ASP.NET Core MVC Policy Authorization
Adding policy-based authorization
This example checks whether the user name is ms666;
if it is not, access is denied.
services.AddAuthorization(options =>
{
    // Policy name + the policy's requirements
    // options.AddPolicy("查看所有用户", policy => policy.RequireRole("管理员")); // "View all users" policy, "Administrator" role
    // A claim is a pair (ClaimType and ClaimValue)
    // options.AddPolicy("SuperAdmin", policy => policy.RequireClaim("ms666"));
    // The same kind of check written with RequireAssertion (this one tests the user name):
    options.AddPolicy("SuperAdmin", policy => policy.RequireAssertion(
        new Func<Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext, bool>(context =>
        {
            if (context.User.Identity?.Name == "ms666")
            {
                return true;
            }
            return false;
        })
    ));
    // Check whether the user has a claim of type "GetUsers"
    options.AddPolicy("CanGetUsers", p => p.RequireAssertion(
        new Func<Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext, bool>(context =>
        {
            if (context.User.HasClaim(c => c.Type == "GetUsers"))
            {
                return true;
            }
            return false;
        })
    ));
});
To use a policy, put [Authorize(Policy = "SuperAdmin")] on the controller or action.
Next, we implement the same functionality a second way.
// The handler can only be used after it has been registered as a service
services.AddSingleton<IAuthorizationHandler, theUserNameIsMe>();
services.AddAuthorization(options =>
{
    options.AddPolicy("ms666", policy => policy.Requirements.Add(new UserNameRequirement("ms666")));
    // Several requirements can also be added at once, as below
    //options.AddPolicy("ms666", policy => policy.AddRequirements(new UserNameRequirement("ms666"),new xxxxxxxx()));
});
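Below is the concrete implementation of UserNameRequirement. Remember to register the handler as a service.
The handler takes, as its generic type argument, a type that implements IAuthorizationRequirement.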
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

public class UserNameRequirement : IAuthorizationRequirement
{
    public string _CurrentUserName { get; set; }
    public UserNameRequirement(string UserName)
    {
        this._CurrentUserName = UserName;
    }
}

public class theUserNameIsMe : AuthorizationHandler<UserNameRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserNameRequirement requirement)
    {
        if (context.User.Identity?.Name == requirement._CurrentUserName)
        {
            context.Succeed(requirement);
        }
        // If the check passes, mark the requirement as succeeded;
        // if it does not, just return the completed Task
        return Task.CompletedTask;
    }
}
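Why return Task.CompletedTask rather than False?
Because multiple checks can be bound to Claims: if one of them returns Succeed and none of the others returns False, the check passes.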
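The behaviour described above, as an added example that is not code from the original post: two handlers are registered for the same UserNameRequirement and the policy is evaluated for three constructed users, showing that a handler which stays silent does not block another handler's Succeed, while an explicit Fail does. It assumes a console project that references the ASP.NET Core shared framework (Microsoft.AspNetCore.App); LockedOutHandler and the "Locked" claim are hypothetical names introduced for the illustration.

```csharp
// Added example: LockedOutHandler and the "Locked" claim are hypothetical; all users are constructed.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddLogging();   // the default IAuthorizationService needs a logger
services.AddSingleton<IAuthorizationHandler, theUserNameIsMe>();
services.AddSingleton<IAuthorizationHandler, LockedOutHandler>();
services.AddAuthorizationCore(options => options.AddPolicy("ms666",
    policy => policy.Requirements.Add(new UserNameRequirement("ms666"))));
var auth = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

static ClaimsPrincipal MakeUser(string name, params string[] extraClaimTypes)
{
    var id = new ClaimsIdentity("demo");   // non-empty authentication type => authenticated
    id.AddClaim(new Claim(ClaimTypes.Name, name));
    foreach (var type in extraClaimTypes) id.AddClaim(new Claim(type, "true"));
    return new ClaimsPrincipal(id);
}

foreach (var (label, user) in new[] {
    ("name matches, other handler stays silent", MakeUser("ms666")),
    ("no handler calls Succeed", MakeUser("alice")),
    ("name matches, but another handler calls Fail", MakeUser("ms666", "Locked")) })
{
    var result = await auth.AuthorizeAsync(user, "ms666");
    Console.WriteLine($"{label}: Succeeded={result.Succeeded}");
}

record UserNameRequirement(string _CurrentUserName) : IAuthorizationRequirement;

class theUserNameIsMe : AuthorizationHandler<UserNameRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserNameRequirement requirement)
    {
        if (context.User.Identity?.Name == requirement._CurrentUserName) context.Succeed(requirement);
        return Task.CompletedTask;   // staying silent leaves the decision to other handlers
    }
}
// Hypothetical veto handler: Fail() denies the request even if another handler succeeded.
class LockedOutHandler : AuthorizationHandler<UserNameRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserNameRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "Locked")) context.Fail();
        return Task.CompletedTask;
    }
}
```

Only the first user is authorized: the second has no handler vouching for it, and the third is vetoed by the explicit Fail despite the matching name.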
