
.Net core web api - Role based authorization (Allow specific domains without asking JWT)

I have an API that uses standard role based authorization and JWT. I need to allow specific domains to use the API without providing a JWT while still continuing to use role based auth for other users. Is there a way to do this? Can I assign roles to these domains if such a way exists?

You can use an authorization filter. When authorization is required, the filter is executed. In the filter you can validate the domain and set the current user, including the role(s):

using System.Collections.Generic;
using System.Net.Http;
using System.Security.Principal;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class AddIdentityFilter : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Replace with your code to test the domain. Only list addresses you
        // actually trust; an empty entry would match a request whose address
        // could not be determined.
        var allowedIpAddresses = new List<string> { "127.0.0.1" };
        var isInDomain = allowedIpAddresses.Contains(GetIp(actionContext.Request));

        // Principal established by the host or by a preceding authentication
        // filter (e.g. the JWT bearer handler); may be anonymous or null.
        var identity = actionContext.RequestContext.Principal == null
            ? null
            : actionContext.RequestContext.Principal.Identity;

        if ((identity == null || !identity.IsAuthenticated) && isInDomain)
        {
            // Build an identity for the trusted caller and add the role(s)
            var domainPrincipal = new GenericPrincipal(new GenericIdentity("DomainUser"), new[] { "Admin" });

            // AuthorizeAttribute reads RequestContext.Principal; the web host
            // additionally exposes the principal through HttpContext.Current.User
            actionContext.RequestContext.Principal = domainPrincipal;
            if (HttpContext.Current != null)
                HttpContext.Current.User = domainPrincipal;
        }
        base.OnAuthorization(actionContext);
    }

    // Helper to determine the caller's IP address (web host and self host)
    private static string GetIp(HttpRequestMessage request)
    {
        // Web host (IIS): the HttpContextBase is stored in the request properties
        object value;
        if (request.Properties.TryGetValue("MS_HttpContext", out value))
        {
            var context = value as HttpContextBase;
            if (context != null)
                return context.Request.UserHostAddress;
        }

        if (HttpContext.Current != null)
            return HttpContext.Current.Request.UserHostAddress;

        return null;
    }
}

In WebApiConfig.cs add the filter:

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Only needed for OWIN: ignore the host's (IIS) authentication so that
        // only the bearer token authentication filter sets the principal
        config.SuppressDefaultHostAuthentication();

        // Global filters run before controller- and action-level [Authorize],
        // so the principal is already set when roles are checked
        config.Filters.Add(new AddIdentityFilter());

        // ...
    }
}
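The question title says .NET Core, while the answer above targets ASP.NET Web API 2 (System.Web.Http). The following is an added example, not part of the original answer, showing the same idea on ASP.NET Core: a middleware placed between UseAuthentication() and UseAuthorization() that, for callers that did not present a valid JWT, replaces the anonymous principal with one carrying role claims when the TCP peer address falls inside an allow-listed network. The class names, the CIDR list (127.0.0.1/32, ::1/128, 10.20.0.0/16) and the "Admin" role are assumptions for illustration; it goes beyond the answer's exact-address match by accepting CIDR prefixes for both IPv4 and IPv6.

```csharp
// Added example (not the original answer's code). Assumes JWT bearer
// authentication is configured and controllers use [Authorize(Roles = "...")].
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public sealed class TrustedNetworkOptions
{
    // Assumed values: replace with the networks you actually trust.
    public List<string> Networks { get; } = new List<string> { "127.0.0.1/32", "::1/128", "10.20.0.0/16" };
    // Roles granted to unauthenticated callers from those networks (assumed).
    public List<string> Roles { get; } = new List<string> { "Admin" };
}

public sealed class TrustedNetworkPrincipalMiddleware
{
    private readonly RequestDelegate _next;
    private readonly List<(IPAddress Network, int PrefixLength)> _networks;
    private readonly string[] _roles;

    public TrustedNetworkPrincipalMiddleware(RequestDelegate next, TrustedNetworkOptions options)
    {
        _next = next;
        _roles = options.Roles.ToArray();
        _networks = options.Networks.Select(ParseCidr).ToList();
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // UseAuthentication() has already run: a valid JWT populated context.User.
        // Only callers without an authenticated identity are considered here.
        var remote = context.Connection.RemoteIpAddress;
        if (context.User.Identity?.IsAuthenticated != true && remote != null && IsTrusted(remote))
        {
            var claims = new List<Claim> { new Claim(ClaimTypes.Name, "TrustedNetworkUser") };
            claims.AddRange(_roles.Select(r => new Claim(ClaimTypes.Role, r)));
            // Passing an authenticationType makes IsAuthenticated true, which
            // [Authorize] requires before it evaluates the Roles claims.
            context.User = new ClaimsPrincipal(new ClaimsIdentity(claims, "TrustedNetwork"));
        }
        await _next(context);
    }

    private bool IsTrusted(IPAddress address)
    {
        // On dual-stack hosts IPv4 peers appear as ::ffff:a.b.c.d; normalise so IPv4 prefixes match.
        if (address.IsIPv4MappedToIPv6) address = address.MapToIPv4();
        return _networks.Any(n => InPrefix(address, n.Network, n.PrefixLength));
    }

    private static (IPAddress, int) ParseCidr(string cidr)
    {
        var parts = cidr.Split('/');
        var network = IPAddress.Parse(parts[0]);
        var maxBits = network.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
        var prefix = parts.Length == 2 ? int.Parse(parts[1]) : maxBits;
        if (prefix < 0 || prefix > maxBits) throw new ArgumentException("Bad prefix length: " + cidr);
        return (network, prefix);
    }

    // True when the first prefixLength bits of address equal those of network.
    private static bool InPrefix(IPAddress address, IPAddress network, int prefixLength)
    {
        if (address.AddressFamily != network.AddressFamily) return false;
        byte[] a = address.GetAddressBytes(), n = network.GetAddressBytes();
        int fullBytes = prefixLength / 8, remainingBits = prefixLength % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (remainingBits == 0) return true;
        int mask = 0xFF << (8 - remainingBits);
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }
}

public static class TrustedNetworkExtensions
{
    public static IApplicationBuilder UseTrustedNetworkPrincipal(this IApplicationBuilder app, TrustedNetworkOptions options)
        => app.UseMiddleware<TrustedNetworkPrincipalMiddleware>(options);
}

// Pipeline order (Program.cs or Startup.Configure):
//   app.UseAuthentication();                                   // validates a JWT when one is presented
//   app.UseTrustedNetworkPrincipal(new TrustedNetworkOptions()); // synthetic principal for trusted peers only
//   app.UseAuthorization();                                    // [Authorize(Roles = "Admin")] now passes for them
```

Two caveats apply to both this and the Web API version. RemoteIpAddress (UserHostAddress in the Web API answer) is the TCP peer: behind a load balancer or reverse proxy it is the proxy's address, and if you enable the forwarded-headers middleware to recover the client address you must restrict KnownProxies/KnownNetworks, because otherwise X-Forwarded-For is attacker-controlled and the whole check is bypassable. Second, only callers without an authenticated identity get the synthetic principal, so a caller from a trusted network who presents a valid JWT keeps the roles from the token rather than being upgraded.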

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM