從ASP.NET Core 2.1遷移到.NET 6后如何處理授權錯誤？

Question

我已將我的項目從 asp.net 核心 2.1 遷移到 .NET 6，現在我面臨一個錯誤， context.Resource as AuthorizationFilterContext返回 NULL。

我已經使用 AuthorizationFilterContext 實現了自定義的基於策略的身份驗證，似乎.NET 6 不支持AuthorizationFilterContext請幫助我如何將以下代碼從 asp.net 核心 2.1 修改為 .NET6。 謝謝你。

這是此行中的錯誤消息var mvcContext = context.Resource as AuthorizationFilterContext;

mvcContext == NULL

下面是AuthorizationHandler和AuthorizationHandlerContext的實現代碼

public class HasAccessRequirment : IAuthorizationRequirement { }
    public class HasAccessHandler : AuthorizationHandler<HasAccessRequirment>
    {
        public readonly HoshmandDBContext _context;
        public HasAccessHandler(HoshmandDBContext context)
        {
            _context = context;
        }
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasAccessRequirment requirement)
        {
            Contract.Ensures(Contract.Result<Task>() != null);
            List<int?> userGroupIds = new List<int?>();
            // receive the function informations

            var mvcContext = context.Resource as AuthorizationFilterContext;
            if ((mvcContext != null) && !context.User.Identity.IsAuthenticated)
            {
                mvcContext.Result = new RedirectToActionResult("UserLogin", "Logins", null);
                return Task.FromResult(Type.Missing);
            }
            if (!(mvcContext?.ActionDescriptor is ControllerActionDescriptor descriptor))
            {
                return Task.FromResult(Type.Missing);
            }
            var currntActionAddress = descriptor.ControllerName + "/" + descriptor.ActionName;
            // finding all information about controller and method from Tables 
            // check user has access to current action which is being called
            //allActionInfo = ListAcctionsFromDatabase;
            //bool isPostBack = allActionInfo.FirstOrDefault(a => a.action == currntActionAddress)?.IsMenu ?? true;
            bool isPostBack = false;
            if (!isPostBack)
            {
                mvcContext.Result = new RedirectToActionResult("AccessDenied", descriptor.ControllerName, null);
                context.Succeed(requirement);
                return Task.CompletedTask;
            }
            else
            {
                mvcContext.Result = new RedirectToActionResult("AccessDeniedView", descriptor.ControllerName, null);
                context.Succeed(requirement);
                return Task.CompletedTask;
            }

        }
    }

這是我的 Program.cs 代碼：

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("HasAccess", policy => policy.AddRequirements(new HasAccessRequirment()));
});

builder.Services.AddTransient<IAuthorizationHandler, HasAccessHandler>();

這是 Controller 代碼：

   [Authorize(policy: "HasAccess")]
    public class HomeController : BaseController
    {
    }

Answer 1

自 .net 核心 3 以來，關於 AuthorizationFilterContext 有一些變化：
A. MVC 不再將 AuthorizeFilter 添加到 ActionDescriptor，ResourceInvoker 將不會調用 AuthorizeAsync()。
B. 它將 Filter 作為元數據添加到端點。 此外，在 .net 5 中，它將context.Resource更改為 DefaultHttpContext 的類型。

所以這是新方法：

public class MyAuthorizationPolicyHandler : AuthorizationHandler<OperationAuthorizationRequirement>
{

    public MyAuthorizationPolicyHandler()
    {
    }

    protected async override Task HandleRequirementAsync(AuthorizationHandlerContext context, OperationAuthorizationRequirement requirement)
    {
        var result = false;

        if (context.Resource is Microsoft.AspNetCore.Http.DefaultHttpContext httpContext)
        {
            var endPoint = httpContext.GetEndpoint();
            if (endPoint != null)
            {
                var attributeClaims = endPoint.Metadata.OfType<MyAuthorizeAttribute>()
                //TODO: Add your logic here
            }

            if (result)
            {
                context.Succeed(requirement);
            }
        }
    }

請參考這個討論： "context.Resource as AuthorizationFilterContext" returning null in ASP.NET Core 3.0