我在 Global.asax 的Application_Error()中管理所有应用错误:
protected void Application_Error(object sender, EventArgs e)
{
Exception exception = Server.GetLastError();
Log.LogException(exception);
Response.Clear();
HttpException httpException = exception as HttpException;
RouteData routeData = new RouteData();
routeData.Values.Add("controller", "Erro");
if (httpException == null)
{
routeData.Values.Add("action", "Index");
}
else //It's an Http Exception
{
switch (httpException.GetHttpCode())
{
case 404:
//Page not found
routeData.Values.Add("action", "HttpError404");
break;
case 500:
//Server error
routeData.Values.Add("action", "HttpError500");
break;
// Here you can handle Views to other error codes.
// I choose a General error template
default:
routeData.Values.Add("action", "General");
break;
}
}
//Pass exception details to the target error View.
routeData.Values.Add("error", exception);
//Clear the error on server.
Server.ClearError();
//Avoid IIS7 getting in the middle
Response.TrySkipIisCustomErrors = true;
//Call target Controller and pass the routeData.
IController errorController = new ErroController();
errorController.Execute(new RequestContext(new HttpContextWrapper(Context), routeData));
}
所以,我的应用程序中有一个处理未授权请求的自定义授权属性,我想重定向到Application_Error()来操纵它。
所以,我这样做:
protected override void HandleUnauthorizedRequest(AuthorizationContext context)
{
if (context.HttpContext.Request.IsAuthenticated)
{
throw new HttpException(403, "Forbidden Access.");
}
else
{
base.HandleUnauthorizedRequest(context);
}
}
以这种方式调用Application_Error(),但是直接调用异常对我来说似乎很难看,存在另一种方式吗?你觉得怎么样?
答案 0 :(得分:2)
因为默认情况下Unauthorized 不是错误!
只需将此方法添加到global.asax
protected void Application_EndRequest(object sender, EventArgs e) {
if (Context.Response.StatusCode == 401 || Context.Response.StatusCode == 403) {
// this is important, because the 401 is not an error by default!!!
throw new HttpException(401, "You are not authorised");
}
}
答案 1 :(得分:2)
您不应在AuthorizeAttribute内引发异常,因为这可能会导致依赖AuthorizeAttribute进行授权检查的代码出现性能问题。 AuthorizeAttribute用于检查授权是否有效,而不是基于此信息采取操作。这就是原始代码不直接抛出异常的原因 - 它将任务委托给HttpUnauthorizedResult类。
相反,您应该创建一个自定义处理程序(类似于HttpUnauthorizedResult)来引发异常。这将彻底区分检查授权的逻辑,并根据未经授权的行为采取行动到两个不同的类别。
public class HttpForbiddenResult : HttpStatusCodeResult
{
public HttpForbiddenResult()
: this(null)
{
}
// Forbidden is equivalent to HTTP status 403, the status code for forbidden
// access. Other code might intercept this and perform some special logic. For
// example, the FormsAuthenticationModule looks for 401 responses and instead
// redirects the user to the login page.
public HttpForbiddenResult(string statusDescription)
: base(HttpStatusCode.Forbidden, statusDescription)
{
}
}
然后在您的自定义AuthorizeAttribute中,您只需要在HandleUnauthorizedRequest中设置新的处理程序。
protected override void HandleUnauthorizedRequest(AuthorizationContext context)
{
if (context.HttpContext.Request.IsAuthenticated)
{
// Returns HTTP 403 - see comment in HttpForbiddenResult.cs.
filterContext.Result = new HttpForbiddenResult("Forbidden Access.");
}
else
{
base.HandleUnauthorizedRequest(context);
}
}
如果需要执行与抛出HttpException不同的操作,则应该继承ActionResult并在ExecuteResult方法中实现该操作,或者使用一个继承ActionResult的内置类。
答案 2 :(得分:1)
你的代码很好。默认情况下,如果您调用base.HandleUnauthorizedRequest,它会抛出401异常,该异常由表单身份验证模块拦截,您将被重定向到登录页面(这可能不是所需的行为)。所以你的方法是正确的。
另一种可能性是,如果您不想通过Application_Error,则直接呈现相应的错误视图:
protected override void HandleUnauthorizedRequest(AuthorizationContext context)
{
if (context.HttpContext.Request.IsAuthenticated)
{
context.Result = new ViewResult
{
ViewName = "~/Views/Shared/Forbidden.cshtml"
};
}
else
{
base.HandleUnauthorizedRequest(context);
}
}