ASP.NET Core通过web.config授权AD组

本文介绍了ASP.NET Core通过web.config授权AD组的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

在旧的.NET MVC应用程序中，我可以在IIS中启用Windows身份验证并禁用匿名。然后在我的 web.config 文件中，我只需要输入以下内容：

In my old .NET MVC app, I could enable Windows Authentication in IIS and disable anonymous. Then in my web.config file I just had to put in this:

<authorization> <allow roles="Domain\MyADGroupToHaveAccess" /> <deny users="*" /> </authorization>

在.NET Core 2.0中，此方法不起作用–正确拒绝匿名，但未授权所有用户

In .NET Core 2.0 this will not work – it denies anonymous correctly, but it authorizes all users no matter what.

如果我这样做：

[Authorize(Roles = "Domain\\MyADGroupToHaveAccess")]

在我的 HomeController上，它可以工作，但我不想在我的项目中对此设置进行硬编码，因为在其他环境中需要更改此设置。

on my HomeController, it works, but I don't want to hardcode this setting in my project as it's something that needs to be changed for other environments.

如何使 web.config 与AD授权一起使用？还是有另一种方法不对ASP.NET Core中的设置进行硬编码？

How can I make web.config to work with AD Authorization? Or is there another way to not hardcode this setting in ASP.NET Core?

推荐答案

我通过将其设置为策略来解决此问题可以调用 appsettings.json 。这样，有权访问服务器的其他人便可以将组编辑为自己的组。

I solved this by making it into a policy which is able to call appsettings.json. This way other people who have access to the server can then edit the group to their own.

在 Startup.cs ：

services.AddAuthorization(options => { options.AddPolicy("ADRoleOnly", policy => policy.RequireRole(Configuration["SecuritySettings:ADGroup"])); }); services.AddMvc(config => { var policy = new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .Build(); config.Filters.Add(new AuthorizeFilter(policy)); });

在 appsettings.json 中（或者也许 appsettings.production.json （如果有不同）：

In appsettings.json (or perhaps appsettings.production.json if you have different):

"SecuritySettings": { "ADGroup": "YourDomain\\YourADGroup" }

在您的控制器中，您可以使用以下属性装饰它：

In your controllers you can then decorate it with this attribute:

[Authorize(Policy = "ADRoleOnly")]

希望这可以帮助其他人

我有仍然想弄清楚如何在全球范围内应用此策略，因此不必授权每个控制器，我想它可以在 services.AddMvc 中完成？

I have still to figure out how to apply this policy globally, so I don't have to authorize every controller, I'd figure it can be done in the services.AddMvc somehow?