[英]How do you create a custom Policy AuthorizeAttribute in ASP.NET Core?
I'm working on an intranet app(login by AD), which need authorize rights by users' department,title,or others information in AD. 我正在开发一个Intranet应用程序(通过AD登录),该应用程序需要按用户部门的授权权限,标题或AD中的其他信息。
In MS Docs, it seems that i should use Claims-based authorization( https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-2.2 ). 在MS Docs中,看来我应该使用基于声明的授权( https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-2.2 )。
As you can image, some page should be authorized by different department, as the link said, what i can do is add several department Policies, but it's boring, because i have dozens of departments. 如您所见,某些页面应由不同部门授权,如链接所示,我可以做的是添加多个部门策略,但这很无聊,因为我有数十个部门。
What can i do to implement like this or something else: 我可以做些什么来实现这样的目标?
[Authorize(Policy = "Department" , Value = "Finance")]
[Authorize(Policy = "Title" , Value = "VP")]
Thanks in advance. 提前致谢。
You're looking for policy-based authorization . 您正在寻找基于策略的授权 。
A policy consists of one or more requirements which you can define by implementing the IAuthorizationRequirement
interface. 一个策略由一个或多个需求组成 ,您可以通过实现
IAuthorizationRequirement
接口来定义。 Then you create an AuthorizationHandler<T>
where you validate the current context against the given requirement. 然后,创建一个
AuthorizationHandler<T>
,在其中根据给定的要求验证当前上下文。 In your case that is validating whether the current user is part of the required department specified in the [Authorization]
attribute. 在您的情况下,这将验证当前用户是否是
[Authorization]
属性中指定的必需部门的一部分。 If you want more control or have more specific authorization logic, you can implement a IAuthorizationHandler
to handle multiple requirements at once. 如果您需要更多控制权或具有更特定的授权逻辑,则可以实现
IAuthorizationHandler
来一次处理多个需求。
I suggest you take a look at the documentation for implementing and registering policies with their requirements and handlers. 我建议您看一下有关实施和注册策略及其要求和处理程序的文档。
In addition to what Henk said, you can use an external policy-based framework such as xacml or alfa . 除了Henk所说的之外,您还可以使用基于外部策略的框架,例如xacml或alfa 。 The end result is similar to what Henk wrote but it's policy-based rather than code-based (using
IAuthorizationRequirement
). 最终结果类似于Henk编写的内容,但它是基于策略的,而不是基于代码的(使用
IAuthorizationRequirement
)。
A policy looks like plain old English. 一项政策看起来像普通的英语。
policyset documents{
target clause objectType == "document"
apply firstApplicable
policy employees{
target clause user.role == "employee"
apply firstApplicable
/**
* Employees can create documents in their own company
*/
rule createDocument{
target clause action.actionId=="create"
condition user.company==resource.company
permit
}
/**
* Employees can delete documents they own
*/
rule allowDelete{
target clause action.actionId == "delete"
condition user.userId == resource.owner
permit
}
}
}
You then need to deploy the policy to your authorization engine / policy decision point and you invoke it from an interceptor within your app. 然后,您需要将策略部署到授权引擎/策略决策点,然后从应用程序内的拦截器中调用它。 Doing it this way keeps business logic (the app) separate from authorization logic (the policies).
这样可以使业务逻辑(应用程序)与授权逻辑(策略)分离。 It also means that you can reuse the same policies / authorization across your apps no matter the language and across your stack (API, app, DB...)
这也意味着您可以在各种应用程序中重复使用相同的策略/授权,无论其语言和堆栈(API,应用程序,数据库...)如何
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.