I'm trying to make a custom authorization attribute in ASP.NET Core. In previous versions it was possible to override bool AuthorizeCore(HttpContextBase httpContext). But this no longer exists in AuthorizeAttribute.
What is the current approach to make a custom AuthorizeAttribute?
What I am trying to accomplish: I am receiving a session ID in the Header Authorization. From that ID I'll know whether a particular action is valid.
Recommended answer
The approach recommended by the ASP.Net Core team is to use the new policy design which is fully documented here. The basic idea behind the new approach is to use the new [Authorize] attribute to designate a "policy" (e.g. [Authorize( Policy = "YouNeedToBe18ToDoThis")] where the policy is registered in the application's Startup.cs to execute some block of code (i.e. ensure the user has an age claim where the age is 18 or older).
The policy design is a great addition to the framework and the ASP.Net Security Core team should be commended for its introduction. That said, it isn't well-suited for all cases. The shortcoming of this approach is that it fails to provide a convenient solution for the most common need of simply asserting that a given controller or action requires a given claim type. In the case where an application may have hundreds of discrete permissions governing CRUD operations on individual REST resources ("CanCreateOrder", "CanReadOrder", "CanUpdateOrder", "CanDeleteOrder", etc.), the new approach either requires repetitive one-to-one mappings between a policy name and a claim name (e.g. `options.AddPolicy("CanUpdateOrder", policy => policy.RequireClaim(MyClaimTypes.Permission, "CanUpdateOrder"));`), or writing some code to perform these registrations at run time (e.g. read all claim types from a database and perform the aforementioned call in a loop). The problem with this approach for the majority of cases is that it's unnecessary overhead.
While the ASP.Net Core Security team recommends never creating your own solution, in some cases this may be the most prudent option with which to start.
The following is an implementation which uses the IAuthorizationFilter to provide a simple way to express a claim requirement for a given controller or action:
```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public class ClaimRequirementAttribute : TypeFilterAttribute
{
    public ClaimRequirementAttribute(string claimType, string claimValue)
        : base(typeof(ClaimRequirementFilter))
    {
        // Handed to ClaimRequirementFilter's constructor by the TypeFilter factory
        Arguments = new object[] { new Claim(claimType, claimValue) };
    }
}

public class ClaimRequirementFilter : IAuthorizationFilter
{
    readonly Claim _claim;

    public ClaimRequirementFilter(Claim claim)
    {
        _claim = claim;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // Exact type/value match against the current principal's claims
        var hasClaim = context.HttpContext.User.Claims.Any(c => c.Type == _claim.Type && c.Value == _claim.Value);
        if (!hasClaim)
        {
            context.Result = new ForbidResult();
        }
    }
}

// MyClaimTypes.Permission is the application's own claim-type constant (not defined in the answer)
[Route("api/resource")]
public class MyController : Controller
{
    [ClaimRequirement(MyClaimTypes.Permission, "CanReadResource")]
    [HttpGet]
    public IActionResult GetResource()
    {
        return Ok();
    }
}
```
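The one-to-one `AddPolicy` registration overhead the answer describes can also be avoided while staying inside the policy design, by generating a policy on demand from the attribute's permission name through a custom `IAuthorizationPolicyProvider`. This is an added example, not code from the answer; `MyClaimTypes`, `HasPermissionAttribute`, `PermissionPolicyProvider` and the `"Permission:"` prefix are assumed names.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Assumed application claim type; the answer references MyClaimTypes.Permission but does not define it.
public static class MyClaimTypes
{
    public const string Permission = "Permission";
}

// [HasPermission("CanReadOrder")] is shorthand for [Authorize(Policy = "Permission:CanReadOrder")].
public class HasPermissionAttribute : AuthorizeAttribute
{
    public const string Prefix = "Permission:";
    public HasPermissionAttribute(string permission) : base(Prefix + permission) { }
}

// Builds "Permission:*" policies on demand, so no per-permission AddPolicy() call is needed.
// Any other policy name falls through to the default provider (policies registered in Startup).
public class PermissionPolicyProvider : IAuthorizationPolicyProvider
{
    private readonly DefaultAuthorizationPolicyProvider _fallback;
    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options)
    {
        _fallback = new DefaultAuthorizationPolicyProvider(options);
    }

    public Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        if (!policyName.StartsWith(HasPermissionAttribute.Prefix))
            return _fallback.GetPolicyAsync(policyName);
        var permission = policyName.Substring(HasPermissionAttribute.Prefix.Length);
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()                        // anonymous caller -> 401 challenge
            .RequireClaim(MyClaimTypes.Permission, permission) // claim missing    -> 403 forbid
            .Build();
        return Task.FromResult(policy);
    }

    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _fallback.GetDefaultPolicyAsync();
    public Task<AuthorizationPolicy> GetFallbackPolicyAsync() => _fallback.GetFallbackPolicyAsync();
}

// Startup.ConfigureServices: services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
[Route("api/resource")]
public class MyController : Controller
{
    [HasPermission("CanReadResource")]
    [HttpGet]
    public IActionResult GetResource() => Ok();
}
```

Because the check runs through the authorization middleware, an unauthenticated caller gets a challenge rather than the single `ForbidResult` the filter above returns for both cases.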