Suppose I have two models:

```csharp
using System;
using System.Collections.Generic;

class Customer
{
    public Guid CustomerID { get; set; }
    public IEnumerable<User> SubscribedUsers { get; set; }
    // other fields
}
```

and

```csharp
using System;

class User
{
    public Guid UserID { get; set; }
    // other fields
}
```
I want to implement BL with ASP.NET Identity for limitation of authorization: if the user is in SubscribedUsers, access is granted; else, denied.
I don't ask you to implement it for me. Just give me the best practice for how I can do it and where I can write this wrap of business logic...
I think I have to implement a custom OAuthAuthorizationServerProvider, don't I?
I think the easiest way is to add a new Claim ( https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims ). Call it SubscribedOnly and add this claim to the specified user ( How to add claims in ASP.NET Identity ).
In general I would try to find a built-in possibility to solve your problem before you try to override something.
The authorization logic will be placed in your controller. You can put the attribute [Authorize] on top of your Controller (which means that every ActionMethod is only available for logged-in users) or on top of every ActionMethod whose access should be secured.
Working with this attribute is very easy and straightforward for a wide range of implementations!!
If you're looking for a good resource to understand Identity or to customize it, I'll recommend John Atten's blog: http://johnatten.com/?s=identity
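As an added illustration of the claim-plus-[Authorize] approach described in the answer (this is example code, not the asker's or answerer's, and not from any library), the following shows one way to wire it up in ASP.NET Core Identity. It assumes ASP.NET Core with the default IdentityUser, a route parameter named customerId, and the claim type name SubscribedCustomer; those names, the policy name SubscribedOnly, and the controller are assumptions for the example. Rather than a single yes/no claim, it stores one claim per subscribed customer so the policy can check that the user is subscribed to the specific customer whose data is requested.

```csharp
// Added example (not from the question or answer): claim-based authorization for the rule
// "the user must be in Customer.SubscribedUsers", using ASP.NET Core Identity.
// Assumed: ASP.NET Core with the default IdentityUser, a {customerId} route value,
// and the claim type / policy names below (all chosen for this example).
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;

public static class SubscriptionClaims
{
    // Application-defined claim type; one claim per customer the user is subscribed to.
    public const string Type = "SubscribedCustomer";

    // Call when a subscription is created. Identity persists the claim and re-reads it at
    // the next sign-in, so the matching RevokeAsync must be called when the subscription
    // ends, or the user keeps access until then.
    public static Task<IdentityResult> GrantAsync(UserManager<IdentityUser> users,
                                                  IdentityUser user, Guid customerId)
        => users.AddClaimAsync(user, new Claim(Type, customerId.ToString("D")));

    public static Task<IdentityResult> RevokeAsync(UserManager<IdentityUser> users,
                                                   IdentityUser user, Guid customerId)
        => users.RemoveClaimAsync(user, new Claim(Type, customerId.ToString("D")));
}

// Requirement: the signed-in user must hold a SubscribedCustomer claim whose value
// equals the {customerId} route value of the request being authorized.
public sealed class SubscribedToCustomerRequirement : IAuthorizationRequirement { }

public sealed class SubscribedToCustomerHandler
    : AuthorizationHandler<SubscribedToCustomerRequirement>
{
    private readonly IHttpContextAccessor _http;
    public SubscribedToCustomerHandler(IHttpContextAccessor http) => _http = http;

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   SubscribedToCustomerRequirement requirement)
    {
        var routeValue = _http.HttpContext?.GetRouteValue("customerId")?.ToString();

        // Fail closed: a missing or unparsable id never grants access.
        if (!Guid.TryParse(routeValue, out var customerId))
            return Task.CompletedTask;

        bool subscribed = context.User.FindAll(SubscriptionClaims.Type)
            .Any(c => Guid.TryParse(c.Value, out var g) && g == customerId);

        if (subscribed)
            context.Succeed(requirement);
        // No Succeed() call means the requirement stays unmet and the request is denied.
        return Task.CompletedTask;
    }
}

// Program.cs wiring (minimal-hosting style, assumed):
//   builder.Services.AddHttpContextAccessor();
//   builder.Services.AddSingleton<IAuthorizationHandler, SubscribedToCustomerHandler>();
//   builder.Services.AddAuthorization(o =>
//       o.AddPolicy("SubscribedOnly", p => p.RequireAuthenticatedUser()
//                                            .AddRequirements(new SubscribedToCustomerRequirement())));

[ApiController]
[Route("customers/{customerId:guid}")]
public class CustomerDataController : ControllerBase
{
    // Only users holding a SubscribedCustomer claim for this customerId get past the attribute;
    // the controller body never has to repeat the check.
    [HttpGet("reports")]
    [Authorize(Policy = "SubscribedOnly")]
    public IActionResult Reports(Guid customerId) => Ok(new { customerId });
}
```

Keeping the decision in a policy handler rather than in each action means the subscription rule lives in one place and is enforced before any action code runs. Because Identity claims are read into the cookie or token at sign-in, a revoked subscription takes effect only after the principal is refreshed; if immediate revocation matters, validate the claim against the store in the handler instead of trusting the cached principal.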