[英]Role based authorization in ASP.Core 3: how to grant access everywhere to certain role?
I am writing a ABAC system in which I will decide if a user can access to certain data based on some roles/atributes/etc.我正在编写一个 ABAC 系统,我将在其中决定用户是否可以根据某些角色/属性/等访问某些数据。 However, there is a special kind of user (something like superadministrator) who should be able to access everything, everywhere, always.但是,有一种特殊类型的用户(类似于超级管理员)应该能够随时随地访问所有内容。 I don't want to go through all policies, controllers, actions and methods and add a check on this specific role.我不想检查所有策略、控制器、操作和方法,并添加对这个特定角色的检查。 Is there a way to do it in a more centralized way?有没有办法以更集中的方式做到这一点? (for example: in the startup
). (例如:在startup
)。
If it is not possible to add it to a global place, I was thinking on adding it at least globally on a controller level: I was looking here and I saw that the decorator [Authorize(Roles = "Administrator")]
lets you restrict the access to a certain method/class just to Administrator users.如果不可能将它添加到全局位置,我正在考虑至少在控制器级别全局添加它:我在看这里,我看到装饰器[Authorize(Roles = "Administrator")]
允许您限制只有管理员用户才能访问某个方法/类。 However, I want kind of "the opposite".但是,我想要一种“相反的”。 I mean something like an AuthorizeAlways
that had the following behaviour:我的意思是像AuthorizeAlways
那样具有以下行为:
[AuthorizeAlways(Roles = "SuperAdministrator")]
public class ControlPanelController : Controller
{
[Authorize(Roles = "SetterUser")]
public ActionResult SetTime()
{
}
[Authorize(Roles = "PowerUser")]
[MinimumAgeAuthorize(50)]
public ActionResult ShutDown()
{
}
}
In this case I'd like that SuperAdministrator
(even if they are 49 years old) has access to everywhere.在这种情况下,我希望SuperAdministrator
(即使他们已经 49 岁)可以访问任何地方。 A SetterUser
has access only to SetTime
and only a PowerUser
who is older than 50 years old can access ShutDown
.一个SetterUser
只能访问SetTime
,只有PowerUser
谁是年龄超过50岁即可进入ShutDown
。
I don't know if this makes much sense.我不知道这是否有意义。 Is it possible?是否可以? Where could I do it?我在哪里可以做? Thanks!谢谢!
This blog post provides a good tutorial for how to implement custom authorization: https://seanspaniel.wordpress.com/2019/12/13/custom-authorization-in-asp-net-core-3/这篇博文提供了一个关于如何实现自定义授权的好教程: https : //seanspaniel.wordpress.com/2019/12/13/custom-authorization-in-asp-net-core-3/
From that tutorial, in the CustomAuthorizationMiddleware class you could check for the "SuperAdministrator" role and grant access to every endpoint.在该教程中,在 CustomAuthorizationMiddleware 类中,您可以检查“超级管理员”角色并授予对每个端点的访问权限。
public static class CustomAuthorizationMiddleware
{
public static async Task Authorize(HttpContext httpContext, Func next)
{
var endpointMetaData = httpContext.GetEndpoint().Metadata;
bool hasCustomAuthorizeAttribute = endpointMetaData.Any(x => x is CustomAuthorizeAttribute);
if (!hasCustomAuthorizeAttribute)
{
await next.Invoke();
return;
}
CustomAuthorizeAttribute customAuthorizeAttribute = endpointMetaData
.FirstOrDefault(x => x is CustomAuthorizeAttribute) as CustomAuthorizeAttribute;
// Check if user has allowed role or super administrator role
bool isAuthorized = customAuthorizeAttribute.AllowedUserRoles
.Any(allowedRole => httpContext.User.IsInRole(allowedRole))
|| httpContext.User.IsInRole("SuperAdministrator");
if (isAuthorized)
{
await next.Invoke();
return;
}
httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await httpContext.Response.WriteAsync("unauthorized");
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.