[英]User.IsInRole is always false when using IIS Express / Kestrel in ASP.Net 5 with Windows Authentication
I have an ASP.Net 5 application using version 1.0.0-rc1-update1 with Windows Authentication.我有一个 ASP.Net 5 应用程序,使用版本 1.0.0-rc1-update1 和 Windows 身份验证。 I've implemented a custom policy in my Startup.cs file:我在 Startup.cs 文件中实施了自定义策略:
public void ConfigureServices(IServiceCollection services)
{
// ... other configuration code
var viewCharts = new AuthorizationPolicyBuilder()
.AddRequirements(new ViewChartsRequirement())
.Build();
collection.AddAuthorization(opts =>
{
opts.AddPolicy(Policy.ViewCharts, viewCharts);
});
collection.AddTransient<IAuthorizationHandler, ViewChartsHandler>();
// ... other configuration code
}
The ViewChartsHandler
's Handle
method is as follows: ViewChartsHandler
的Handle
方法如下:
protected override void Handle(
AuthorizationContext context,
T requirement)
{
var identities = _securityRepo.GetIdentitiesForPolicy(_policy);
// this returns a result when using a web listener, but
// never finds a match when using IIS Express
var matchingIdentity = identities.FirstOrDefault(role => context.User.IsInRole(role));
if (!string.IsNullOrWhiteSpace(matchingIdentity))
{
context.Succeed(requirement);
}
}
When using a web listener as shown in this answer , the code above works.使用此答案中所示的网络侦听器时,上面的代码有效。 However, when using IIS Express it never finds a matchingIdentity
.但是,在使用 IIS Express 时,它永远找不到matchingIdentity
。
Things to note:注意事项:
Handle
code above, context.User
is an instance of System.Security.Principal.WindowsPrincipal
when using a web listener, but when using IIS Express it is a System.Security.Claims.ClaimsPrincipal
.在上面的Handle
代码中, context.User
在使用 Web 侦听器时是System.Security.Principal.WindowsPrincipal
的实例,但在使用 IIS Express 时它是System.Security.Claims.ClaimsPrincipal
。forwardWindowsAuthToken="true"
set in my web.config.我在 web.config 中设置了forwardWindowsAuthToken="true"
。I think this is a role provider problem, but I am at a loss as to how to correct it.我认为这是角色提供者的问题,但我不知道如何纠正它。
I'm using the following code to successfully check for role membership on RC1, however note that it does not resolve group names (probably due to the problems referred to by @blowdart), I have to supply the group names as SIDs:我正在使用以下代码成功检查 RC1 上的角色成员资格,但请注意,它无法解析组名(可能是由于@blowdart 提到的问题),我必须提供组名作为 SID:
// Set up authorisation policies from the configured AD group lists.
// NOTE: Currently this only works with SIDs if hosting using Kestrel
// behind IIS, not friendly group names.
var viewerGroups = Configuration.GetSection("Groups:Viewer").Value.Split(',');
var adminGroups = Configuration.GetSection("Groups:Admin").Value.Split(',');
services.AddAuthorization(auth =>
{
auth.AddPolicy("viewer", policy =>
{
policy.RequireRole(viewerGroups);
});
auth.AddPolicy("admin", policy =>
{
policy.RequireRole(adminGroups);
});
});
I don't know if this will help you, but I thought I'd offer it up in case!我不知道这是否对你有帮助,但我想我会提供它以防万一!
Did you add the IISPlatformHandler middleware?您是否添加了 IISPlatformHandler 中间件?
app.UseIISPlatformHandler();
This needs to be ran before app.UseMvc(), app.UseStaticFiles() or any other authentication middleware.这需要在 app.UseMvc()、app.UseStaticFiles() 或任何其他身份验证中间件之前运行。
It turns out that User.IsInRole
does not function correctly in RC1.事实证明User.IsInRole
在 RC1 中不能正常工作。 (See @blowdart's comments.) This will be fixed in RC2. (请参阅@blowdart 的评论。)这将在 RC2 中修复。
The original code will work so long as the line below returns the SIDs for each AD group , as opposed to the friendly names.只要下面的行返回每个 AD 组的 SID ,而不是友好名称,原始代码就可以工作。
// This line must return SIDs instead of friendly names
var identities = _securityRepo.GetIdentitiesForPolicy(_policy);
This was fixed in RC2.这是在 RC2 中修复的。 The original code works!原始代码有效!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.