Authorizing access to controller based on user claims

I know I can restrict access to a controller (or its members) by decorating it with AuthorizeAttribute().
With the arrival of ASP.NET Identity and the move toward a more "claims-based" world, I'd like to find the equivalent attribute. Something like:

    [ClaimAuthorize(Permission="CanCreateCustomer")]
    public ActionResult CreateCustomer()
    {
        return View();
    }

Although I'm sure this will be built into Identity, all my searches have come up empty.
If it doesn't exist, how do I roll my own?
You have to roll your own. From there you can customize it as you need.
You have to extend the Authorize attribute.

    using System;
    using System.Web;
    using System.Web.Mvc;

    public class ClientAuthorize : AuthorizeAttribute
    {
        // Hides the base Roles property so the custom check below owns role handling.
        public new String Roles { get; set; }
        public String RequiredRights { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // CustomAuthorizeLogicReturnsBool is your own check (e.g. against the
            // claims on httpContext.User); it is not part of the framework.
            return CustomAuthorizeLogicReturnsBool(Roles, RequiredRights);
        }

        protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // Not signed in: let the base class return 401 (login redirect with cookie auth).
                //filterContext.Result = new HttpUnauthorizedResult();
                base.HandleUnauthorizedRequest(filterContext);
            }
            else
            {
                // Signed in but lacking the rights: 403 instead of bouncing to the login page.
                filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
            }
        }
    }

Usage

    [ClientAuthorize(Roles = "ClientUser", RequiredRights = "SaveAdmin,KillAdmin")]
    public class AdminController : Controller
    {
    }
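The answer above leaves the actual check as a placeholder. Below is an added example (not code from the question or from this answer) of a complete MVC 5 attribute that fills that gap: it requires one specific claim on the signed-in user, fails closed when the principal is not a ClaimsPrincipal, and returns 401 for anonymous callers but 403 for authenticated callers who lack the claim. The claim type name "permission" and the CustomerController are assumptions made for the example.

```csharp
// Added example: claim-based authorization attribute for ASP.NET MVC 5.
// Assumes permissions are stored as claims of type "permission" on the user.
using System;
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class ClaimAuthorizeAttribute : AuthorizeAttribute
{
    // Claim type used for permissions; a convention assumed for this example.
    public const string PermissionClaimType = "permission";

    public ClaimAuthorizeAttribute(string permission)
    {
        if (string.IsNullOrWhiteSpace(permission))
            throw new ArgumentException("A permission value is required.", "permission");
        Permission = permission;
    }

    public string Permission { get; private set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Base class enforces IsAuthenticated plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;

        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null)
            return false; // not a claims identity: fail closed rather than guess

        // Exact, case-sensitive match on the claim value; no prefix or wildcard matching.
        return principal.HasClaim(c =>
            c.Type == PermissionClaimType &&
            string.Equals(c.Value, Permission, StringComparison.Ordinal));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Anonymous caller: 401, which cookie authentication turns into a login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
        else
        {
            // Authenticated but not permitted: 403, so the user is not looped back to login.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
    }
}

// Usage (CustomerController is hypothetical):
public class CustomerController : Controller
{
    [ClaimAuthorize("CanCreateCustomer")]
    public ActionResult CreateCustomer()
    {
        return View();
    }
}
```

Only AuthorizeCore and HandleUnauthorizedRequest are overridden, so the base OnAuthorization keeps its output-cache validation logic, which prevents a cached response for one user being served to another who lacks the claim.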
You should probably file a documentation request for this, but to get started you can implement IAuthenticationFilter, register it, and then decorate your controller with: [Authorize(Roles = "CanCreateCustomer")]

    using System;
    using System.Threading;
    using System.Threading.Tasks;
    using System.Web.Http.Filters;

    public class CustomAuthenticationAttribute : Attribute, System.Web.Http.Filters.IAuthenticationFilter
    {
        public bool AllowMultiple
        {
            get
            {
                return true;
            }
        }

        public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
        {
            // Build the principal here, based on your implementation, and assign it:
            // context.Principal = yourPrincipal;
            return Task.FromResult(0);
        }

        public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
        {
            // No challenge is added in this example.
            return Task.FromResult(0);
        }
    }

Register it:

    using System.Web.Http;

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // Web API routes
            config.MapHttpAttributeRoutes();
            config.Filters.Add(new CustomAuthenticationAttribute());
        }
    }
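The answer above leaves the body of AuthenticateAsync open. Here is an added example (not code from this answer) of one way to fill it in for Web API 2 so that the suggested [Authorize(Roles = "CanCreateCustomer")] works against permission claims: the filter takes the principal the host has already authenticated (for instance from the Identity cookie), builds a fresh ClaimsIdentity from it, and adds one role claim per "permission" claim. The "permission" claim type, the filter name and the CustomerController are assumptions made for the example.

```csharp
// Added example: Web API 2 authentication filter that projects permission
// claims onto role claims so the stock AuthorizeAttribute can check them.
// Assumes permissions are already present as claims of type "permission".
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;

public class PermissionsToRolesAuthenticationFilter : IAuthenticationFilter
{
    public const string PermissionClaimType = "permission";

    // One instance applied globally is enough.
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var incoming = context.Principal as ClaimsPrincipal;
        if (incoming == null || incoming.Identity == null || !incoming.Identity.IsAuthenticated)
        {
            // Anonymous caller: leave the principal alone; [Authorize] will answer 401.
            return Task.FromResult(0);
        }

        // Copy into a new identity instead of mutating the one the host handed us.
        // The default RoleClaimType of ClaimsIdentity is ClaimTypes.Role, which is
        // what ClaimsPrincipal.IsInRole (and therefore AuthorizeAttribute) inspects.
        var identity = new ClaimsIdentity(incoming.Claims, incoming.Identity.AuthenticationType);

        var permissions = incoming.FindAll(PermissionClaimType)
            .Select(c => c.Value)
            .Where(v => !string.IsNullOrWhiteSpace(v))
            .Distinct(StringComparer.Ordinal);

        foreach (var permission in permissions)
        {
            if (!identity.HasClaim(ClaimTypes.Role, permission))
                identity.AddClaim(new Claim(ClaimTypes.Role, permission));
        }

        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        // This filter does not authenticate by itself, so it adds no challenge header.
        return Task.FromResult(0);
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.MapHttpAttributeRoutes();
        // Authentication filters run before authorization filters, so the
        // role claims are in place when [Authorize] evaluates them.
        config.Filters.Add(new PermissionsToRolesAuthenticationFilter());
    }
}

// Usage (CustomerController is hypothetical):
public class CustomerController : ApiController
{
    [Authorize(Roles = "CanCreateCustomer")]
    public IHttpActionResult PostCustomer()
    {
        return Ok();
    }
}
```

Because the filter only ever adds claims derived from an already-authenticated principal, it cannot grant access to an anonymous request; the Web API AuthorizeAttribute still rejects those with 401 and, for signed-in users without the matching role claim, with 403.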