ASP.NET MVC Futures RequireSSL attribute and Authorize attribute together

Time: 2021-09-10 15:26:44

Is anyone successfully using both the Authorize and RequireSSL (from MVC futures) attributes together on a controller? I have created a controller for which I must enforce the rule that the user must be logged in and using a secure connection in order to execute. If the user is not on a secure connection, I want the app to redirect to https, thus I am using Redirect=true on the RequireSSL attribute. The code looks something like (CheckPasswordExpired is my homegrown attribute):

[Authorize]
[RequireSsl(Redirect = true)]
[CheckPasswordExpired(ActionName = "ChangePassword",
    ControllerName = "Account")]
[HandleError]
public class ActionsController : Controller
{
    ....
}

mysite.com/Actions/Index is the default route for the site and also the default page to redirect to for forms authentication.

When I browse to http://mysite.com, what I want to get is the user redirected to a secure connection, and because they are not authenticated yet, to the login page. What I get is an HTTP 400 error (Bad Request). If I navigate to http://mysite.com/Account/Login, the redirect works, but neither my Account controller nor my Login action method has the [Authorize] attribute.

Anyone have any experience with using these two attributes together to achieve my objective?

Thanks!

1 solution

#1


I'm using both of them with success. Do you have the attributes on your default action?

public class HomeController : BaseController
{
  // both filters sit on the default action itself
  [Authorize]
  [RequireSsl]
  public ActionResult Index ()
  {
    return View ();
  }
}

BTW I'm using a slightly modified version of the one in the futures so that I can disable SSL globally:

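using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

[AttributeUsage (AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class RequireSslAttribute : FilterAttribute, IAuthorizationFilter
{
    public RequireSslAttribute ()
    {
        Redirect = true;
    }

    // true: redirect plain-HTTP requests to HTTPS; false: reject them with 403
    public bool Redirect { get; set; }

    public void OnAuthorization (AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException ("filterContext");
        }

        if (!Enable)
        {
            return;
        }

        if (!filterContext.HttpContext.Request.IsSecureConnection)
        {
            // request is not SSL-protected, so throw or redirect
            if (Redirect)
            {
                // use the RawUrl since it works with URL Rewriting; split off the
                // query string, because UriBuilder.Path escapes '?' as %3F
                string rawUrl = filterContext.HttpContext.Request.RawUrl;
                int queryStart = rawUrl.IndexOf ('?');

                // form new URL
                UriBuilder builder = new UriBuilder
                {
                    Scheme = "https",
                    Host = filterContext.HttpContext.Request.Url.Host,
                    Path = queryStart < 0 ? rawUrl : rawUrl.Substring (0, queryStart),
                    Query = queryStart < 0 ? string.Empty : rawUrl.Substring (queryStart + 1)
                };
                filterContext.Result = new RedirectResult (builder.ToString ());
            }
            else
            {
                throw new HttpException ((int)HttpStatusCode.Forbidden, "Access forbidden. The requested resource requires an SSL connection.");
            }
        }
    }

    // global switch; defaults to false, so the filter does nothing until
    // this is set to true (for example at application start)
    public static bool Enable { get; set; }
}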
