How to authorize access to static files based on claims

Static files can require the user to be authenticated, as per the documentation.

I have not been able to find any info on restricting authorized access to static files according to specific claims.

E.g. users with claims "A" and "B" have access to folders A and B, whereas users with only claim "B" only have access to folder B.

How would I accomplish this "as easy as possible" with .NET 6.0 / webAPI / static files?

From the linked example:

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

You could build any policy you want by calling any of the .Require... methods. E.g.:


builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireClaim("name", "value")
        .Build();
});

Note that the fallback policy applies to all endpoints that don't have any [Authorize] metadata.

Instead, you will probably need to write some middleware to check your authorization rule for each path. Perhaps based on this sample.

The linked example demonstrates an interesting concept. Authorisation is based on endpoints, but the static file middleware just takes over the response without using endpoint routing. So what if we generated our own endpoint metadata based on the file provider:

.Use((context, next) => { SetFileEndpoint(context, files, null); return next(context); });

That's doable, but what if we just defined a fake endpoint?

app.UseAuthentication();
app.UseAuthorization();
app.UseStaticFiles();
app.UseEndpoints(endpoints => {
    // {**rest} is the catch-all route syntax; a bare "**" is not a valid pattern
    endpoints.MapGet("static/pathA/{**rest}",
        (context) => { context.Response.StatusCode = 404; return Task.CompletedTask; })
        .RequireAuthorization("PolicyA");
});

Of course you could map that dummy path to a controller.
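The middleware route the answer mentions, written out as an added example for the question's folder A / folder B scenario (this is not code from the answer or from the ASP.NET Core sample it links). It assumes cookie authentication and a claim of type "folder" whose value names the folder; both are assumptions, since the question does not say which scheme or claim layout is in use. Each protected URL prefix under wwwroot is mapped to a policy built with the same .Require... methods shown above, and the check runs before UseStaticFiles so no file is sent unless the policy passes:

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumption: cookie authentication. The question does not say which scheme is in use.
builder.Services.AddAuthentication("Cookies").AddCookie("Cookies");

// One policy per protected folder. The claim type "folder" and its values are an
// assumption for this example; substitute whatever your identity provider issues.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("FolderA", p => p.RequireClaim("folder", "A"));
    options.AddPolicy("FolderB", p => p.RequireClaim("folder", "B"));
});

var app = builder.Build();

// URL prefixes under wwwroot mapped to the policy that guards them.
// A user holding both claims passes both checks; a user with only "B" is forbidden under /static/A.
var protectedFolders = new Dictionary<PathString, string>
{
    [new PathString("/static/A")] = "FolderA",
    [new PathString("/static/B")] = "FolderB",
};

app.UseAuthentication();

// This check must sit before UseStaticFiles; once that middleware runs the file is already on its way.
app.Use(async (context, next) =>
{
    foreach (var (prefix, policy) in protectedFolders)
    {
        // StartsWithSegments matches whole path segments, so /static/AB does not match /static/A.
        if (!context.Request.Path.StartsWithSegments(prefix))
        {
            continue;
        }

        // Anonymous request: challenge (401 or login redirect) instead of revealing whether the file exists.
        if (context.User.Identity?.IsAuthenticated != true)
        {
            await context.ChallengeAsync();
            return;
        }

        // Evaluate the folder's policy with the same engine [Authorize] and RequireAuthorization use.
        var authz = context.RequestServices.GetRequiredService<IAuthorizationService>();
        var result = await authz.AuthorizeAsync(context.User, policy);
        if (!result.Succeeded)
        {
            await context.ForbidAsync();   // 403 for a signed-in user who lacks the claim
            return;
        }

        break;   // authorised for this prefix; let the static file middleware serve it
    }

    await next(context);
});

app.UseStaticFiles();
app.Run();
```

Anything outside the listed prefixes stays public, exactly as a plain UseStaticFiles would serve it, so the dictionary is the complete list of what is protected. Because the policies are evaluated through IAuthorizationService rather than through endpoint metadata, the static file middleware never sees a matched endpoint and serves the file normally once the check passes.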

Currently there is no built-in way to secure wwwroot directories. I think you can expose an endpoint and then make judgments in the endpoint. This is a very simple method, as you expected. In your question, you want static file A to be accessed only by a user with claim A; I write a similar demo here, hope it can help you to solve your problem.

First I have a static file named "AAA" in wwwroot.

I use ASP.NET Core Identity here. Now I am logged in as a user, then I add a claim to this user.

// the claim's type and value are the same as the static file name
Claim claim = new Claim("AAA", "AAA");

await _userManager.AddClaimAsync(user, claim);

Then I expose an endpoint to get the static path, then do judgments:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;

// Add the [Authorize] attribute: the controller can only be accessed when the user is logged in
[Authorize]
public class TestController : Controller
{
    private readonly IWebHostEnvironment _env;

    public TestController(IWebHostEnvironment env)
    {
        _env = env;
    }

    // Pass in the name of the static file that needs to be accessed, then use the claim to authorize
    public IActionResult Find(string path)
    {
        // Inside a controller the current principal is available as User
        var value = User.Claims
            .Where(e => e.Type == path)
            .Select(e => e.Value)
            .FirstOrDefault();

        if (value != null && value == path)
        {
            // authorize success: read the static file from wwwroot and return it
            // (GetFileName drops any directory part, so the value cannot point outside wwwroot)
            var file = _env.WebRootFileProvider.GetFileInfo(Path.GetFileName(path));
            if (!file.Exists)
            {
                return NotFound();
            }
            return PhysicalFile(file.PhysicalPath, "application/octet-stream");
        }

        // authorize fail
        return Forbid();
    }
}

View

@* use asp-route-path="AAA" to pass the value of path *@
<a asp-controller="Test" asp-action="Find" asp-route-path="AAA">AAA</a>

<a asp-controller="Test" asp-action="Find" asp-route-path="BBB">BBB</a>

@* ....... *@
