ServiceStack - Access to the request DTO when using the built-in auth feature?

I'm implementing a web service using ServiceStack and have hit a snag with authorization.

Our auth system provides a "per-organization" list of permissions that a user has, with every request DTO then having a mandatory "OrganizationId" property to which the request pertains. That request can only be fulfilled if the user has the corresponding permission for that specific organization.

The authorization callbacks in ServiceStack (IsAuthorized, HasRole, HasPermission, etc) do not seem to allow for access to the request DTO, which means I cannot pull out the OrganizationId for the auth check. The service is running standalone so I cannot access the request DTO through HttpContext, HostContext et al.

I can implement my own auth layer using a global request filter, but would obviously prefer to re-use what is already there if at all possible. Is there any way in which I can reliably and safely access the request DTO without having to re-invent the wheel on features that ServiceStack already provides?

The other approach I have looked at is implementing a global request filter in order to add the request DTO to the "Items" property of the request context, which I could then access from the auth callback routines. It's not the most elegant approach and feels a little dirty, but if it gets the job done I'll grit my teeth and implement it. I'm hoping there is a better way.

You can get the current Request DTO from the IRequest.Dto property but this isn't injected in the UserSession HasRole()/HasPermission() APIs.

The User's Session should set up the necessary information required for that User so ideally the Organization Id would be added as a Custom UserSession property. But if you have additional requirements that require inspecting each Request DTO then you would need to add your own Custom Logic either in a Global Request Filter or Filter Attribute.
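
One way the Global Request Filter route from the answer could look, as an added example that is not code from the post or from the ServiceStack project. `IHasOrganizationId`, `RequiresOrgPermissionAttribute`, `OrgUserSession` and `OrgAuthorization` are hypothetical names, and the `int` type of `OrganizationId` is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Reflection;
using System.Runtime.Serialization;
using ServiceStack;
using ServiceStack.Web;

// Hypothetical marker types: the post only says every request DTO carries an OrganizationId.
public interface IHasOrganizationId { int OrganizationId { get; } }

[AttributeUsage(AttributeTargets.Class)]
public class RequiresOrgPermissionAttribute : Attribute
{
    public string Permission { get; }
    public RequiresOrgPermissionAttribute(string permission) => Permission = permission;
}

// Custom session holding the per-organization permission lists, filled in at login.
// Register it with: new AuthFeature(() => new OrgUserSession(), ...)
[DataContract]
public class OrgUserSession : AuthUserSession
{
    [DataMember]
    public Dictionary<int, HashSet<string>> OrgPermissions { get; set; }
        = new Dictionary<int, HashSet<string>>();
}

public static class OrgAuthorization
{
    // Call from AppHost.Configure(): OrgAuthorization.Register(this);
    public static void Register(IAppHost appHost) =>
        appHost.GlobalRequestFilters.Add((req, res, dto) =>
        {
            var rule = dto.GetType().GetCustomAttribute<RequiresOrgPermissionAttribute>();
            if (rule == null) return; // DTO is not subject to per-organization checks

            var session = req.GetSession() as OrgUserSession;
            if (session == null || !session.IsAuthenticated) { Deny(res, HttpStatusCode.Unauthorized); return; }

            // Fail closed: a marked DTO that exposes no OrganizationId is rejected.
            var allowed = dto is IHasOrganizationId scoped
                && session.OrgPermissions.TryGetValue(scoped.OrganizationId, out var perms)
                && perms.Contains(rule.Permission);
            if (!allowed) Deny(res, HttpStatusCode.Forbidden);
        });

    static void Deny(IResponse res, HttpStatusCode status) { res.StatusCode = (int)status; res.EndRequest(); }
}
```

The permission lists are read from the session rather than from anything the client sends, so the only request-supplied value in the decision is the `OrganizationId` being checked.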
