In our ASP.NET MVC application, we automatically redirect users to a log-on page via the <authentication> section of <system.web> when they attempt to access an authorized-only page. The problem is that one action in the middle of the application, designed to be used by a tool, needs to return a straight-up HTTP 401 response on bad access. How can I return a real HTTP 401 code without the redirect for this specific action?
在我们的ASP.NET MVC应用程序中,当用户尝试访问仅授权页面时,我们会自动通过
3 个解决方案
#1
6
The following solution works, although I'm not at all sure it's optimal:
以下解决方案有效,但我不确定它是否是最佳的:
public class HttpAuthenticationRequiredResult : ActionResult
{
public override void ExecuteResult(ControllerContext context)
{
var response = context.HttpContext.Response;
response.StatusCode = 401;
response.AddHeader("WWW-Authenticate", "Basic realm=\"whatever\"");
response.Flush();
response.Close();
}
}
You can then return the above result instead of an HttpUnauthorizedResult to generate the required 401 code. This feels quite klugy to me, however.
然后,您可以返回上述结果而不是HttpUnauthorizedResult来生成所需的401代码。然而,这对我来说非常麻烦。
#2
4
You can have separate <system.web> sections for separate paths. Here's an example:
您可以为单独的路径分别使用
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authorization>
<allow roles="GoodGuys" />
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
In this case, the page "Foo/Bar.aspx" is allowed to folks with the GoodGuys role, but denied to all others.
在这种情况下,允许具有GoodGuys角色的人员使用页面“Foo / Bar.aspx”,但拒绝所有其他人。
In your case, you might want to allow all without authentication:
在您的情况下,您可能希望允许所有未经身份验证:
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
#3
0
Had a similar case where I needed to return back something that triggered an undesired redirect (basically a message about how authentication failed and it was redirecting to the login screen without the error information).
有一个类似的情况,我需要返回一些触发不需要的重定向的东西(基本上是一个关于身份验证失败的信息,并且它没有错误信息重定向到登录屏幕)。
This solved the problem:
这解决了这个问题:
Response.SuppressFormsAuthenticationRedirect = true;
#1
6
The following solution works, although I'm not at all sure it's optimal:
以下解决方案有效,但我不确定它是否是最佳的:
public class HttpAuthenticationRequiredResult : ActionResult
{
public override void ExecuteResult(ControllerContext context)
{
var response = context.HttpContext.Response;
response.StatusCode = 401;
response.AddHeader("WWW-Authenticate", "Basic realm=\"whatever\"");
response.Flush();
response.Close();
}
}
You can then return the above result instead of an HttpUnauthorizedResult to generate the required 401 code. This feels quite klugy to me, however.
然后,您可以返回上述结果而不是HttpUnauthorizedResult来生成所需的401代码。然而,这对我来说非常麻烦。
#2
4
You can have separate <system.web> sections for separate paths. Here's an example:
您可以为单独的路径分别使用
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authorization>
<allow roles="GoodGuys" />
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
In this case, the page "Foo/Bar.aspx" is allowed to folks with the GoodGuys role, but denied to all others.
在这种情况下,允许具有GoodGuys角色的人员使用页面“Foo / Bar.aspx”,但拒绝所有其他人。
In your case, you might want to allow all without authentication:
在您的情况下,您可能希望允许所有未经身份验证:
<configuration>
<location path="Foo/Bar.aspx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
#3
0
Had a similar case where I needed to return back something that triggered an undesired redirect (basically a message about how authentication failed and it was redirecting to the login screen without the error information).
有一个类似的情况,我需要返回一些触发不需要的重定向的东西(基本上是一个关于身份验证失败的信息,并且它没有错误信息重定向到登录屏幕)。
This solved the problem:
这解决了这个问题:
Response.SuppressFormsAuthenticationRedirect = true;