MVC中使用AuthorizeAttribute做身份验证操作

代码顺序为：OnAuthorization-->AuthorizeCore-->HandleUnauthorizedRequest

假设AuthorizeCore返回false时，才会走HandleUnauthorizedRequest 方法，而且Request.StausCode会返回401，401错误又相应了Web.config中

的

<authentication mode="Forms">

<forms loginUrl="~/" timeout="2880" />

</authentication>

全部，AuthorizeCore==false 时，会跳转到 web.config 中定义的 loginUrl="~/"

public class CheckLoginAttribute : AuthorizeAttribute

{

protected override bool AuthorizeCore(HttpContextBase httpContext) {

bool Pass = false;

if (!CheckLogin.AdminLoginCheck())

{

httpContext.Response.StatusCode = 401;//无权限状态码

Pass = false;

}

else

{

Pass = true;

}

return Pass;

}

protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)

{

if(filterContext.HttpContext.Request.IsAjaxRequest())

{

if (!App.AppService.IsLogon)

{

filterContext.Result = new JsonResult

{

Data = new {IsSuccess = false, Message = "不好意思,登录超时,请又一次登录再操作!"},

JsonRequestBehavior = JsonRequestBehavior.AllowGet

};

return;

}

}

if (App.AppService.IsLogon)

{

return;

}

base.HandleUnauthorizedRequest(filterContext);

if (filterContext.HttpContext.Response.StatusCode == 401)

{

filterContext.Result = new RedirectResult("/");

}

}

}

AuthorizeAttribute的OnAuthorization方法内部调用了AuthorizeCore方法，这种方法是实现验证和授权逻辑的地方，假设这种方法返回true，

表示授权成功，假设返回false， 表示授权失败, 会给上下文设置一个HttpUnauthorizedResult，这个ActionResult运行的结果是向浏览器返回

一个401状态码（未授权）,可是返回状态码没什么意思，一般是跳转到一个登录页面，能够重写AuthorizeAttribute的

HandleUnauthorizedRequest

protected override void HandleUnauthorizedRequest(AuthorizationContext context)

{

if (context == null)

{

throw new ArgumentNullException("filterContext");

}

else

{

string path = context.HttpContext.Request.Path;

string strUrl = "/Account/LogOn?returnUrl={0}";

context.HttpContext.Response.Redirect(string.Format(strUrl, HttpUtility.UrlEncode(path)), true);

}

}