AuthorizeAttributeプロパティを使用して、MVCのドメイン間攻撃を簡単に回避

    ---                  ，                    。



           ，ajax                      









[csharp] view plaincopy

01.using System;  

02.using System.Collections.Generic;  

03.using System.Linq;  

04.using System.Web;  

05.using System.Web.Mvc;  

06.  

07.namespace Admin.MyAttribute  

08.{  

09.    [AttributeUsage(AttributeTargets.All, Inherited = true)]  

10.    public class CheckAuthority : AuthorizeAttribute  

11.    {  

12.  

13.        protected override bool AuthorizeCore(HttpContextBase httpContext)  

14.        {  

15.            bool Pass = true;  

16.            Uri UrlReferrer = httpContext.Request.UrlReferrer;//      

17.            if (UrlReferrer == null)  

18.            {  

19.                httpContext.Response.StatusCode = 401;//        

20.  

21.                Pass = false;  

22.            }  

23.            else   

24.            {  

25.                 Uri ThisUrl = httpContext.Request.Url;//     URL  

26.                if (UrlReferrer.Authority  != ThisUrl.Authority)  

27.                {  

28.                    httpContext.Response.StatusCode = 401;//        

29.                    Pass = false;  

30.                }  

31.            }  

32.  

33.  

34.            return Pass;  

35.        }  

36.  

37.         

38.  

39.        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)  

40.        {  

41.            base.HandleUnauthorizedRequest(filterContext);  

42.            if (filterContext.HttpContext.Response.StatusCode == 401)  

43.                filterContext.Result = new RedirectResult("/");  

44.        }  

45.  

46.         

47.  

48.        

49.    }  

50.}  









[csharp] view plaincopy

01.      









[csharp] view plaincopy

01. [MyAttribute.CheckAuthority]  

02.        public ActionResult Index()  

03.        {  

04.             

05.            return View();  

06.        }