Here is the code for my base controller, the idea is that if the Authorization string is not in the HTTP Headers we kick them out. I swear it was working properly and now suddenly it does not work. Strangely when I debug it is actually stepping INTO the if statement so it is indeed true that the HTTP Header I am requesting is a NULL OR EMPTY string, HOWEVER, it is not exiting early and returning 403 Access Denied anymore... it was working fine and suddenly it is just ignoring the entire thing and eventually crashing later on in the app when I try to parse the Authorization String that WAS NOT ACTUALLY FOUND.
using System.Web.Mvc;

public class AuthController : Controller
{
    protected int AccountID;

    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        //if no authorization string is provided, access denied
        if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden
            base.OnAuthorization(filterContext);
            //no return here, so execution falls through to the parsing below
        }
        //otherwise grab the authorization string and validate it
        string authString = filterContext.HttpContext.Request.Headers["Authorization"];
        string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;
        int getAccountID = 0;
        //if authorization fails...
        if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden
            base.OnAuthorization(filterContext);
            //again no return, so the code below still runs
        }
        //AccountID will never be zero at this point
        AccountID = getAccountID;
        //carry on with Controller Action, request is valid and AccountID is known
        base.OnAuthorization(filterContext);
    }
}
UPDATE: Just tried filterContext.Result = new HttpUnauthorizedResult(); instead, same results. Controller action continues and throws error when trying to parse the header string that was not found.
UPDATE 2: Added "return;" after each of the base.OnAuthorization() calls besides the last one; now when it fails I get a 302 moved from MVC followed by a 404, which, it turns out, is the app trying to redirect to a default login page URL that does not actually exist... could this be good enough? Maybe, but I'd rather block it straight out rather than letting some wonky redirect happen as the way of blocking them; it doesn't feel secure to me.
AH HA!
I was calling the base.OnAuthorization() too many times, apparently it's not actually a permanent goodbye from the thread... not sure why I thought it was now that I think about it... here is the working code:
using System.Web.Mvc;

public class AuthController : Controller
{
    protected int AccountID;

    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        int getAccountID = 0;
        //if no authorization string is provided, access denied
        if (string.IsNullOrEmpty(filterContext.HttpContext.Request.Headers["Authorization"]))
        {
            filterContext.Result = Content("Access Denied", "text/plain");
            filterContext.HttpContext.Response.StatusCode = 403; //forbidden
        }
        else
        {
            //otherwise grab the authorization string and validate it
            string authString = filterContext.HttpContext.Request.Headers["Authorization"];
            string urlPath = string.IsNullOrEmpty(filterContext.HttpContext.Request.Path) ? "" : filterContext.HttpContext.Request.Path;
            //if authorization fails...
            if (!AuthCore.Authorize(authString, urlPath, ref getAccountID))
            {
                filterContext.Result = Content("Access Denied", "text/plain");
                filterContext.HttpContext.Response.StatusCode = 403; //forbidden
            }
        }
        //AccountID will never be zero at this point
        AccountID = getAccountID;
        //carry on with Controller Action, request is valid and AccountID is known
        base.OnAuthorization(filterContext);
    }
}
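The same check written as a reusable authorization filter, added here as an example and not the poster's code: there is exactly one deny path, the method returns right after setting Result so nothing below can overwrite it, and the decision is isolated in a helper that fails closed. It assumes the poster's AuthCore.Authorize(string, string, ref int) helper exists with the signature shown above.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Added example (not the poster's code). Assumes AuthCore.Authorize exists
// with the signature used on this page.
public class HeaderAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        int accountId;
        if (!TryAuthorize(filterContext, out accountId))
        {
            // Setting Result is what stops the action from executing;
            // returning immediately guarantees the denial is never overwritten.
            filterContext.Result = new HttpStatusCodeResult(
                (int)HttpStatusCode.Forbidden, "Access Denied");
            return;
        }

        // Hand the identity to the action through HttpContext.Items rather than
        // a protected field, so the filter works on any controller.
        filterContext.HttpContext.Items["AccountID"] = accountId;
    }

    // Pure decision: missing/empty header, failed validation, or an account id
    // of zero all deny. Any exception from AuthCore propagates and also denies.
    private static bool TryAuthorize(AuthorizationContext filterContext, out int accountId)
    {
        accountId = 0;
        var request = filterContext.HttpContext.Request;
        string authString = request.Headers["Authorization"];
        if (string.IsNullOrEmpty(authString))
            return false;

        string urlPath = request.Path ?? string.Empty;
        return AuthCore.Authorize(authString, urlPath, ref accountId) && accountId != 0;
    }
}
```

Apply it with [HeaderAuthorize] on a controller or action, or register it globally; a denied request gets a plain 403 with no redirect to a login page.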
I think you should check out this post: Securing your ASP.NET MVC 3 Application