How do I specify that the AuthenticationScheme is Windows and check that the user is a member of an AD Group?
When I specify the AuthenticationScheme, setting the Roles no longer works. Why not? And how do I fix that?
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class SomeController : Controller
{
    // this works
    [Authorize(Roles = @"SOME.DOMAIN\SOME GROUP")]
    public IActionResult SomeAction() { ... }

    // this works
    [Authorize(AuthenticationSchemes = "Windows")]
    // this doesn't work
    //[Authorize(Roles = @"SOME.DOMAIN\SOME GROUP", AuthenticationSchemes = "Windows")]
    public ActionResult SomeAction2() { ... }
}

Full example on GitHub
Some background
We have an AD Group called SOME GROUP that the user must be a member of to execute certain actions. In other parts of the web app we're using cookie auth, so I need to specify the authentication method in this particular controller.
Reference: Authorize with a specific scheme in ASP.NET Core
Accepted answer

Turns out, the WindowsIdentity is preserved in the HttpContext.User object, allowing us to check the group/role membership.
Inline example
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IIS;

[Authorize(AuthenticationSchemes = IISServerDefaults.AuthenticationScheme)]
public ActionResult SomeAction()
{
    // The Windows identity is kept on HttpContext.User; guard the cast so a
    // non-Windows identity does not reach the WindowsPrincipal constructor.
    if (!(HttpContext.User.Identity is WindowsIdentity windowsIdentity))
        return Forbid();

    var windowsUser = new WindowsPrincipal(windowsIdentity);
    var role = "[MY-COMPUTER-NAME || AD GROUP NAME]\\[GROUP NAME]";
    var isInRole = windowsUser.IsInRole(role);
    if (!isInRole)
        return Forbid(); // not a member of the required group

    return View();
}

Full source
Policy example
using System;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// AuthorizationHandler<T>
public class RoleHandler : AuthorizationHandler<RoleRequirement>
{
    private readonly ILogger<RoleHandler> logger;

    public RoleHandler(ILogger<RoleHandler> logger)
    {
        this.logger = logger;
    }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RoleRequirement requirement)
    {
        // Only a Windows identity can answer the group question; anything else fails the requirement.
        if (!(context.User.Identity is WindowsIdentity windowsIdentity))
            return Task.CompletedTask;

        var windowsUser = new WindowsPrincipal(windowsIdentity);
        try
        {
            var hasRole = windowsUser.IsInRole(requirement.GroupName);
            if (hasRole)
                context.Succeed(requirement);
        }
        catch (Exception ex)
        {
            logger.LogError(ex, "Unable to check groups the user belongs to");
        }
        return Task.CompletedTask;
    }
}

// IAuthorizationRequirement
public class RoleRequirement : IAuthorizationRequirement
{
    public RoleRequirement(string groupName)
    {
        GroupName = groupName;
    }

    /// <summary>
    /// The Windows / AD Group Name that is allowed to call the OMS API
    /// </summary>
    public string GroupName { get; }
}

// bound from the "Security" configuration section
public class SecurityOptions
{
    public string AllowedGroup { get; set; }
}

// action protected with the policy
[Authorize("Super User Role")]
public IActionResult Contact()
{
    return View();
}

// startup.cs
public void ConfigureServices(IServiceCollection services)
{
    // pull group name from the config
    var securityOptions = Configuration.GetSection("Security").Get<SecurityOptions>();

    services.AddAuthentication(IISDefaults.AuthenticationScheme);
    services.AddAuthorization(options =>
    {
        options.AddPolicy("Super User Role", policy =>
        {
            policy.Requirements.Add(new RoleRequirement(securityOptions.AllowedGroup));
            policy.AddAuthenticationSchemes("Windows");
        });
    });
    services.AddSingleton<IAuthorizationHandler, RoleHandler>();
    // ...
}

Full source
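As an added example (not from the original post or its linked GitHub sources), a variant of the policy handler above that compares the group's SID rather than the "DOMAIN\GROUP" string, so a renamed group fails at startup instead of silently denying everyone, and that still evaluates membership when HttpContext.User.Identity is not a WindowsIdentity. The GroupSidRequirement/GroupSidHandler names and the Security:AllowedGroup config key are assumptions.

```csharp
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Logging;

public sealed class GroupSidRequirement : IAuthorizationRequirement
{
    // domainGroupName is "DOMAIN\GROUP"; translating it needs a domain connection, so do it once at startup.
    public GroupSidRequirement(string domainGroupName)
    {
        GroupSid = (SecurityIdentifier)new NTAccount(domainGroupName).Translate(typeof(SecurityIdentifier));
    }
    public SecurityIdentifier GroupSid { get; }
}

public sealed class GroupSidHandler : AuthorizationHandler<GroupSidRequirement>
{
    private readonly ILogger<GroupSidHandler> _logger;
    public GroupSidHandler(ILogger<GroupSidHandler> logger) => _logger = logger;

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, GroupSidRequirement requirement)
    {
        if (IsMemberOfGroup(context.User, requirement.GroupSid))
            context.Succeed(requirement);
        else
            _logger.LogWarning("User {User} is not in group {Sid}", context.User.Identity?.Name, requirement.GroupSid);
        return Task.CompletedTask;
    }

    // Public and static so it can be unit-tested with a constructed ClaimsPrincipal.
    public static bool IsMemberOfGroup(ClaimsPrincipal user, SecurityIdentifier groupSid)
    {
        // Preferred path: the token-backed WindowsPrincipal evaluates membership, nested groups included.
        if (user.Identity is WindowsIdentity windowsIdentity)
            return new WindowsPrincipal(windowsIdentity).IsInRole(groupSid);
        // Fallback: an identity that is not a WindowsIdentity but still carries the token's GroupSid claims.
        return user.HasClaim(c => c.Type == ClaimTypes.GroupSid && c.Value == groupSid.Value);
    }
}

// Startup wiring (ConfigureServices), in place of the RoleRequirement/RoleHandler registration above:
//   services.AddAuthentication(IISDefaults.AuthenticationScheme);
//   services.AddAuthorization(o => o.AddPolicy("Super User Role", p =>
//   {
//       p.AddAuthenticationSchemes(IISDefaults.AuthenticationScheme);
//       p.Requirements.Add(new GroupSidRequirement(Configuration["Security:AllowedGroup"]));
//   }));
//   services.AddSingleton<IAuthorizationHandler, GroupSidHandler>();
```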