根據用戶聲明授權對控制器的訪問
[英]Authorizing access to controller based on user claims
問題描述
我知道我可以通過使用AuthorizeAttribute()裝飾它來限制對控制器(或其成員)的訪問。
隨着 ASP 身份的出現並朝着更加“基於聲明”的世界邁進,我想找到等效的屬性。 就像是:
[ClaimAuthorize(Permission="CanCreateCustomer")]
public ActionResult CreateCustomer()
{
return View();
}
雖然我確信這會內置到身份中,但我所有的搜索都陷入了空白。
如果它不存在,我該如何推出自己的?
2 個解決方案
解決方案1
1 2016-10-11 14:57:54
你必須自己滾動。 從那時起,您可以根據需要自定義它。
您必須擴展授權屬性。
public class ClientAuthorize : AuthorizeAttribute
{
public new String Roles { get; set; }
public String RequiredRights { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
return CustomAuthorizeLogicReturnsBool(Roles, RequiredRights);
}
protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
{
if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
//filterContext.Result = new HttpUnauthorizedResult();
base.HandleUnauthorizedRequest(filterContext);
}
else
{
filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
}
}
}
用法
[ClientAuthorize(Roles = "ClientUser", RequiredRights = "SaveAdmin,KillAdmin")]
public class AdminController : Controller
{
}
解決方案2
0 2016-10-11 14:54:10
您可能應該為此提交文檔請求,但要開始使用,您可以實現IAuthenticationFilter ,注冊它,然后使用以下內容裝飾您的控制器: [Authorize(Roles = "CanCreateCustomer")]
public class CustomAuthenticationAttribute : Attribute, System.Web.Http.Filters.IAuthenticationFilter
{
public bool AllowMultiple
{
get
{
return true;
}
}
public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
{
context.Principal = //get principal here, based on your implementation
}
public async Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
{
await Task.FromResult(0);
}
}
注冊它:
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Web API routes
config.MapHttpAttributeRoutes();
config.Filters.Add(new CustomAuthenticationAttribute ());
}
}
確定用戶是否可以基於角色訪問給定的Controller Action
[英]Determine if a user will have access to a given Controller Action based on Role
用戶對客戶端的同意與api可以訪問的聲明有關嗎?
[英]Is user's consent towards a client relevant to the claims an api has access to?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.