我实现了自定义的AuthorizationHandler。 在那我检查我用户可以解决并处于活动状态。
如果用户不活跃,那么我想返回403状态。
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ValidUserRequirement requirement)
{
var userId = context.User.FindFirstValue( ClaimTypes.NameIdentifier );
if (userId != null)
{
var user = await _userManager.GetUserAsync(userId);
if (user != null)
{
_httpContextAccessor.HttpContext.AddCurrentUser(user);
if (user.Active)
{
context.Succeed(requirement);
return;
}
else
{
_log.LogWarning(string.Format("User ´{1}´ with id: ´{0} isn't active", userId, user.UserName), null);
}
}
else
{
_log.LogWarning(string.Format("Can't find user with id: ´{0}´", userId), null);
}
} else
{
_log.LogWarning(string.Format("Can't get user id from token"), null);
}
context.Fail();
var response = _httpContextAccessor.HttpContext.Response;
response.StatusCode = 403;
}
但是我收到401。您能帮我吗?
答案 0 :(得分:3)
您能否在功能结束时检查一下?在某些情况下,我在自定义中间件中使用它来将状态代码重写为401,但在您的情况下也可以使用
var filterContext = context.Resource as AuthorizationFilterContext;
var response = filterContext?.HttpContext.Response;
response?.OnStarting(async () =>
{
filterContext.HttpContext.Response.StatusCode = 403;
//await response.Body.WriteAsync(message, 0, message.Length); only when you want to pass a message
});
答案 1 :(得分:1)
根据单一职责原则,我们不应使用HandleRequirementAsync()方法来重定向响应,而应使用中间件或Controller来做到这一点。如果将重定向逻辑放在HandleRequirementAsync()中,那么是否要在“查看”页面中使用重定向逻辑呢?
您可以将与重定向相关的代码删除到其他地方(外部),现在您注入IAuthorizationService来进行任意授权,甚至是基于资源的授权:
public class YourController : Controller{
private readonly IAuthorizationService _authorizationService;
public YourController(IAuthorizationService authorizationService)
{
this._authorizationService = authorizationService;
}
[Authorize("YYY")]
public async Task<IActionResult> Index()
{
var resource /* = ... */ ;
var x = await this._authorizationService.AuthorizeAsync(User,resource , "UserNameActiveCheck");
if (x.Succeeded)
{
return View();
}
else {
return new StatusCodeResult(403);
}
}
}