How to create custom JsonAuthorize Attribute to se

2019-08-07 18:56发布

站内问答 / 后端开发
840 3 4

I was thinking how to correctly secure JsonResult action with custom attribute instead of doing kind of this on each action like saying here ASP.NET MVC JsonResult and AuthorizeAttribute

if (!User.Identity.IsAuthenticated)
    return Json("Need to login");

But the question is how could i create such attribute which would return Json. So i've started from that:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class JsonAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext == null)
            {
                throw new ArgumentNullException("httpContext");
            }
            IPrincipal user = httpContext.User;

            if (!user.Identity.IsAuthenticated)
            { 
               //? 
            }

            //Need to return json somehow ?
        }
    }

Bot how i may return json result from such attribute? any ideas?

3条回答
一夜七次
2楼-- · 2019-08-07 19:21

1 way is to override AuthorizeAttribute.HandleUnauthorizedRequest

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
    throw new CustomUnauthorizedException();
}

... And then in your Global.asax:

protected void Application_Error(object sender, EventArgs e)
{
    Exception error = Server.GetLastError();
    if (error is CustomUnauthorizedException) {
        if (AjaxRequest(Request)) {
            ... return Json response.
        } else {
            ... redirect
        }
    }
}

So you can throw the exception anywhere in your codebase and you've centralized the handling of that exception in Global.asax

查看更多
0人赞 添加讨论(0) 举报
放我归山
3楼-- · 2019-08-07 19:30

Try this.. it works for me

 protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
 {
   dynamic ResponseObj = new JObject();
   ResponseObj.Message = "Authorization has been denied for this request.";
   string jsonString = Newtonsoft.Json.JsonConvert.SerializeObject(ResponseObj);
   actionContext.Response = new HttpResponseMessage
    {
      StatusCode = HttpStatusCode.Unauthorized,
      Content = new StringContent(jsonString, System.Text.Encoding.UTF8,"application/json")
     };
 }
查看更多
0人赞 添加讨论(0) 举报
4楼-- · 2019-08-07 19:33

You can use an ActionFilterAttribute which allows you to return a result without using the httpcontext.response.write or anything.

public class JsonActionFilterAttribute : ActionFilterAttribute {
    public override void OnActionExecuting(ActionExecutingContext filterContext) {
        if (!HttpContext.Current.User.Identity.IsAuthenticated) {
            filterContext.Result = new JsonResult() { Data = "Need to login." };
        }
        base.OnActionExecuting(filterContext);
    }
}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)