[Authorize]属性来防止没有正确用户角色的用户,但如何实现自己的属性来阻止不符合自定义要求的用户执行操作,而无需在每个操作内部编写手动检查?Authorize属性,并覆盖AuthorizeCore方法,在该方法中放置自定义的授权逻辑:public class MyAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var authroized = base.AuthorizeCore(httpContext);
if (!authroized)
{
return false;
}
// at this stage the base authorization process has passed.
// now implement your custom authorization logic and return true or false
// here you have access to the HttpContext and as a consequence to all
// request and route parameters so you could implement any
// authorization logic you want
// And of course if you want a completely custom authorization logic
// ignoring the base functionality don't call the base method above
// but completely override anything here
}
}
[Authorize(Roles="Admin, SuperUser")]
FilterAttribute派生会有问题吗? - Jonathan WoodFilterAttribute派生,并通过将自定义授权逻辑放在OnAuthorization方法中实现IAuthorizationFilter接口。 - Darin Dimitrov