代码顺序为:OnAuthorization-->AuthorizeCore-->HandleUnauthorizedRequest
如果AuthorizeCore返回false时,才会走HandleUnauthorizedRequest 方法,并且Request.StausCode会返回401,401错误又对应了Web.config中
所有,AuthorizeCore==false 时,会跳转到 web.config 中定义的 loginUrl="login/login"
AuthorizeAttribute的OnAuthorization方法内部调用了AuthorizeCore方法,这个方法是实现验证和授权逻辑的地方,如果这个方法返回true,表示授权成功,如果返回false, 表示授权失败,会给上下文设置一个HttpUnauthorizedResult,这个ActionResult执行的结果是向浏览器返回一个401状态码(未授权),但是返回状态码没什么意思,通常是跳转到一个登录页面,可以重写AuthorizeAttribute的HandleUnauthorizedRequest
<authentication mode="Forms">
<forms loginUrl="login/login" timeout="2880" />
</authentication>public class UserAuthorizeAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var user = (SysUser)httpContext.Session["CurrentUser"];
return user != null;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
var a = new JsonResult();
a.Data = new AjaxResult() { Message = "会话已过期,请重新登录" };
filterContext.Result = a;
return;
}
filterContext.Result = new RedirectResult("/Login/Login?url=" + filterContext.HttpContext.Request.Url);
}
}