asp.net-mvc - 用户不担任角色时的ASP.NET登录重定向循环

Question

我在实现ASP.NET MVC 5中的角色方面有些困惑。我试图以没有访问我要访问的应用程序区域所需的角色的用户身份登录。在这种情况下，我期望的是，我将再次重定向到登录页面，直到输入一组具有访问权限的凭据或导航到应用程序的另一个区域为止。

实际发生的情况是该应用程序似乎进入了登录重定向循环，通过调试发现该登录操作被多次调用。

这是登录操作:

[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
    ViewBag.ReturnUrl = returnUrl;
    return View();
}

这将导致IIS生成错误:

HTTP Error 404.15 - Not Found
The request filtering module is configured to deny a request where the query string is too long.

查询字符串如下所示:

http://localhost/MyApplication/Account/Login?ReturnUrl=%2FMyApplication%2FAccount%2FLogin%3FReturnUrl%3D%252FMyApplication%252FAccount%252FLogin%253FReturnUrl%253D%25252FMyApplication%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FMyApplication%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FMyApplication%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FMyApplication%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FMyApplication%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FMyApplication%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FMyApplication%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FMyApplication%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FMyApplication%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FMyApplication%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FMyApplication%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FMyApplication%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FMyApplication%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FMyApplication%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FMyApplication%252525252525252525252525252525252F

从有效的解决方案(尽管没有基于角色的授权)到当前的崩溃情况，我所做的唯一更改是在成功登录后重定向到的 Controller 上方添加了以下内容:

[Authorize(Roles = "Staff")]

就像我之前说过的那样，我所登录的用户不是该角色，但是我希望可以进行一次明智的单次重定向到Login，而不会造成循环。

编辑:请求bu @dima，通过过滤器应用的授权的详细信息...我有以下内容:

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}

但是，我已经测试了有无此行的应用程序，并且重定向循环继续保持不变。

Answer 1

虽然这个问题很旧，但我遇到了同样的问题并找到了解决方案。

最初，我添加了相同的AuthorizationAttribute过滤器，并发现自己处于同一循环中。然后，我拿走了它，开始将authorize属性添加到各个 Controller ，发现无限循环仅在将authorize属性添加到我的家庭 Controller 时发生。原来我的HomeController在之后被称为。

问题

在我的AccountController中，我调用了以下命令:

@Html.Action("LeftNav", "Home")

布局页面可以正确渲染主体，但是当到达该主体页面时，它正在命中具有授权属性的 Controller 方法。这导致重定向到_Layout.cshtml。

将Account/Login属性添加到AllowAnonymous操作可以解决此问题。

解决方案

确保您的LeftNav View 和布局不调用任何具有authorize属性的 Action 。

自发现这一点以来，我为未经授权的请求创建了一个自定义布局，以避免出现更多此类潜在问题。