授权Ajax调用

时间:2015-04-10 06:34:03

标签: c# ajax asp.net-mvc

所以我有MVC5项目,当点击一个按钮时我有一些ajax调用,它调用的控制器具有我自定义属性,因此框架可以将某人重定向到类似于非ajax [Authorize]的登录页面。

自定义属性:

public class AjaxAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext context)
    {
        if (context.HttpContext.Request.IsAjaxRequest()) {
            dynamic urlHelper = new UrlHelper(context.RequestContext);
            context.HttpContext.Response.StatusCode = 403;

            context.Result = new JsonResult {
                Data = new {
                    Error = "NotAuthorized",
                    LogOnUrl = urlHelper.Action("Registration", "Membership")
                },
                JsonRequestBehavior = JsonRequestBehavior.AllowGet
            };
        } else {
            base.HandleUnauthorizedRequest(context);
        }
    }
}

控制器:

[HttpPost()]
[AjaxAuthorize()]
public void Test()
{
       //do something
}

Javascript:

    //AJAX AUTHORIZE REDIRECT
    $(document).ajaxError(function (e, xhr) {
        if (xhr.status == 403) {
            var response = $.parseJSON(xhr.responseText);
            window.location = response.LogOnUrl;
        }
    });

它在我的localhost中工作正常,但是当我将它部署到我的网络服务器时它不起作用。我做了一些检查,结果我的jquery脚本中的xhr.responseText有不同的结果,这里是比较:

localhost:

{"Error":"NotAuthorized","LogOnUrl":"/Membership/Registration"} //correct output

网络服务器:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;} 
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} 
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

知道为什么会这样吗?

1 个答案:

答案 0 :(得分:1)

方法1 (首选)

您可以为回复设置TrySkipIisCustomErrors为true。像这样:

protected override void HandleUnauthorizedRequest(AuthorizationContext context)
{
    if (context.HttpContext.Request.IsAjaxRequest()) {
        dynamic urlHelper = new UrlHelper(context.RequestContext);

        context.HttpContext.Response.TrySkipIisCustomErrors= true;
        context.HttpContext.Response.StatusCode = 403;

        context.Result = new JsonResult {
            Data = new {
                Error = "NotAuthorized",
                LogOnUrl = urlHelper.Action("Registration", "Membership")
            },
            JsonRequestBehavior = JsonRequestBehavior.AllowGet
        };
    } else {
        base.HandleUnauthorizedRequest(context);
    }
}

方法2 您可以通过从403删除此语句来停止发送结束HTTP状态代码HandleUnauthorizedRequest

context.HttpContext.Response.StatusCode = 403;

这将告诉您的客户端和服务器此请求已成功。在这种情况下,你的javascript代码看起来像这样,

$(document).ajaxSuccess(function (e, xhr) {
    var response = $.parseJSON(xhr.responseText);
    if (typeof(response.Error) !== 'undefined') {
        window.location = response.LogOnUrl;
    }
});