ASP.NET Web API中基于角色的授权-如何在主体上设置角色?
[英]Role-based authorization in ASP.NET Web API - how to set roles on the principal?
问题描述
I am using recipe 10-3 in the newly released book ASP.NET Web Api 2 Recipes to support basic authentication in my Web API. 
我在新发行的《 ASP.NET Web Api 2食谱》中使用食谱10-3,以支持Web API中的基本身份验证。 This recipe utilizes a 3rd party library from Thinktecture. 该食谱使用了Thinktecture的第3方库。 As seen from the below code, I am authentication the user against my own account service. 从下面的代码可以看出,我正在根据自己的帐户服务对用户进行身份验证。
using Thinktecture.IdentityModel.WebApi.Authentication.Handler;
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
...
var authenticationConfiguration = new AuthenticationConfiguration();
var accountService = ServiceLocator.Get<AccountService>();
authenticationConfiguration.AddBasicAuthentication((userName, password) => accountService.Authenticate(userName, password));
config.MessageHandlers.Add(new AuthenticationHandler(authenticationConfiguration));
...
}
}
Now I want to make role-based authorization in my controllers using the Authorize attribute: 现在,我想使用Authorize属性在控制器中进行基于角色的授权:
[Authorize(Roles="administrator")]
public IHttpActionResult Get()
{
...
}
My account service obviously knows about the users and their assigned roles, but this information is not available to the Authorize attibute (the roles are not set on the principal). 我的帐户服务显然知道用户及其分配的角色,但是“授权”权限不可用此信息(角色未在主体上设置)。
How do I accomplish this? 我该如何完成? Can the Thinktecture authentication handler be configured to set the roles on the principal? 是否可以将Thinktecture身份验证处理程序配置为在主体上设置角色? Or should I make my own custom Authorize attribute (deriving from the Authorize attribute)? 还是我应该制作自己的自定义Authorize属性(从Authorize属性派生)? And if so, should I override the OnAuthorization method to create and set the principal using my account service? 如果是这样,我是否应该重写OnAuthorization方法来使用我的帐户服务创建和设置主体? Or maybe override the IsAuthorized method directly? 还是直接重写IsAuthorized方法? Or maybe something else... 也许还有别的...
2 个解决方案
解决方案1
3 2014-08-30 09:09:20
The AuthenticationHandler only does authentication. AuthenticationHandler仅执行身份验证。 You'd need to set the roles in a separate step (eg in a delegating handler). 您需要在单独的步骤中设置角色(例如,在委派处理程序中)。
If you are on Web API v2 - I'd rather recommend switching to the basic auth OWIN middleware 如果您使用的是Web API v2,则建议您切换到基本的auth OWIN中间件
https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/source/Thinktecture.IdentityModel.Owin.BasicAuthentication https://github.com/thinktecture/Thinktecture.IdentityModel/tree/master/source/Thinktecture.IdentityModel.Owin.BasicAuthentication
This gives you full control over the principal that gets created. 这使您可以完全控制要创建的主体。
https://github.com/thinktecture/Thinktecture.IdentityModel/blob/master/samples/OWIN/AuthenticationTansformation/KatanaAuthentication/Startup.cs https://github.com/thinktecture/Thinktecture.IdentityModel/blob/master/samples/OWIN/AuthenticationTansformation/KatanaAuthentication/Startup.cs
There is also a nuget. 还有一个小事。
解决方案2
2 已采纳 2014-08-30 22:27:31
I found out that the AddBasicAutentication method actually has an overload that takes a delegate for providing the roles. 我发现AddBasicAutentication方法实际上有一个重载,该重载需要委托来提供角色。 This is exactly what I was looking for. 这正是我想要的。 So now the call to AddBasicAuthentication looks like this, and everything works like a charm: 因此,现在对AddBasicAuthentication的调用看起来像这样,并且一切工作都像一个超级按钮:
authenticationConfiguration.AddBasicAuthentication((userName, password) => accountService.Authenticate(userName, password), (username) => accountService.GetRoles(username));
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.