
Authorization types in asp.net core

I am confused about which type of authorization to use in a project: claim-based or policy-based authorization. Does this depend on the project's security design, or are they the same? According to the Microsoft docs we can configure and use claims as follows:

private async Task CreateUserAndClaim(UserManager<IdentityUser> userManager, IdentityUser user)
{
    // Add the claim only once; the claim type must match what the policy and handler look for.
    var claimTypes = (await userManager.GetClaimsAsync(user)).Select(p => p.Type);
    if (!claimTypes.Contains("DateOfJoining"))
    {
        await userManager.AddClaimAsync(user, new Claim("DateOfJoining", "09/25/1984"));
    }
}

and then use this claim as follows:

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthorization(options =>
    {
        // Claim-based: succeeds if the user has a "DateOfJoining" claim, whatever its value.
        options.AddPolicy("IsAdminClaimAccess", policy => policy.RequireClaim("DateOfJoining"));
    });
}

[Authorize(Policy = "IsAdminClaimAccess")]
public IActionResult TestMethod1() => Ok();

and configure and use a policy as follows:

public class MinimumTimeSpendRequirement : IAuthorizationRequirement
{
    public MinimumTimeSpendRequirement(int noOfDays)
    {
        TimeSpendInDays = noOfDays;
    }

    // Public so the handler can read the threshold; the requirement only carries data.
    public int TimeSpendInDays { get; }
}

public class MinimumTimeSpendHandler : AuthorizationHandler<MinimumTimeSpendRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   MinimumTimeSpendRequirement requirement)
    {
        var claim = context.User.FindFirst(c => c.Type == "DateOfJoining");
        if (claim == null) return Task.CompletedTask; // no claim: requirement stays unmet

        var dateOfJoining = Convert.ToDateTime(claim.Value);
        if ((DateTime.UtcNow - dateOfJoining).TotalDays >= requirement.TimeSpendInDays)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthorization(options =>
    {
        ...
        ...
        options.AddPolicy("IsAdminPolicyAccess", policy => policy.Requirements.Add(new MinimumTimeSpendRequirement(365)));
    });

    // The handler must be registered, otherwise the requirement can never be satisfied.
    services.AddSingleton<IAuthorizationHandler, MinimumTimeSpendHandler>();
}

and then use this policy in my controller the same way as the claim. As you see, both do one thing: control by the user's join date. Which is better? Should I pay attention to speed and security here? Or are they both the same?

Claims are something that define the user; each one is a key-value pair.

Age : 30 | Sex : Male | Name : Bob Marley | Email : foo@kek.com

You get the picture. You can then implement an authorization check based on the claim and its value.

Further

You can define a policy. A policy is something you need to abide by in order to get access. It can consist of multiple claim checks.

So you can make a policy, IsMaleAndOver18, that would require the user to have 2 claims: Age, where the value is over 18, and Sex, where the value is Male.

When implementing them they may look similar in code, but in reality they are very different.
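The IsMaleAndOver18 policy from the answer above, as an added example that is not part of the original question or answer. It builds the same rule twice, once from pure claim checks (RequireClaim plus RequireAssertion) and once from a requirement with its own handler, then evaluates both policies offline against constructed ClaimsPrincipals through IAuthorizationService. It assumes a console project that references the Microsoft.AspNetCore.Authorization and Microsoft.Extensions.Logging packages; the claim type names "Age" and "Sex" follow the answer, and the class and policy names are chosen here for illustration.

```csharp
// Added example (not from the original question or answer): the answer's IsMaleAndOver18 rule
// expressed as pure claim checks and as a requirement + handler, evaluated against
// constructed users. Assumes the Microsoft.AspNetCore.Authorization and
// Microsoft.Extensions.Logging packages are referenced.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Policy-based: the requirement carries the parameter, the handler performs the check.
public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   MinimumAgeRequirement requirement)
    {
        var ageClaim = context.User.FindFirst("Age");
        // Fail closed: a missing or non-numeric Age claim never satisfies the requirement.
        if (ageClaim != null && int.TryParse(ageClaim.Value, out var age) && age >= requirement.MinimumAge)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class Program
{
    public static IAuthorizationService BuildAuthorizationService()
    {
        var services = new ServiceCollection();
        services.AddLogging(); // DefaultAuthorizationService needs an ILogger

        // AddAuthorizationCore is the package-only form; in a web app AddAuthorization does the same.
        services.AddAuthorizationCore(options =>
        {
            // Claim-based: RequireClaim matches type (and optional exact values) only,
            // so "over 18" needs RequireAssertion to parse and compare the value.
            options.AddPolicy("IsMaleAndOver18Claims", policy => policy
                .RequireClaim("Sex", "Male")
                .RequireAssertion(ctx =>
                {
                    var ageClaim = ctx.User.FindFirst("Age");
                    return ageClaim != null && int.TryParse(ageClaim.Value, out var age) && age > 18;
                }));

            // Requirement-based: same rule, but the age check is reusable and unit-testable on its own.
            options.AddPolicy("IsMaleAndOver18Policy", policy => policy
                .RequireClaim("Sex", "Male")
                .AddRequirements(new MinimumAgeRequirement(19)));
        });
        services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();

        return services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
    }

    // Constructed test principals; the authentication type marks the identity as authenticated.
    public static ClaimsPrincipal MakeUser(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "TestAuth"));

    public static async Task Main()
    {
        var auth = BuildAuthorizationService();
        var users = new (string Label, ClaimsPrincipal User)[]
        {
            ("male, 30",      MakeUser(new Claim("Sex", "Male"),   new Claim("Age", "30"))),
            ("male, 17",      MakeUser(new Claim("Sex", "Male"),   new Claim("Age", "17"))),
            ("female, 30",    MakeUser(new Claim("Sex", "Female"), new Claim("Age", "30"))),
            ("male, no age",  MakeUser(new Claim("Sex", "Male"))),
            ("male, bad age", MakeUser(new Claim("Sex", "Male"),   new Claim("Age", "thirty"))),
        };

        foreach (var policyName in new[] { "IsMaleAndOver18Claims", "IsMaleAndOver18Policy" })
        {
            Console.WriteLine(policyName);
            foreach (var (label, user) in users)
            {
                var result = await auth.AuthorizeAsync(user, resource: null, policyName);
                Console.WriteLine($"  {label,-14} -> {(result.Succeeded ? "allowed" : "denied")}");
            }
        }
    }
}
```

Both policies allow only the first user and deny the other four, including the user whose Age claim is not a number. The practical difference is where the logic lives: the RequireAssertion lambda is bound to one policy, while MinimumAgeRequirement and its handler can be reused by any policy and tested without the policy machinery.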
