sna*_*nap 3 c# asp.net authorization controller
要将控制器标记为需要授权,通常可以像这样装饰它:
[Authorize]
public class MyController : Controller
我们的身份验证是通过第三方提供商进行的,并且考虑到它的设置方式,我们只希望它在我们的生产环境中实际生效,我们不希望它在 QA 环境中处于活动状态。在 Startup.cs 文件中关闭环境很容易,但是有没有办法有条件地装饰控制器?我开始研究政策和角色,看起来可能会被黑客入侵,但有更好的方法吗?
如果您使用的是 Asp.NET Core,请遵循此处的文档:
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1 https://learn.microsoft.com/en-us/aspnet/core/security/authorization /dependencyinjection?view=aspnetcore-2.1
您可以像这样制定自定义策略:
public class EnvironmentAuthorize : IAuthorizationRequirement
{
public string Environment { get; set; }
public EnvironmentAuthorize(string env)
{
Environment = env;
}
}
public class EnvironmentAuthorizeHandler : AuthorizationHandler<EnvironmentAuthorize>
{
private readonly IHostingEnvironment envionment;
public EnvironmentAuthorizeHandler(IHostingEnvironment env)
{
envionment = env;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EnvironmentAuthorize requirement)
{
if (requirement.Environment != envionment.EnvironmentName)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
在 Startup.cs 中:
services.AddAuthorization(options =>
{
options.AddPolicy("ProductionOnly", policy =>
policy.Requirements.Add(new EnvironmentAuthorize("Production")));
});
services.AddSingleton<IAuthorizationHandler, EnvironmentAuthorizeHandler>();
在控制器中:
[Authorize(Policy = "ProductionOnly")]
public class MyController : Controller
虽然这是可能的,但我不建议这样做,因为在不同的环境中具有不同的行为确实是一场噩梦。
| 归档时间: |
|
| 查看次数: |
806 次 |
| 最近记录: |