AspNet5 - Windows authentication: get group names from claims

Mic*_*JDI 12 asp.net-core-mvc asp.net-core

I have an asp.net5 project set up to use Windows authentication. When I set a breakpoint and inspect the user, I see a Claims array that contains Group SIDs. How do I get the actual group names from the claims?

I am trying to restrict which users can log in, based on the Active Directory groups they belong to, and I am struggling to set this up.

Questions: How do I see which Active Directory groups the logged-in user belongs to? How do I convert a GroupSID to a group name? Do I need to include anything in startup.cs to restrict REST service calls to certain groups?

I have seen examples of manually setting claims based on the logged-in user. I am interested in restricting access using the Windows-authenticated user and their groups.

Thanks

Jos*_*one 22

You can actually still get the group name, using:

var test = new System.Security.Principal.SecurityIdentifier("S-1-5-21-3290390516-4063083420-3538132138-1146").Translate(typeof(System.Security.Principal.NTAccount)).ToString();

For example:

using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// _context is the HttpContext, _logger an ILogger; under Windows authentication
// the token's group SIDs are exposed as ClaimTypes.GroupSid claims
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);

_logger.LogInformation($"Got {roles.Count()} roles");

foreach (var role in roles)
{
    // Translate the SID string to a DOMAIN\Name account name
    var name = new SecurityIdentifier(role).Translate(typeof(NTAccount)).ToString();
    _logger.LogInformation($"Got role {name}");
}

Output:

(namespace).Authorization.Handlers.SiteHandler: Information: Got 18 roles
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\Domain Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role Everyone
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Backend
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Dashboards
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Performance Log Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\INTERACTIVE
(namespace).Authorization.Handlers.SiteHandler: Information: Got role CONSOLE LOGON
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\Authenticated Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\This Organization
(namespace).Authorization.Handlers.SiteHandler: Information: Got role LOCAL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_BE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)Developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_TEST
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DB_ALL

Note that populating the domain roles can take a second or two.

  • Is there a better way to do this now with 1.0? (5 upvotes)

Chr*_*oZZ 7

Only adding an answer to help clarify something in the top-voted answer, since I don't have enough rep to add a comment.

That answer does not print out the actual AD group names. Replacing 'role' with 'name' in the foreach loop will print the names of the AD groups.

using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// _context is the HttpContext, _logger an ILogger
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);

_logger.LogInformation($"Got {roles.Count()} roles");

foreach (var role in roles)
{
    // Log the translated account name, not the raw SID
    var name = new SecurityIdentifier(role).Translate(typeof(NTAccount)).ToString();
    _logger.LogInformation($"Got role {name}");
}


blo*_*art 6

You don't. Unfortunately, that's not how Windows authentication works. You can only check whether a user is in a role (and there is a policy requirement for that), not enumerate the roles they are in - that needs Directory Services, which hasn't been ported to Core yet.

(One thing to note: User.IsInRole() is currently broken for Windows identities because of a bug. This will be fixed in RC2.)
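The following is an added example, not code from any of the answers above. It puts the two points together: resolving the GroupSid claims to DOMAIN\Name strings for diagnostics (what JosephGarrone's answer does), and restricting a REST endpoint to one group through an authorization policy in Startup (the "policy requirement" the answer above refers to). It assumes an ASP.NET Core app hosted on Windows with Windows authentication enabled, so that HttpContext.User carries ClaimTypes.GroupSid claims; the group SID, the policy name "BackendOnly" and ReportsController are placeholders.

```csharp
// Added example; assumes Windows authentication (IIS or HTTP.sys) so that
// HttpContext.User is a WindowsPrincipal whose token groups appear as
// ClaimTypes.GroupSid claims. SIDs and names below are placeholders.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Resolves group SIDs to "DOMAIN\Name" for logging only. Translate() may
// round-trip to a domain controller, so results are cached per process. SIDs
// that cannot be mapped (deleted group, unreachable trusted domain) throw
// IdentityNotMappedException and are reported by their raw SID string.
public static class GroupNameResolver
{
    private static readonly Dictionary<string, string> Cache = new Dictionary<string, string>();

    public static IReadOnlyList<string> GroupNames(ClaimsPrincipal user)
    {
        return user.FindAll(ClaimTypes.GroupSid)
                   .Select(c => Resolve(c.Value))
                   .OrderBy(n => n, StringComparer.OrdinalIgnoreCase)
                   .ToList();
    }

    public static string Resolve(string sid)
    {
        lock (Cache)
        {
            if (Cache.TryGetValue(sid, out var cached)) return cached;
        }

        string name;
        try
        {
            name = new SecurityIdentifier(sid).Translate(typeof(NTAccount)).ToString();
        }
        catch (IdentityNotMappedException)
        {
            name = sid; // keep the entry visible instead of dropping it silently
        }

        lock (Cache) { Cache[sid] = name; }
        return name;
    }
}

public class Startup
{
    // Placeholder: the SID of the AD group allowed to call the API. Decide by
    // SID rather than by display name: SIDs survive group renames and the check
    // is a pure in-memory claim comparison, with no DC round-trip per request.
    private const string BackendGroupSid = "S-1-5-21-0000000000-0000000000-0000000000-1146";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("BackendOnly", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim(ClaimTypes.GroupSid, BackendGroupSid));
        });
        services.AddMvc();
    }
}

// Placeholder controller: every action here requires the policy above.
[Authorize(Policy = "BackendOnly")]
[Route("api/[controller]")]
public class ReportsController : Controller
{
    private readonly ILogger<ReportsController> _logger;

    public ReportsController(ILogger<ReportsController> logger) { _logger = logger; }

    [HttpGet]
    public IActionResult Get()
    {
        // Access was already decided by SID; names are resolved only for the log line.
        _logger.LogInformation("Caller {User} is in: {Groups}",
            User.Identity.Name,
            string.Join(", ", GroupNameResolver.GroupNames(User)));
        return Ok();
    }
}
```

If you would rather configure the policy with a group name, `RequireRole(@"DOMAIN\Backend")` on a WindowsPrincipal goes through WindowsPrincipal.IsInRole, which translates the name to a SID on each check; that is the name-to-SID direction of the same Translate() call, with the same dependency on the domain controller being reachable.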


Ass*_* S. 5

Another option (similar to @JosephGarrone's solution):

using System;
using System.Collections.Generic;
using System.Security.Principal;

private string[] GetGroups1()
{
    var groups = new List<string>();

    // Under Windows authentication User.Identity is the WindowsIdentity;
    // its Groups collection holds the token's group SIDs
    var wi = (WindowsIdentity)User.Identity;
    if (wi.Groups != null)
    {
        foreach (var group in wi.Groups)
        {
            try
            {
                groups.Add(group.Translate(typeof(NTAccount)).ToString());
            }
            catch (Exception)
            {
                // ignored: SID could not be resolved to an account name
            }
        }
    }

    groups.Sort(); // optional
    return groups.ToArray();
}