Updated: 2023-02-15 23:15:37
The best solution for my scenario appears to be to bypass the base OnAuthorization completely. Since I have to authenticate each time, cookies and caching the Principal are not of much use. So here is the solution I came up with:
```csharp
// Override of AuthorizeAttribute.OnAuthorization (ASP.NET Web API, System.Web.Http).
// GetUserNameAndPassword and isUserAuthorized are the author's own helpers (not shown).
public override void OnAuthorization(HttpActionContext actionContext)
{
    string username;
    string password;
    if (GetUserNameAndPassword(actionContext, out username, out password))
    {
        // Credentials are checked against the Membership provider on every request.
        if (Membership.ValidateUser(username, password))
        {
            // Authenticated but not in a permitted role: 403.
            if (!isUserAuthorized(username))
                actionContext.Response =
                    new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
        }
        else
        {
            // Wrong username/password: 401.
            actionContext.Response =
                new HttpResponseMessage(System.Net.HttpStatusCode.Unauthorized);
        }
    }
    else
    {
        // No usable credentials in the request: 400.
        actionContext.Response =
            new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
    }
}
```
I developed my own method for validating the roles, called isUserAuthorized, and I am not using the base OnAuthorization any more since it checks the current Principal to see if it IsAuthenticated. IsAuthenticated only allows gets, so I am not sure how else to set it, and I do not seem to need the current Principal. Tested this out and it works fine.
Still interested if anyone has a better solution or can see any issues with this one.
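As an added example (not the answerer's code), here is one way to fill in the two helpers the answer leaves out and to address the IsAuthenticated point: the attribute name BasicMembershipAuthorizeAttribute is hypothetical, and it assumes ASP.NET Web API 2 with the Membership and Roles providers configured. It parses the Basic Authorization header itself, answers missing or bad credentials with a 401 challenge rather than 400, and replaces the request principal so later code sees an authenticated user.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Security;

// Hypothetical attribute name. Assumes ASP.NET Web API 2 with Membership and Roles providers configured.
public class BasicMembershipAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string username, password;
        // Missing/malformed header and bad credentials both get 401 plus a challenge (not 400 as above).
        if (!TryGetBasicCredentials(actionContext, out username, out password)
            || !Membership.ValidateUser(username, password))
        {
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            actionContext.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
            return;
        }
        // IsAuthenticated is read-only, but a GenericIdentity with a non-empty name reports true, so replace the principal.
        var principal = new GenericPrincipal(new GenericIdentity(username, "Basic"),
                                             System.Web.Security.Roles.GetRolesForUser(username));
        Thread.CurrentPrincipal = principal;
        // Role check against the attribute's Roles property, e.g. [BasicMembershipAuthorize(Roles = "admin")].
        if (!string.IsNullOrWhiteSpace(Roles) && !Array.Exists(Roles.Split(','), r => principal.IsInRole(r.Trim())))
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
    }

    // Parses "Authorization: Basic base64(user:password)"; returns false on anything malformed.
    private static bool TryGetBasicCredentials(HttpActionContext ctx, out string username, out string password)
    {
        username = password = null;
        AuthenticationHeaderValue auth = ctx.Request.Headers.Authorization;
        if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase) || string.IsNullOrEmpty(auth.Parameter))
            return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter)); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;            // user-id must be non-empty and cannot contain ':'
        username = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1); // the password may itself contain ':'
        return true;
    }
}
```

Because the credentials travel base64-encoded rather than encrypted, this only makes sense on an HTTPS-only endpoint, and ValidateUser still hits the Membership store on every request.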