[英]Force ASP.Net claims validation after they have been changed
I'm developing an ASP.Net application with OWIN and currently I have a problem with claims. 我正在用OWIN开发ASP.Net应用程序,目前我对索赔有疑问。 I have two levels of application: basic and advanced.
我有两个级别的应用程序:基本和高级。 Some features are available for advanced users only.
某些功能仅适用于高级用户。 So I check claims, and if user doesn't have claim
advanced
I return 403. But here I found the workaround which ruins this system: 因此,我检查了索赔,如果用户没有提出
advanced
索赔,则返回403。但是在这里,我发现了变通方法,该系统使该系统崩溃了:
I'm trying to find some fine solution for this situation but I have no ideas except set 1 minute timeout
or always check AspNetUserClaims instead of cookie
and so on, but they don't work in my case because he can activate a lifetime feature in this one minute interval and then use it forever. 我正在尝试为这种情况找到一些好的解决方案,但是除了
set 1 minute timeout
或always check AspNetUserClaims instead of cookie
之外,我没有其他想法,但是在我的情况下它们不起作用,因为他可以激活以下功能:间隔一分钟,然后永久使用。
But i'd like to set some server-side flag like oops, this guy have just changed his cookies, check it from database
or something to lower database roundtrips for common API calls. 但是我想设置一些服务器端标志,例如
oops, this guy have just changed his cookies, check it from database
或者oops, this guy have just changed his cookies, check it from database
以降低通用API调用的数据库往返次数。
Is there any standard default way to do it? 是否有任何标准的默认方法? Or maybe I have just chosen a wrong instrument?
或者也许我只是选择了错误的乐器?
You Need to send update cookies according to your claim value. 您需要根据您的索赔价值发送更新cookie。
Below is code to update your claim value. 以下是更新您的索赔价值的代码。
Inside your action when user disable/enable advanced mode, Then update user claims
. 当用户禁用/启用高级模式时在您的操作内,然后更新用户
claims
。
var isAdvanced= "1";
var identity = (ClaimsIdentity)User.Identity;
// check if claim exist or not.
var existingClaim = identity.FindFirst("IsAdvanced");
if (existingClaim != null)
identity.RemoveClaim(existingClaim);
// add/update claim value.
identity.AddClaim(new Claim("IsAdvanced", isAdvanced));
IOwinContext context = Request.GetOwinContext();
var authenticationContext = await context.Authentication.AuthenticateAsync(DefaultAuthenticationTypes.ExternalCookie);
if (authenticationContext != null)
{
authenticationManager.AuthenticationResponseGrant = new AuthenticationResponseGrant(identity,authenticationContext.Properties);
}
As soon as you will made a redirection, you will get your get updated claim value, hence you don't need to make database round trip. 重定向后,您将获得更新的声明值,因此无需进行数据库往返。
Unfortunly, the only way I found is actually query DB itself and check if user has valid credentials: 不幸的是,我发现的唯一方法实际上是查询数据库本身,并检查用户是否具有有效的凭据:
public bool HasRequiredClaims(string[] requiredClaims)
{
using (var context = new ApplicationDbContext())
{
int actualNumberOfClaims = context.Users
.SelectMany(x => x.Claims)
.Count(c => requiredClaims.Contains(c.ClaimValue)); // claim values are unique per user (in my case) so I don't have to filter on user
return actualNumberOfClaims == claimsValuesToSearch.Length;
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.