基于资源的ASP.NET授权FormsAuthentication和WebApi
[英]Resource based ASP.NET Authorization FormsAuthentication and WebApi
问题描述
Using webapi with formsauthentication (i know may sound weird, but it exactly what I need). 
使用带有表单身份验证的webapi(我知道这听起来很奇怪,但这正是我所需要的)。
I have a route like : 我有一条路线像:
[Route("{application}/orders}"]
public IHttpActionResult Get(string application) {
var orders = OrderService.GetOrders(application); // return list of orders of applicaiton.
return Ok(orders);
}
Example scenario : User John has permission to see orders for application "CoolApp" User Leia has permission to see orders for application "Robin" user Tristan doesn't have permission to see orders. 示例场景:John用户有权查看应用程序“ CoolApp”的订单Leia用户有权查看应用程序“ Robin”的订单,用户Tristan无权查看命令。
On the DB is like a Role - Resource relationship. 在数据库上就像角色-资源关系。 UserRole: UserRole的:
User - Role - Application
=====================================
John - OrdersManager - CoolApp
Leia - OrdersManager - Robin
Tristan - OtherRole - Robin
I want that route to check if the user has permission to get orders of that specific application. 我希望该路线检查用户是否有权获取该特定应用程序的订单。
I read this: Resource based authorization in .net and looks promising. 我读到以下内容: .net中基于资源的授权 ,看起来很有希望。
First thing is I'm not sure if I should extend using AuthorizeAttribute , AuthorizationFilterAttribute or IAuthorizationFilter as briefly explained here http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api unfortunately, is not of much information. 第一件事是我不确定是否应该使用AuthorizeAttribute , AuthorizationFilterAttribute或IAuthorizationFilter扩展, IAuthorizationFilter简要说明的http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-不幸的是, web-api的信息并不多。
Second I read that binding happens AFTER the authorization so I don't know how to get the values from the RouteData since I have the {application} defined on the route data I guess I should be able to access it. 其次,我读到绑定是在授权后发生的,所以我不知道如何从RouteData获取值,因为我在路由数据上定义了{application},我想我应该可以访问它。 There are few examples for MVC, but was not able to get one for web api and with object like request and context all over the actionContext object I'm not sure where to get it and how in a proper way. MVC的例子很少,但是无法为Web api获取一个例子,并且在整个actionContext对象上都没有诸如请求和上下文之类的对象,我不确定从何处以及如何正确获取它。
And last but not least, what method of the chosen extension point(s) should I override. 最后但并非最不重要的一点是,我应该覆盖所选扩展点的哪种方法。 If it have both async and sync, should I override both ? 如果它既有异步又有同步,是否应该同时覆盖这两个?
BONUS: Since the authorize will have a dependency on my repository , would be great to know how to inject that into the filter if that's even possible. 奖励:由于授权将依赖于我的repository ,因此,即使有可能,知道如何将其注入过滤器也将是一件很棒的事情。 (I'm not using any IoC container). (我没有使用任何IoC容器)。
1 个解决方案
解决方案1
1 已采纳 2014-07-22 18:40:37
Overriding AuthorizationFilterAttribute would probably be the better route. 覆盖AuthorizationFilterAttribute可能是更好的方法。 What you'd want to do is pass the attributes you want to check for: 您想要做的就是传递要检查的属性:
public class MyAuthorizeAttribute : AuthorizeAttribute
{
string role;
string application
public MyAuthorizeAttribute (string role, string application){
this. role = roles;
this.application = application;
}
protected override bool IsAuthorized(HttpActionContext actionContext) {
var routeData = actionContext.ControllerContext.RouteData;
//do your checks
}
}
you can get access to routedata from the HttpActionContext in the IsAuthorized method. 您可以通过IsAuthorized方法中的HttpActionContext访问routedata。 Now you can attach the attribute to your ApiController or Action Method. 现在,您可以将属性附加到ApiController或Action Method。
I'd suggest using an IoC container is you want to do DI with an Web API ActionFilter 我建议使用IoC容器是否要使用Web API ActionFilter进行DI
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.