我正在使用jquery对asp.net mvc控制器动作进行ajax调用:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult GetWeek(string startDay)
{
var daysOfWeek = CompanyUtility.GetWeek(User.Company.Id, startDay);
return Json(daysOfWeek);
}
当会话超时时,此调用将失败,因为User对象存储在会话中。我创建了一个自定义authorize属性,以检查会话是否丢失并重定向到登录页面。这适用于页面请求,但它不适用于ajax请求,因为您无法从ajax请求重定向:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AuthorizeUserAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (!httpContext.Request.IsAjaxRequest())
{//validate http request.
if (!httpContext.Request.IsAuthenticated
|| httpContext.Session["User"] == null)
{
FormsAuthentication.SignOut();
httpContext.Response.Redirect("~/?returnurl=" + httpContext.Request.Url.ToString());
return false;
}
}
return true;
}
}
我在另一个线程上读到,当用户未经过身份验证并且你发出ajax请求时,你应该将状态代码设置为401(未授权),然后在js中检查它并将它们重定向到登录页面。但是,我无法做到这一点:
protected override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (Request.IsAjaxRequest() && (!Request.IsAuthenticated || User == null))
{
filterContext.RequestContext.HttpContext.Response.StatusCode = 401;
}
else
{
base.OnActionExecuting(filterContext);
}
}
基本上,它会将它设置为401,但随后它将继续进入控制器操作并抛出一个对象引用未设置为对象错误的实例,然后将错误500返回给客户端js 。如果我更改自定义Authorize属性以验证ajax请求并为未经过身份验证的那些返回false,则会使ajax请求返回我的登录页面,这显然不起作用。
我该如何运作?
答案 0 :(得分:84)
您可以编写一个自定义[Authorize]属性,该属性将返回JSON,而不是在未经授权的访问时抛出401异常,这将允许客户端脚本优雅地处理该方案:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.Result = new JsonResult
{
Data = new
{
// put whatever data you want which will be sent
// to the client
message = "sorry, but you were logged out"
},
JsonRequestBehavior = JsonRequestBehavior.AllowGet
};
}
else
{
base.HandleUnauthorizedRequest(filterContext);
}
}
}
然后用它和客户端装饰你的控制器/动作:
$.get('@Url.Action("SomeAction")', function (result) {
if (result.message) {
alert(result.message);
} else {
// do whatever you were doing before with the results
}
});
答案 1 :(得分:37)
我不会将JsonRequestBehavior更改为AllowGet。相反,我建议:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class MyAuthorizeAttribute : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
OnAuthorizationHelp(filterContext);
}
internal void OnAuthorizationHelp(AuthorizationContext filterContext)
{
if (filterContext.Result is HttpUnauthorizedResult)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.HttpContext.Response.StatusCode = 401;
filterContext.HttpContext.Response.End();
}
}
}
}
并添加全局js ajax错误处理程序:
$(document).ajaxError(function (xhr, props) {
if (props.status === 401) {
location.reload();
}
}
答案 2 :(得分:8)
即使这已经过去了,但我认为如果您使用的是.NET 4.5,这是最简短最甜蜜的答案。添加了名为SuppressFormsAuthenticationRedirect的小属性。设置为true,它不会执行302重定向登录页面。
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AjaxAuthorizeAttribute : AuthorizeAttribute
{
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
// returns a 401 already
base.HandleUnauthorizedRequest(filterContext);
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
// we simply have to tell mvc not to redirect to login page
filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
}
}
}
假设你计划处理ajax请求失败/错误回调,你将获得401 Unauthorized。
答案 3 :(得分:5)
在Master页面上添加此jquery脚本------------
<script type="text/javascript">
$.ajaxSetup({
statusCode: {
403: function () {
window.location.reload();
}
}
});
OR
$.ajaxSetup({
error: function (x, e) {
if (x.status == 403) {
window.location.reload();
}
}
});
</script>
在项目中添加一个以TraceFilter命名的cs文件,并编写一个继承ActionFilterAttribute的封闭类TraceFilterAttribute。 通过写下面的行,在项目的App_Start文件夹中的FilterConfig.cs中添加TraceFilterAttribute类。
filters.Add(new TraceFilterAttribute());
在TraceFilterAttribute类中重写方法OnActionExecuting()。这将自动检查会话,如果找到会话null,则调用母版页中可用的脚本,然后您可以转到您的选择页面。
[AttributeUsage(AttributeTargets.All)]
public sealed class TraceFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext != null)
{
HttpSessionStateBase objHttpSessionStateBase = filterContext.HttpContext.Session;
var userSession = objHttpSessionStateBase["etenetID"];
if (((userSession == null) && (!objHttpSessionStateBase.IsNewSession)) || (objHttpSessionStateBase.IsNewSession))
{
objHttpSessionStateBase.RemoveAll();
objHttpSessionStateBase.Clear();
objHttpSessionStateBase.Abandon();
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.HttpContext.Response.StatusCode = 403;
filterContext.Result = new JsonResult { Data = "LogOut" };
}
else
{
filterContext.Result = new RedirectResult("~/Admin/GoToLogin");
}
}
}
}
}
答案 4 :(得分:4)
我遇到了类似的问题,发现this
在发回响应之前,不要返回任何JSON,而是强制ASP.NET返回401代码。在Global.asax:
protected void Application_EndRequest()
{
var context = new HttpContextWrapper(Context);
if (context.Request.IsAjaxRequest() && context.Response.StatusCode == 302)
{
Context.Response.Clear();
Context.Response.Write("**custom error message**");
Context.Response.StatusCode = 401;
}
}
然后你可以让客户端用JavaScript / jQuery或者你正在使用的任何东西来处理它
答案 5 :(得分:1)
这里是我如何在我的自定义授权中以如此简单的方式处理这个问题,我检查会话是否已经出来并使用布尔值处理未经授权的处理,以检查它是否真的经过身份验证但未经授权(重定向到un-授权页面)或由于会话超时(重定向到登录)而未进行身份验证
private bool ispha_LoggedIn = false;
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
ispha_LoggedIn = false;
var session = httpContext.Session;
bool authorize = false;
if (httpContext.Session["authenticationInfo"] == null)
{
return authorize;
}
using (OrchtechHR_MVCEntities db = new OrchtechHR_MVCEntities())
{
UserAuthenticationController UM = new UserAuthenticationController();
foreach (var roles in userAssignedRoles)
{
authorize = UM.IsUserInRole(httpContext.User.Identity.Name, roles);
if (authorize)
{
return authorize;
}
}
}
ispha_LoggedIn = true;
return authorize;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (ispha_LoggedIn==false)
{
filterContext.Result = new RedirectResult("~/UserAuthentication/LogIn");
}
else
{
filterContext.Result = new RedirectResult("~/Dashboard/UnAuthorized");
}
}
希望如果这可以引导某人,并且如果有评论的话,请欣赏它们。
答案 6 :(得分:0)
你可能想尝试抛出HttpException并在你的javascript中捕获它。
throw new HttpException(401, "Auth Failed")
答案 7 :(得分:-2)
返回类似这样的内容
<script>
$(function(){
location.reload();
});
</script>
哈哈