AuthenticationFilter caching in an MVC application

I am trying to write my own IAuthenticationFilter implementation, but I am probably getting something quite wrong.

The problem:

People can access pages they should not be able to access!

How I implement security

As said, I want to write my own implementation of an IAuthenticationFilter attribute to decorate almost every method and/or controller across the whole MVC application. For example, AdminController looks like this:

[UserHandler(roles: new Role[] { Role.ADMIN })]
public class AdminController : Controller
{
    ... 
}

The Role object is an Enum and has other values (READ, WRITE and SUPERVISOR).

Now, this is my actual implementation of the authentication filter:

using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Routing;

// Note: [OutputCache] only applies to controllers and action methods;
// placing it on a filter class or on the filter's own methods has no effect.
[OutputCache(Duration = 0)]
public class UserHandler : ActionFilterAttribute, IAuthenticationFilter
{
    private bool AppOffline;
    private bool isAuthenticated = false;
    private bool isAuthorized = false;
    private bool isAdmin = false;

    public UserHandler(Role[] roles = null)
    {
        string userID = HttpContext.Current.User.Identity.Name.Substring(7, 7);

        // creates a users repository
        UsersRepository repository = new UsersRepository(User.GetUserHandler());
        // search the user ID within the database
        // it's basically an encapsulated .Where(u => u.ID == userID)
        isAuthenticated = repository.IsAuthenticated(userID);

        if (isAuthenticated)
        {
            // search the roles associated to the user
            isAdmin = repository.IsAuthorized(userID, new Role[] { Role.ADMIN });

            // this is where the authorization is done:
            // the roles array in the constructor parameter is
            // intersected with the roles array coming from the
            // database: if any(), the user is authorized.
            isAuthorized = repository.IsAuthorized(userID, roles);
        }
    }

    [OutputCache(Duration = 0)]
    void IAuthenticationFilter.OnAuthentication(AuthenticationContext filterContext)
    {
        AppStatus m = new AppStatus();
        AppOffline = m.IsOffline;

        if (!isAuthenticated || (AppOffline && !isAdmin) || !isAuthorized)
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    [OutputCache(Duration = 0)]
    void IAuthenticationFilter.OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (!isAuthenticated)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                new { action = "UtenteNonPresente", controller = "Errori" }));
        }
        else if (AppOffline && !isAdmin)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                new { action = "ManutenzioneAttiva", controller = "Errori" }));
        }
        else if (!isAuthorized)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                new { action = "OperazioneNonConsentita", controller = "Errori" }));
        }
    }
}

I cannot see where the problem is, but I think it is something about caching the "isAuthorized" boolean, because, for example, I see that refreshing the page does not call the UserHandler constructor.

Another big problem is that I see the issue happen from time to time, but I cannot find a real way to debug it. In most cases, though, restarting the site from the IIS panel makes it go away, which is what made me think of a caching problem.
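The behaviour described above (constructor not called on refresh, problem going away after an IIS restart) is what ASP.NET MVC's filter pipeline does by design: filter attribute instances are cached per action method for the lifetime of the application, so an attribute constructor runs once per action, not once per request. Anything computed in the constructor from HttpContext.Current.User is therefore reused for every later caller of that action until the application pool recycles. The example below, added here as an editor's illustration and not code from the original post, keeps the attribute itself stateless and evaluates authentication, maintenance mode and roles inside OnAuthentication on each request, passing the per-request outcome to OnAuthenticationChallenge through HttpContext.Items. The IUserRepository and IAppStatus interfaces, the static factory hooks and the Role enum values are assumptions standing in for the post's UsersRepository, AppStatus and Role types.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;
using System.Web.Routing;

// Role enum with the values named in the question (assumption about ordering).
public enum Role { READ, WRITE, SUPERVISOR, ADMIN }

// Hypothetical contracts standing in for the question's UsersRepository and AppStatus.
public interface IUserRepository
{
    bool IsAuthenticated(string userId);
    Role[] GetRoles(string userId);
}

public interface IAppStatus
{
    bool IsOffline { get; }
}

public sealed class UserHandlerAttribute : FilterAttribute, IAuthenticationFilter
{
    // Per-request scratch slot: HttpContext.Items lives exactly as long as one request.
    private const string OutcomeKey = "UserHandler.Outcome";

    // Hypothetical wiring hooks, assigned once at application start (assumption: no DI container).
    public static Func<IUserRepository> RepositoryFactory =
        () => { throw new InvalidOperationException("RepositoryFactory not configured"); };
    public static Func<IAppStatus> StatusFactory =
        () => { throw new InvalidOperationException("StatusFactory not configured"); };

    private enum Outcome { Allowed, NotAuthenticated, Maintenance, NotAuthorized }

    // Immutable configuration only: MVC constructs the attribute once per action, not per request.
    private readonly Role[] _requiredRoles;

    public UserHandlerAttribute(params Role[] roles)
    {
        _requiredRoles = roles ?? new Role[0];
    }

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;
        Outcome outcome = Evaluate(http.User, _requiredRoles);
        http.Items[OutcomeKey] = outcome;

        // A protected page must never be served from a browser or proxy cache to a later visitor.
        http.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        http.Response.Cache.SetNoStore();

        if (outcome != Outcome.Allowed)
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        object stored = filterContext.HttpContext.Items[OutcomeKey];
        Outcome outcome = stored is Outcome ? (Outcome)stored : Outcome.Allowed;

        switch (outcome)
        {
            case Outcome.NotAuthenticated:
                filterContext.Result = ErrorRedirect("UtenteNonPresente");
                break;
            case Outcome.Maintenance:
                filterContext.Result = ErrorRedirect("ManutenzioneAttiva");
                break;
            case Outcome.NotAuthorized:
                filterContext.Result = ErrorRedirect("OperazioneNonConsentita");
                break;
        }
    }

    // Pure function of the current principal and the attribute's configuration; nothing is stored on the attribute.
    private static Outcome Evaluate(IPrincipal user, Role[] requiredRoles)
    {
        IIdentity identity = user != null ? user.Identity : null;
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
        {
            return Outcome.NotAuthenticated;
        }

        IUserRepository repository = RepositoryFactory();
        string userId = identity.Name;
        if (!repository.IsAuthenticated(userId))
        {
            return Outcome.NotAuthenticated;
        }

        Role[] userRoles = repository.GetRoles(userId) ?? new Role[0];
        bool isAdmin = userRoles.Contains(Role.ADMIN);
        if (StatusFactory().IsOffline && !isAdmin)
        {
            return Outcome.Maintenance;
        }

        // Deny by default: an attribute that lists no roles grants nothing.
        if (requiredRoles.Length == 0 || !requiredRoles.Intersect(userRoles).Any())
        {
            return Outcome.NotAuthorized;
        }
        return Outcome.Allowed;
    }

    private static RedirectToRouteResult ErrorRedirect(string action)
    {
        return new RedirectToRouteResult(
            new RouteValueDictionary(new { controller = "Errori", action = action }));
    }
}
```

Usage is `[UserHandler(Role.ADMIN)]` on the controller or action. Two choices are deliberate: the principal comes from `filterContext.HttpContext.User` rather than `HttpContext.Current` so the filter can be unit-tested with a fake context, and an attribute with no roles denies rather than allows, so a forgotten argument fails closed. The `[OutputCache]` attributes in the original have no effect on a filter class; the response cache headers are set directly in OnAuthentication instead.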

xuguirong answered: AuthenticationFilter caching in an MVC application

No good solution for now; if you have a good solution, please e-mail: iooj@foxmail.com
Link to this article: https://www.f2er.com/2372475.html
