![](/img/trans.png)
[英]Troubleshooting ASP.NET Core Role-based Authorization with Windows Authentication
[英]Windows Authentication Asp.net core 2 database role authorization
我正在使用一個將使用Asp.Net Core 2.1和Windows身份驗證的Intranet應用程序。 我正好從IIS獲得通過,但我想使用存儲在數據庫中的角色進行授權。
我有一個IClaimsTransformeration類,它從基於LAN Id的數據庫中獲取角色,並使用角色鍵將它們添加到聲明列表中。
public class MyClaimsTransformer : IClaimsTransformation
{
private readonly IUnitOfWorkMtuSecurity _unitOfWork;
public MyClaimsTransformer(IUnitOfWorkMtuSecurity unitOfWork)
{
_unitOfWork = unitOfWork;
}
// Each time HttpContext.AuthenticateAsync() or HttpContext.SignInAsync(...) is called the claims transformer is invoked. So this might be invoked multiple times.
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var identity = principal.Identities.FirstOrDefault(x => x.IsAuthenticated);
if (identity == null) return principal;
//var user = await _userManager.GetUserAsync(principal);
var user = identity.Name;
if (user == null) return principal;
//Get user with roles from repository.
var dbUser = _unitOfWork.UserInformations.GetUserWithRoles(user);
// Inject DbRoles into Claims list
foreach (var role in dbUser.UserInformationUserRoles.Select((r=>r.UserRole)))
{
var claim = new Claim(ClaimTypes.Role, role.Name);
identity.AddClaim(claim);
}
return new ClaimsPrincipal(identity);
}
}
我在startup.cs中將IClaimsTransformation添加到了我的服務中
services.AddScoped<IClaimsTransformation, MyClaimsTransformer>();
然后我將屬性添加到我的控制器
[Authorize(Roles = "Administrator")]
當我運行我的應用程序時,我收到以下錯誤:
處理請求時發生未處理的異常。 InvalidOperationException:未指定authenticationScheme,並且未找到DefaultForbidScheme。 Microsoft.AspNetCore.Authentication.AuthenticationService.ForbidAsync(HttpContext context,string scheme,AuthenticationProperties properties)
在startup.cs中,我將以下內容添加到服務中
services.AddAuthentication(IISDefaults.AuthenticationScheme);
這擺脫了錯誤,但無論我得到403錯誤。
您無權查看此頁面。 HTTP錯誤403
當我從MyClaimsTransformer觀察返回值時,我可以看到管理員的角色已添加到聲明列表中,但無論我得到403錯誤。
有沒有人建議我缺少什么?
如果我在視圖中使用以下語法,它在視圖級別工作:
@if (User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Administrator"))
{
<li><a asp-area="" asp-controller="UserInformationAdmin" asp-action="Index">Admin</a></li>
}
我必須指定整個架構URL。
ClaimIdentity的RoleClaimType為“ http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid ”
它需要是一個RoleClaimType“ http://schemas.microsoft.com/ws/2008/06/identity/claims/role ”
由於這是一個只讀屬性,因此我更改了TransformAsync方法以創建新的ClaimsPrincipal,而不是嘗試將數據庫角色添加到現有聲明中。 我的應用程序不需要任何AD組,因此它僅使用Windows進行身份驗證。 下面的代碼似乎有效。
public class MyClaimsTransformer : IClaimsTransformation
{
private readonly IUnitOfWorkSecurity _unitOfWork;
public MyClaimsTransformer(IUnitOfWorkSecurity unitOfWork)
{
_unitOfWork = unitOfWork;
}
// Each time HttpContext.AuthenticateAsync() or HttpContext.SignInAsync(...) is called the claims transformer is invoked. So this might be invoked multiple times.
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var identity = principal.Identities.FirstOrDefault(x => x.IsAuthenticated);
if (identity == null) return principal;
var user = identity.Name;
if (user == null) return principal;
//Get user with roles from repository.
var dbUser = _unitOfWork.UserInformations.GetUserWithRoles(user);
var claims = new List<Claim>();
//The claim identity uses a claim with the claim type below to determine the name property.
claims.Add(new Claim(@"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", user, "Name"));
//todo: We should probably create a cache for this
// Get User Roles from database and add to list of claims.
foreach (var role in dbUser.UserInformationUserRoles.Select((r=>r.UserRole)))
{
claims.Add(new Claim(ClaimTypes.Role, role.Name));
}
var newClaimsIdentity = new ClaimsIdentity(claims,"Kerberos","", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role");
var newClaimsPrincipal = new ClaimsPrincipal(newClaimsIdentity);
return new ClaimsPrincipal(newClaimsPrincipal);
}
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.