
How can I secure Controllers in a Razor Class Library

I have developed some Admin functionality (EF logic, Controller, and Razor UI for Audit Logs actually) that I've packaged into a Razor Class Library (RCL) and created a NuGet package. I want this functionality available to users of the package, but I want to allow them to control the access security. I would usually decorate the Controller with an Authorize Attribute, something like:

[Area("MyAuditLogPackage")]
[Authorize(Roles = "Admin")]
public class AuditLogController : Controller
...

But I don't want to presume the client's security policy, and Audit Logs are sensitive data.

They could derive their own controller from mine, but the original Route would still be in their default Area Mappings.

How can I give full control of this over to the package clients?

Rather than authorizing by Role, you could require that people using your code create custom security policies that are defined on startup. This would result in something like:

[Area("MyAuditLogPackage")]
[Authorize(Policy= "AuditControllerPolicy")]
public class AuditLogController : Controller
...

The policy approach is extremely flexible, so the policy might be a requirement that a user be in role Admin. It could also require other claims be present in the token, including custom claims. Check out Policy-based Authorization in Asp.Net Core.

This approach gives a user of your NuGet package complete flexibility, but many might find it burdensome. You might want to canvass a few to get their opinion first.
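As an added illustration of the answer above (not code from the answer or from the package in question), this is what the consuming app's Program.cs could look like when it supplies the "AuditControllerPolicy" the package's attribute refers to. The custom requirement and handler, the "permission" claim type and the cookie scheme are assumptions chosen for the example; they show why a custom requirement is sometimes needed, since chained builder calls such as RequireRole().RequireClaim() are AND-ed, while "Admin role OR an explicit permission claim" needs OR logic.

```csharp
// Program.cs of an app that references the audit-log NuGet package.
// Added example: the requirement, handler and claim names are assumptions.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Controllers and views from the referenced RCL are discovered automatically.
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();

// Authorization handlers are resolved through DI, so the custom one is registered here.
builder.Services.AddSingleton<IAuthorizationHandler, AuditLogAccessHandler>();

builder.Services.AddAuthorization(options =>
{
    // The policy that [Authorize(Policy = "AuditControllerPolicy")] in the package refers to.
    // The package only names the policy; what it means is decided entirely here.
    options.AddPolicy("AuditControllerPolicy", policy => policy
        .RequireAuthenticatedUser()
        .AddRequirements(new AuditLogAccessRequirement()));

    // Simplest alternative, for comparison (role AND claim, both required):
    // options.AddPolicy("AuditControllerPolicy", p => p.RequireRole("Admin").RequireClaim("department", "Security"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();   // must run before the endpoints are mapped
app.MapControllerRoute("areas", "{area:exists}/{controller=Home}/{action=Index}/{id?}");
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();

// Requirement: audit logs may be read by the Admin role OR by anyone holding an
// explicit "permission: audit:read" claim (assumed claim type and value).
public sealed class AuditLogAccessRequirement : IAuthorizationRequirement
{
    public string PermissionClaimType { get; } = "permission";
    public string PermissionValue { get; } = "audit:read";
}

public sealed class AuditLogAccessHandler : AuthorizationHandler<AuditLogAccessRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AuditLogAccessRequirement requirement)
    {
        ClaimsPrincipal user = context.User;
        if (user.IsInRole("Admin") ||
            user.HasClaim(requirement.PermissionClaimType, requirement.PermissionValue))
        {
            context.Succeed(requirement);
        }
        // No Fail(): an unmet requirement already denies access, whereas Fail()
        // would also veto any other handler that succeeded for this requirement.
        return Task.CompletedTask;
    }
}
```

The package ships no policy at all; if the consuming app forgets to register one under that name, the framework throws an InvalidOperationException at request time rather than silently allowing access, which is the safe failure mode for sensitive audit data.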

You can create an extension method to dynamically secure your Razor Class Library routes.

Definition:

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Builder;

    internal static class IEndpointConventionBuilderExtensions
    {
        // Attaches the given AuthorizeAttribute as endpoint metadata to every endpoint
        // the route produces. Passing null leaves the route without authorization metadata.
        // (The framework's built-in RequireAuthorization(...) extension does the same thing.)
        public static TBuilder AddAuthorization<TBuilder>(this TBuilder builder, AuthorizeAttribute? metadata = null)
            where TBuilder : IEndpointConventionBuilder
        {
            if (metadata != null)
            {
                builder.WithMetadata(metadata);
            }

            return builder;
        }
    }

Usage:

    app.MapControllerRoute(
            name: "MasterData",
            pattern: "{culture}/{area:exists}/{controller=Log}/{action=Index}/{dictionaryName?}/")
        .AddAuthorization(new AuthorizeAttribute("MasterData"));
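As an added example (not code from the answer above or from the package), here is a consuming app's Program.cs that applies the same idea with the framework's built-in RequireAuthorization, which attaches an AuthorizeAttribute to the route's endpoints exactly as the extension method above does by hand. The policy name, the area route and the cookie scheme are assumptions. Two points the usage snippet does not show: the metadata applies only to endpoints produced by that one conventional route, so the app's own routes are untouched, and a fallback policy catches any package endpoint that ends up with no authorization metadata at all.

```csharp
// Program.cs of an app that references the audit-log NuGet package.
// Added example: policy name, area route and authentication scheme are assumptions.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// The RCL's controllers and views are discovered from the referenced assembly.
builder.Services.AddControllersWithViews();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization(options =>
{
    // The policy is chosen by the consuming app; the package never names it.
    options.AddPolicy("AuditControllerPolicy", p => p.RequireRole("Admin"));

    // Defense in depth: an endpoint carrying no authorization metadata at all
    // (for example a package route mapped without a policy) requires an
    // authenticated user instead of being anonymous by default.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Route dedicated to the package's area. RequireAuthorization attaches an
// AuthorizeAttribute as metadata to every endpoint this conventional route
// produces, so the RCL's AuditLogController is protected without carrying any
// attribute of its own. It applies only to this pattern, not to the app's routes.
app.MapAreaControllerRoute(
        name: "AuditLogPackage",
        areaName: "MyAuditLogPackage",
        pattern: "MyAuditLogPackage/{controller=AuditLog}/{action=Index}/{id?}")
    .RequireAuthorization("AuditControllerPolicy");

// If the package's controllers were attribute-routed ([Route] on the class),
// conventional-route metadata would not reach them; it would have to go on
// app.MapControllers().RequireAuthorization("AuditControllerPolicy") instead.

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.Run();
```

Whether you use the hand-written extension or RequireAuthorization, UseAuthorization() has to sit after UseRouting() and before the endpoint mappings; otherwise the metadata is attached but never enforced.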
