如何在 ASP.Net Core (WebAPI) 中基于 HTTP 动词和其他属性以声明方式指定授权策略
[英]How to declaritively specify authorization policy based on HTTP verb and other attributes in ASP.Net Core (WebAPI)
问题描述
我已经注册了几个授权策略:
ConfigureServices()
{
services.AddAuthorization(authorisationOptions =>
{
authorisationOptions.AddPolicy(StandardAuthorizationPolicy.Name, StandardAuthorizationPolicy.Value);
authorisationOptions.AddPolicy(MutatingActionAuthorizationPolicy.Name, MutatingActionAuthorizationPolicy.Value);
});
}
& 然后我在所有端点上设置默认授权策略:
Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseEndpoints(endpoints =>
{
endpoints
.MapControllers()
.RequireAuthorization(StandardAuthorizationPolicy.Name); // Declaratively require the standard authorization policy on all controller endpoints
});
}
在我要指定变异策略的端点上,我目前执行以下操作:
[HttpPut]
[Authorize(MutatingActionAuthorizationPolicy.Name)] // Because 'PUT'. NOT DECLARATIVE! :-(
public async Task<IActionResult> AddOrUpdateOverride(SourceOverride sourceOverride, CancellationToken cancellationToken)
{
// ..
}
我真正想要的是更多的控制,以声明性地应用基于 HttpVerb 的变异策略(即 POST、PUT、PATCH、DELETE)。
关于如何实现这一目标的任何想法? 允许我在 controller 方法/类上使用其他属性的奖励积分,而不仅仅是[HttpPost]等。
注意:我已经看到涉及投射内容的解决方案(并且似乎围绕单一访问策略)。 我真的宁愿坚持使用多种访问策略。
如果我被卡住了,我可能最终会为它编写一个约定测试。
1 个解决方案
解决方案1
3 已采纳 2021-03-10 22:47:28
您可以实现一个自定义 RequireAuthorization 扩展,该扩展采用 HTTP 动词过滤 function 作为参数,并检查每个端点元数据中的 HttpMethodAttribute
public static class AuthorizationEndpointConventionBuilderExtensions
{
/// <summary>
/// Adds authorization policies with the specified <see cref="IAuthorizeData"/> to the endpoint(s) filtered by supplied filter function
/// </summary>
/// <param name="builder">The endpoint convention builder.</param>
/// <param name="filterOnHttpMethods">Filters http methods that we applying specific policies to</param>
/// <param name="authorizeData">
/// A collection of <paramref name="authorizeData"/>. If empty, the default authorization policy will be used.
/// </param>
/// <returns>The original convention builder parameter.</returns>
public static TBuilder RequireAuthorizationForHttpMethods<TBuilder>(this TBuilder builder, Func<IEnumerable<HttpMethod>, bool> filterOnHttpMethods, params IAuthorizeData[] authorizeData)
where TBuilder : IEndpointConventionBuilder
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
if (authorizeData.Length == 0)
{
authorizeData = new IAuthorizeData[] { new AuthorizeAttribute(), };
}
builder.Add(endpointBuilder =>
{
var appliedHttpMethodAttributes = endpointBuilder.Metadata
.Where(x => x is HttpMethodAttribute)
.Cast<HttpMethodAttribute>();
if (appliedHttpMethodAttributes.Any(x => filterOnHttpMethods(x.HttpMethods
.Select(method => new HttpMethod(method)))))
{
foreach (var data in authorizeData)
{
endpointBuilder.Metadata.Add(data);
}
}
});
return builder;
}
/// <summary>
/// Adds authorization policies with the specified names to the endpoint(s) for filtered endpoints that return for filterOnHttpMethod
/// </summary>
/// <param name="builder">The endpoint convention builder.</param>
/// <param name="filterOnHttpMethods">Filters http methods that we applying specific policies to</param>
/// <param name="policyNames">A collection of policy names. If empty, the default authorization policy will be used.</param>
/// <returns>The original convention builder parameter.</returns>
public static TBuilder RequireAuthorizationForHttpMethods<TBuilder>(this TBuilder builder, Func<IEnumerable<HttpMethod>, bool> filterOnHttpMethods, params string[] policyNames)
where TBuilder : IEndpointConventionBuilder
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
if (policyNames == null)
{
throw new ArgumentNullException(nameof(policyNames));
}
return builder.RequireAuthorizationForHttpMethods(filterOnHttpMethods, policyNames.Select(n => new AuthorizeAttribute(n)).ToArray());
}
}
然后在原始扩展旁边使用此扩展:
app.UseEndpoints(endpoints =>
{
var mutatingHttpMethods = new HashSet<HttpMethod>()
{
HttpMethod.Post,
HttpMethod.Put,
HttpMethod.Delete
};
endpoints
.MapControllers()
.RequireAuthorization(StandardAuthorizationPolicy.Name)
.RequireAuthorizationForHttpMethods(httpMethods =>
httpMethods.Any(httpMethod => mutatingHttpMethods.Contains(httpMethod)),
MutatingActionAuthorizationPolicy.Name);
});
}
如何在 ASP.NET MVC/WebAPI 应用程序中支持 HTTP OPTIONS 动词
[英]How to support HTTP OPTIONS verb in ASP.NET MVC/WebAPI application
如何在 ASP.net core Identity 中实现基于权限的授权?
[英]How to implement permission based authorization in ASP.net core Identity?
基于资源的ASP.NET授权FormsAuthentication和WebApi
[英]Resource based ASP.NET Authorization FormsAuthentication and WebApi
如何在不使用角色的情况下使用ASP.NET WebAPI实现基于声明的授权?
[英]How can I implement Claims-Based Authorization with ASP.NET WebAPI without using Roles?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
使用Asp.Net Core WebAPI进行授权
在ASP.NET WebAPI应用程序中禁用HTTP谓词限制
接受ASP.NET WebAPI中的任何HTTP方法/动词
如何在 ASP.NET MVC/WebAPI 应用程序中支持 HTTP OPTIONS 动词
ASP.Net WebAPI删除动词不起作用
如何在 ASP.net core Identity 中实现基于权限的授权?
基于资源的ASP.NET授权FormsAuthentication和WebApi
ASP.NET Framework中基于自定义策略的授权
如何在不使用角色的情况下使用ASP.NET WebAPI实现基于声明的授权?
ASP.NET Core WebApi
相关标签