C# MVC: How to override configured authentication

2019-04-23 03:22发布

问题:

I have an MVC application with the following block inside in Web.config:

<authentication mode="Forms">
    <forms loginUrl="~/Login" timeout="2880" />
</authentication>

So, if a user requests a page and authorization fails, they will be redirected to ~/Login.

That's fine, and I need it for most of my controllers. However, I have a controller which I'd like to bypass this rule with. How can I allow specific controllers to ignore this rule?

My problem is that in my MVC application (which has several controllers), I have a certain controller which hosts a REST interface (not meant for browser use). Since this controller isn't meant for browser-consumption, I don't want it sending back an entire login page, (or any page whatsoever actually, just strings or partial views.)

Note that I'm using custom [Authorize...] attributes on my actions, and when THESE fail, they redirect to an Error action--but, unfortunately, my Error action (which returns a short string) is being redirected to the Login page because of this configuration setting!

I'm getting dizzy trying to figure this out, what am I doing wrong? I can provide more details if necessary.

回答1:

You could extend the AuthorizeAttribute class and override HandleUnauthorizedRequest, you may want to return a Forbidden http status code rather than a custom message.

public class CustomAuthorizationAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // You need to set this action result to something other than a HttpUnauthorizedResult, 
        // this result will cause the redirection to the login page

        // Forbidden request... does not redirect to login page
        // filterContext.Result = new HttpStatusCodeResult(403);

        filterContext.Result = new ErrorActionResult { ErrorMessage = "Unauthorized Access" };
    }
}

public class ErrorActionResult : ActionResult
{
    public string ErrorMessage { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        context.HttpContext.Response.Write(this.ErrorMessage);
    }
}


回答2:

Add the following after your system.web element in Web.config:

<location path="home">
<system.web>
    <authorization>
        <allow users="*" />
    </authorization>
</system.web>
</location>

This will allow unauthenticated users access to "/home" and thus any actions on the HomeController.



回答3:

Phil Haack has a pretty thorough blog post on this exact subject: Prevent Forms Authentication Login Page Redirect When You Don’t Want It