How do you handle ajax requests when user is not authenticated?
Someone enters the page, leaves the room for an hour, returns, and adds a comment on the page that goes through Ajax using jQuery ($.post). Since he is not authenticated, the method returns a RedirectToRoute result (redirects to the login page). What do you do with it? How do you handle it on the client side and how do you handle it in the controller?
EDIT:
I wrote the above answer a long time ago and now I believe that sending 403 is not the proper way to go. 403 has a slightly different meaning and it just shouldn't be used. This is the corrected attribute using 401. It differs only in the additional context.HttpContext.Response.End() in Http401Result and the different HTTP code:
using System.Web;
using System.Web.Mvc;

public class OptionalAuthorizeAttribute : AuthorizeAttribute
{
    private class Http401Result : ActionResult
    {
        public override void ExecuteResult(ControllerContext context)
        {
            // Set the response code to 401 and write a short message for the client.
            context.HttpContext.Response.StatusCode = 401;
            context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue);
            context.HttpContext.Response.End();
        }
    }

    private readonly bool _authorize;

    public OptionalAuthorizeAttribute()
    {
        _authorize = true;
    }

    // OptionalAuthorize is turned on on the base controller class, so it has to be turned off on some controllers.
    // That is why the parameter is introduced.
    public OptionalAuthorizeAttribute(bool authorize)
    {
        _authorize = authorize;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // When the authorize parameter is set to false, no authorization should be performed.
        if (!_authorize)
            return true;

        var result = base.AuthorizeCore(httpContext);
        return result;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
        {
            // An Ajax request doesn't get sent to the login page; it just gets a 401 error.
            filterContext.Result = new Http401Result();
        }
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
OLD answer:
While I like the ideas posted in other answers (which I had an idea about earlier), I needed code samples. Here they are:
Modified Authorize attribute:
using System.Web;
using System.Web.Mvc;

public class OptionalAuthorizeAttribute : AuthorizeAttribute
{
    private class Http403Result : ActionResult
    {
        public override void ExecuteResult(ControllerContext context)
        {
            // Set the response code to 403 and write a short message for the client.
            context.HttpContext.Response.StatusCode = 403;
            context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue);
        }
    }

    private readonly bool _authorize;

    public OptionalAuthorizeAttribute()
    {
        _authorize = true;
    }

    // OptionalAuthorize is turned on on the base controller class, so it has to be turned off on some controllers.
    // That is why the parameter is introduced.
    public OptionalAuthorizeAttribute(bool authorize)
    {
        _authorize = authorize;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // When the authorize parameter is set to false, no authorization should be performed.
        if (!_authorize)
            return true;

        var result = base.AuthorizeCore(httpContext);
        return result;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
        {
            // An Ajax request doesn't get sent to the login page; it just gets a 403 error.
            filterContext.Result = new Http403Result();
        }
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
HandleUnauthorizedRequest is overridden, so it returns Http403Result when using Ajax. Http403Result changes the StatusCode to 403 and returns a message to the user in the response. There is some additional logic in the attribute (the authorize parameter), because I turn on [Authorize] in the base controller and disable it on some pages.
The other important part is global handling of this response on the client side. This is what I placed in Site.Master:
<script type="text/javascript">
    $(document).ready(
        function() {
            $("body").ajaxError(
                function(e, request) {
                    if (request.status == 403) {
                        alert(request.responseText);
                        window.location = '/Logout';
                    }
                }
            );
        }
    );
</script>
I placed a GLOBAL Ajax error handler and whenever $.post fails with a 403 error, the response message is alerted and the user is redirected to the logout page. Now I don't have to handle the error in every $.post request, because it is handled globally.
Why 403, and not 401? 401 is handled internally by the MVC framework (that is why redirection to the login page is done after failed authorization).
What do you think?
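The exchange described in the answer above, as an added example that is not part of the original post and not the answerer's code. It models both halves in plain Node.js (no jQuery, no ASP.NET) so it runs stand-alone: the server half mirrors the overridden HandleUnauthorizedRequest and detects an Ajax call the same way ASP.NET MVC's Request.IsAjaxRequest() does, through the X-Requested-With: XMLHttpRequest header that jQuery sets; the client half is the global error handler, extended to treat 401 (not signed in, so go and log in again) differently from 403 (signed in but not permitted, where logging in again changes nothing), which is the distinction the EDIT draws. It also only accepts a path-only ReturnUrl so the login page cannot be used as an open redirector. The route names /Account/Login and the role check are assumptions modeled on ASP.NET MVC defaults; /Logout is the answer's own route. One caveat for a real ASP.NET deployment: the Forms Authentication module itself rewrites a 401 into a 302 to the login page at the end of the request, and .NET 4.5 added HttpResponse.SuppressFormsAuthenticationRedirect to switch that off for exactly this case.

```javascript
// Added example, not code from the original answer. Models the server decision
// (401 for XHR vs 302-to-login for navigation, 403 for a permission failure)
// and the client's global handling of those codes, without jQuery or ASP.NET.

const LOGIN_PATH = '/Account/Login';  // assumed login route (ASP.NET MVC default template)
const LOGOUT_PATH = '/Logout';        // the answer's own logout route

// ASP.NET MVC's Request.IsAjaxRequest() looks for this header (or a form field
// of the same name), which jQuery adds to every XMLHttpRequest it sends.
function isAjaxRequest(headers) {
  const value = headers['x-requested-with'] || headers['X-Requested-With'];
  return value === 'XMLHttpRequest';
}

// Only allow a local, path-only ReturnUrl: it must start with a single '/',
// so 'https://evil.example/' and protocol-relative '//evil.example/' are refused,
// and it must not carry characters that could smuggle a second header or segment.
function safeReturnUrl(path) {
  if (typeof path !== 'string' || !path.startsWith('/') || path.startsWith('//')) {
    return '/';
  }
  if (/[\\\r\n]/.test(path)) {
    return '/';
  }
  return path;
}

// Server side: decide how to answer a request that requires authorization.
// `user` is null when nobody is signed in; `user.roles` lists the user's roles.
// Returns a plain {status, headers, body} object so the decision is unit-testable.
function authorize(req, user, requiredRole) {
  const ajax = isAjaxRequest(req.headers);
  if (!user) {
    // Not signed in (session expired, cookie gone): 401 for XHR, 302 for navigation.
    if (ajax) {
      return { status: 401, headers: {}, body: 'Authorization lost, please log in again.' };
    }
    const target = LOGIN_PATH + '?ReturnUrl=' + encodeURIComponent(safeReturnUrl(req.path));
    return { status: 302, headers: { Location: target }, body: '' };
  }
  if (requiredRole && !user.roles.includes(requiredRole)) {
    // Signed in but not permitted: 403, never a redirect to login.
    return { status: 403, headers: {}, body: 'Forbidden' };
  }
  return { status: 200, headers: {}, body: 'OK' };
}

// Client side: the global Ajax error handler's decision, as a pure function.
// `currentPath` is window.location.pathname in a browser.
function onAjaxFailure(status, currentPath) {
  switch (status) {
    case 401:
      // The session is gone: go to the login page and come back to this page afterwards.
      return {
        action: 'redirect',
        to: LOGIN_PATH + '?ReturnUrl=' + encodeURIComponent(safeReturnUrl(currentPath)),
      };
    case 403:
      // The user is authenticated but lacks permission: tell them, do not bounce to login.
      return { action: 'notify', message: 'You do not have permission to do that.' };
    default:
      // Other failures (500, network) are left to the individual request's own handler.
      return { action: 'ignore' };
  }
}

// Wiring for a browser page with jQuery loaded; skipped under Node so the file runs stand-alone.
if (typeof window !== 'undefined' && window.jQuery) {
  window.jQuery(document).ajaxError(function (event, jqXHR) {
    const decision = onAjaxFailure(jqXHR.status, window.location.pathname);
    if (decision.action === 'redirect') {
      window.location = decision.to;
    } else if (decision.action === 'notify') {
      window.alert(decision.message);
    }
  });
}
```

Because the client decision is a pure function of the status code, the same handler serves every $.post on the page, as in the answer, but a 403 no longer logs the user out (LOGOUT_PATH is kept only for pages that still want the answer's original behaviour).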