, which (through its inheritance tree), contains properties such as:

  • HttpContext
  • Request
  • Response
  • Properties (type: AuthenticationProperties)

Using these properties, you can obtain any information you need about the incoming request. You can also write your own response, etc.



来源:https://stackoverflow.com/questions/48466528/how-to-throw-forbiddenexception-in-asp-net-core-2-instead-of-using-accessdeniedp

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!