[授权] 属性是好的，方便的MS发明，我希望它可以解决我现在的问题

[Authorize] attribute is nice and handy MS invention, and I hope it can solve the issues I have now

要更具体：

在当前客户端未通过身份验证 - [授权] 从保护的动作重定向到登录页面，登录后成功 - 使用户返回，这是件好事

When current client isn't authenticated - [Authorize] redirects from secured action to logon page and after logon was successful - brings user back, this is good.

但是，当目前的客户端已经通过身份验证，但无权运行的具体行动 - 我需要的是只显示我一般403页

But when current client already authenticated but not authorized to run specific action - all I need is to just display my general 403 page.

是否有可能在无控制器的身体的移动授权逻辑？

Is it possible without moving authorization logic within controller's body?

更新： 我需要的应该是语义上的行为等于这个小品：

Update: The behavior I need in should be semantically equals to this sketch:

public ActionResult DoWork()
{
    if (!NotAuthorized())
    {
        // this should be not redirect, but forwarding 
        return RedirectToAction("403");         
    }

    return View();
}

让 - 应该没有任何重定向和URL应该保持不变，但页面内容应改为403页

so - there should no any redirect and url should be stay the same, but contents of the page should be replaced with 403-page

更新2 ：我以这种方式实现的草图：

Update 2: I implemented sketch in this way:

[HandleError]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        ViewData["Message"] = "Welcome to ASP.NET MVC!";

        return View();
    }

    [CustomActionFilter]
    public ActionResult About()
    {
        return View();
    }

    public ActionResult Error_403()
    {
        return Content("403");
    }
}

public class CustomActionFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        filterContext.Result = new ContentResult { Content = "403" };
    }
}

和不能得到如何正确执行前进到HomeController.Action_403（），所以它显示403。

And can't get how to properly forward execution to HomeController.Action_403() so it display 403.

更新3

filterContext.Result = new ViewResult() { ViewName = "Error_403" };

所以这是如何呈现的特定视图模板的一个答案......但仍然不知道如何运行另一个控制器 - 无论如何，这是不够好的解决办法

so this is an answer on how to render specific view template... but still have no idea how to run another controller - anyway, it's enough good solution.

推荐答案

您应该能够创建自己的类派生自AuthorizeAttribute并覆盖AuthorizeCore方法来提供所需的授权机制，这样就可以通过使用属性，而不是移动到控制器应用您的自定义授权code。

You should be able to create your own class that derives from AuthorizeAttribute and override the AuthorizeCore method to provide the authorization mechanism that you want, so that you can apply your custom authorization code by using an attribute instead of moving it into the controller.

如果您通过授权需要更细粒度的控制，那么我建议你创建的实施IActionFilter接口（一个属性，然后应用属性的方法）。这将允许您拦截来电，他们去到控制器之前，并提供其他操作的在的控制器方法被调用。

If you need more fine-grained control over authorization, then I recommend that you create an implementation of the IActionFilter interface (on an attribute, then apply the attribute to your methods). This will allow you to intercept calls before they go to the controller, and provide alternate actions before your controller method is called.

这是实施OnActionExecuting法中的 IActionFilter 接口。如果你的逻辑判断，你不应该拨打电话到控制器的一切，你要提供一个ActionResult要处理，而不是，那么你会设置Result在ActionExecutingContext例如传入方法。通过这样做，那的ActionResult 被处理的将控制器的方法来获得，而不是一个的ActionResult 。

This is achieved by implementing the OnActionExecuting method on the IActionFilter interface. If your logic determines that you should not make the call to the controller at all, and you want to provide an ActionResult to be processed instead, then you would set the Result property on the ActionExecutingContext instance passed into the method. By doing this, that ActionResult is processed instead of going to the controller method to get an ActionResult.

如果你想返回403错误code，那么你就不能使用 ContentResult类型类。你必须创建自己的类派生自的ActionResult 并重写ExecuteResult方法来设置Status$c$c在Htt$p$psponseBase 403，像这样：

If you want to return a 403 error code, then you can't use the ContentResult class. You will have to create your own class that derives from ActionResult and override the ExecuteResult method to set the StatusCode property on the HttpResponseBase to 403, like so:

internal class Http403Result : ActionResult
{
    public override void ExecuteResult(ControllerContext context)
    {
        // Set the response code to 403.
        context.HttpContext.Response.StatusCode = 403;
    }
}

public class CustomActionFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        filterContext.Result = new Http403Result();
    }
}

当然，你也可以概括 Http403Result 类取一个构造函数，接受要返回状态code，但概念是相同的

Of course, you can generalize the Http403Result class to take a constructor which will accept the status code that you want to return, but the concept remains the same.