[英]ASP.NET Core Authorize AD Groups through web.config
In my old .NET MVC app, I could enable Windows Authentication in IIS and disable anonymous.在我旧的 .NET MVC 应用程序中,我可以在 IIS 中启用 Windows 身份验证并禁用匿名。 Then in my web.config
file I just had to put in this:然后在我的web.config
文件中,我只需要输入:
<authorization>
<allow roles="Domain\MyADGroupToHaveAccess" />
<deny users="*" />
</authorization>
In .NET Core 2.0 this will not work – it denies anonymous correctly, but it authorizes all users no matter what.在 .NET Core 2.0 中这是行不通的——它正确地拒绝匿名,但无论如何它都会授权所有用户。
If I do this:如果我这样做:
[Authorize(Roles = "Domain\\MyADGroupToHaveAccess")]
on my HomeController
, it works, but I don't want to hardcode this setting in my project as it's something that needs to be changed for other environments.在我的HomeController
,它可以工作,但我不想在我的项目中硬编码这个设置,因为它需要针对其他环境进行更改。
How can I make web.config
to work with AD Authorization?如何使web.config
与 AD 授权一起使用? Or is there another way to not hardcode this setting in ASP.NET Core?还是有另一种方法可以不在 ASP.NET Core 中硬编码此设置?
I solved this by making it into a policy which is able to call appsettings.json
. 我通过将其变成一个能够调用appsettings.json
的策略来解决这个问题。 This way other people who have access to the server can then edit the group to their own. 这样,有权访问服务器的其他人可以将组编辑为自己的组。
In Startup.cs
: 在Startup.cs
:
services.AddAuthorization(options =>
{
options.AddPolicy("ADRoleOnly", policy => policy.RequireRole(Configuration["SecuritySettings:ADGroup"]));
});
services.AddMvc(config =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
config.Filters.Add(new AuthorizeFilter(policy));
});
In appsettings.json
(or perhaps appsettings.production.json
if you have different): 在appsettings.json
(或者如果你有不同的话,也可能是appsettings.production.json
):
"SecuritySettings": {
"ADGroup": "YourDomain\\YourADGroup"
}
In your controllers you can then decorate it with this attribute: 在您的控制器中,您可以使用以下属性对其进行装饰:
[Authorize(Policy = "ADRoleOnly")]
Hope this can help other people 希望这可以帮助其他人
I have still to figure out how to apply this policy globally, so I don't have to authorize every controller, I'd figure it can be done in the services.AddMvc
somehow? 我还要弄清楚如何在全球范围内应用这个策略,所以我不必授权每个控制器,我想它可以在services.AddMvc
以某种方式完成?
To expand on Morten_564834's answer, here is our approach for this problem. 为了扩展Morten_564834的答案,这是我们处理这个问题的方法。 Create a base controller that all controllers inherit from. 创建一个所有控制器继承的基本控制器。
[Authorize(Policy = "AdUser")]
public class FTAControllerBase : Controller
{
private readonly ApplicationDbContext _db;
private readonly ILogHandler _logger;
public FTAControllerBase(ApplicationDbContext DbContext, ILogHandler Logger, IWindowsAccountLinker WinAccountLinker)
{
_db = DbContext;
_logger = Logger;
/// get registered user via authenticated windows user.
//var user = WinAccountLinker.LinkWindowsAccount();
}
}
Then in your other controllers: 然后在你的其他控制器:
public class LettersController : FTAControllerBase
{ ... }
If you want granular permissions on methods: 如果您想要方法的细化权限:
[Authorize("GenerateLetterAdUser")]
[HttpGet]
public IActionResult Generate()
{
return View();
}
Startup.cs: Startup.cs:
// add authorization for application users
var section = Configuration.GetSection($"AuthorizedAdUsers");
var roles = section.Get<string[]>();
services.AddAuthorization(options =>
{
options.AddPolicy("AdUser", policy => policy.RequireRole(roles));
});
AppSettings.json: AppSettings.json:
"AuthorizedAdUsers": [
"domain\\groupname"
],
I was able to reproduce the web.config settings with the following:我能够使用以下内容重现 web.config 设置:
In Program.cs
:在Program.cs
:
builder.Services.AddAuthorization(options => {
builder.Configuration.GetSection("SecuritySettings").GetChildren().ToList().ForEach(
ss => options.AddPolicy(ss.Key, policy => policy.RequireRole(ss.Value))
);
options.FallbackPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.RequireRole(new string[] { builder.Configuration["SecuritySettings:Access"] })
.Build();
});
In appsettings.json
:在appsettings.json
:
"SecuritySettings": {
"Access": "YourDomain\\YourADGroup"
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.