I am using ASP.NET Core 2.1 with policy based authorization against Active Directory groups configured in appsettings.json. I have several calls to configure each policy similar to the following:
services.AddAuthorization(options =>
{
    // One policy per AD group; the group name is read from the appsettings.json section.
    options.AddPolicy("UserGroup", policy =>
    {
        policy.RequireAuthenticatedUser();
        policy.RequireRole(jsonAuthSection.UserGroup);
    });
});
I decorate various API controllers with different policies as needed as follows:
[Authorize("UserGroup")]
However, I now have models where some properties require administrative membership to change. To facilitate this, I use nullable types and when the property is bound (implying a change / value was specified) I need to check for additional permissions:
// Evaluate the stricter policy imperatively inside the action.
AuthorizationResult isAdmin = await this.authorizationService.AuthorizeAsync(this.User, "AdminGroup");

// A non-null Locked means the caller supplied a value for an admin-only property.
if (updateModel.Locked != null && !isAdmin.Succeeded)
{
    // 401 is what currently causes the browser to re-prompt for credentials.
    return this.StatusCode(StatusCodes.Status401Unauthorized, "some message");
}
// More checks...
Users are prompted for credentials instead of simply failing. What is a more appropriate strategy for accomplishing this?
You should return 403 Forbidden.
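The following is an added example, not code from the question or the answer, showing the pattern the answer recommends: the action checks the "AdminGroup" policy only when an admin-only property was actually bound, and answers an authenticated-but-unauthorized caller with 403 (Forbid) instead of 401, which is the challenge status that triggers a new credential prompt. It assumes the "UserGroup" and "AdminGroup" policies from the question are registered in Startup.ConfigureServices; the UpdateModel type, the AccountsController and its route are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical request model: nullable properties mean "not supplied" when null.
public class UpdateModel
{
    public string DisplayName { get; set; }

    // Admin-only property: a non-null value signals an attempted change.
    public bool? Locked { get; set; }
}

// Whole controller requires ordinary membership ("UserGroup" policy from the question).
[Authorize("UserGroup")]
[ApiController]
[Route("api/[controller]")]
public class AccountsController : ControllerBase
{
    private readonly IAuthorizationService authorizationService;

    public AccountsController(IAuthorizationService authorizationService)
    {
        this.authorizationService = authorizationService;
    }

    [HttpPut("{id}")]
    public async Task<IActionResult> Update(int id, [FromBody] UpdateModel updateModel)
    {
        // Only evaluate the stricter policy when an admin-only property was bound;
        // ordinary members editing ordinary fields never hit this check.
        if (updateModel.Locked != null)
        {
            AuthorizationResult isAdmin =
                await this.authorizationService.AuthorizeAsync(this.User, "AdminGroup");

            if (!isAdmin.Succeeded)
            {
                // The caller is already authenticated (the class-level [Authorize]
                // guarantees that), so this is an authorization failure: 403.
                // Returning 401 here would issue a challenge and re-prompt for credentials.
                return this.Forbid();
            }
        }

        // ... apply the update to the store (omitted) ...
        return this.NoContent();
    }
}
```

`Forbid()` hands the response to the authentication scheme's ForbidAsync, which for Windows/Negotiate and for `[ApiController]`-style APIs yields a plain 403; cookie authentication instead redirects to its AccessDeniedPath, so an API behind cookie auth that wants a bare status can use `return this.StatusCode(StatusCodes.Status403Forbidden, "some message");` (needs `using Microsoft.AspNetCore.Http;`). Either way the server should treat "who are you" (401) and "you may not do this" (403) as different answers.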