堆栈内存溢出
  简体   繁体   English

.Net核心授权角色从全局到控制器的属性继承

[英].Net core Authorize attribute inheritance of roles from global to controller

 原文  2022-06-10 06:33:00       c#/ asp.net/ authentication

问题描述

As I understand, there are 3 'levels' that I can use the authorise attribute with roles in my web application.据我了解,我可以在我的 Web 应用程序中将授权属性与角色一起使用 3 个“级别”。 The first would be global auth policy for the webapp, like the following:第一个是 webapp 的全局身份验证策略,如下所示:

serviceCollection.AddMvcCore(options =>
            {
                options.Filters.Add(new AuthorizeFilter("MyPolicy"));
            })
            .AddAuthorization(options =>
            {
                options.AddPolicy("MyPolicy", builder =>
                {
                    builder.RequireAuthenticatedUser();
                    builder.RequireRole(new[]{"MyRole1","MyRole2"});
                });
            });

This would mean that only logged in users with MyRole1 or MyRole2 could use the webapp.这意味着只有使用 MyRole1 或 MyRole2 登录的用户才能使用 webapp。

The next two levels would be using an authorisation attribute at the controller level and then at the endpoint level as shown here:接下来的两个级别将在控制器级别使用授权属性,然后在端点级别使用授权属性,如下所示:

[Authorize(Roles = "MyRole3,MyRole4")]
public class MyController : Controller
{
    public MyController(){}

    [HttpGet]
    [Authorize(Roles = "MyRole5,MyRole6")]
    public async Task<IActionResult> Get()
    {
        var result = "something";
        return this.OkOrBadRequest(result);
    }
  }

In this case which roles apply to the endpoint?在这种情况下,哪些角色适用于端点? Are all the roles ORed together all the way down, are all the roles ANDed together all the way down, or is it the case of "most specific first"?是所有的角色一起 ORed 一路下来,所有的角色 ANDed 一路下来,还是“最具体的优先”的情况?

In the case of ORing together all the way down this would mean that any role from MyRole1 to MyRole6 could access the Get endpoint here.在 ORing 一路向下的情况下,这意味着从 MyRole1 到 MyRole6 的任何角色都可以在此处访问 Get 端点。

In the case of ANDing together all the way down this would mean that a user needs (MyRole1 OR MyRole2) AND (MyRole3 OR MyRole4) AND (MyRole5 OR MyRole6) to access the Get endpoint here.在 ANDing 一路向下的情况下,这意味着用户需要 (MyRole1 OR MyRole2) AND (MyRole3 OR MyRole4) AND (MyRole5 OR MyRole6) 在此处访问 Get 端点。

In the case of "most specific first" it would mean that only MyRole5 or MyRole6 could access the endpoint and roles at all other levels are ignored.在“最具体优先”的情况下,这意味着只有 MyRole5 或 MyRole6 可以访问端点,并且忽略所有其他级别的角色。

What would I do if I want to add an AND at a particular level, for example on MyController I want it to be (MyRole3 || MyRole4) && MyRole7?如果我想在特定级别添加 AND,例如在 MyController 上我希望它是 (MyRole3 || MyRole4) && MyRole7,我会怎么做?

1 个解决方案

解决方案1
 1 已采纳  2022-06-10 07:08:58

The authorize attributes are ANDed together.授权属性是 AND 在一起的。 So you should read the Authorization chain as MyRole1 OR MyRole2 AND MyRole3 OR MyRole4 AND MyRole5 OR MyRole6.因此,您应该将授权链解读为 MyRole1 OR MyRole2 AND MyRole3 OR MyRole4 AND MyRole5 OR MyRole6。 From this you should be able to determine how the action will be accessed.由此,您应该能够确定如何访问该操作。

(MyRole1 || MyRole2) && (MyRole3 || MyRole4) && (MyRole5 || MyRole6)

this implies that to access the method you need at least one role from each group.这意味着要访问该方法,您至少需要每个组中的一个角色。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 .Net Core 中的授权/角色属性 - Authorize / Roles attribute in .Net Core ASP.NET Core 2.2 授权角色不工作的属性 - ASP.NET Core 2.2 authorize attribute with roles not working 动态添加角色以授权控制器的属性 - Dynamically add roles to authorize attribute for controller 多角色授权属性 - Authorize Attribute with Multiple Roles 任何角色的授权属性 - Authorize attribute for any roles 使用角色授权属性不起作用? - Authorize Attribute with Roles not working? 授权不使用角色的属性 - Authorize attribute not working with roles ASP.NET Core 2授权属性jwt - ASP.NET Core 2 Authorize attribute jwt 自定义授权属性 - ASP .NET Core 2.2 - Custom Authorize attribute - ASP .NET Core 2.2 在 .Net Core 中绕过发布版本的授权属性 - Bypass Authorize Attribute in .Net Core for Release Version
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM