Wil*_*son 5 c# authorization windows-authentication .net-core
以前在 .NET Framework 中,我使用自定义RoleProvider和 Windows 身份验证来针对当前主体提供自定义角色,而不是使用 Active Directory 组。
因此,目标是能够使用装饰[Authorize(Roles="")]属性,其中角色来自数据库而不是活动目录(或者两者的组合都可以)。
为了在核心实现这一点,我相信我需要使用此处IClaimsTransformation讨论的分配角色声明。
在这里,我只是尝试添加一个角色“管理员”,但是当我使用时,[Authorize(Roles = "Admin")]我收到 403 未经授权的响应。
启动.cs
services.AddRazorPages();
services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.AddSingleton<IClaimsTransformation, ClaimsTransformer>();
-------
app.UseAuthorization();
ClaimsTransformer.cs
public class ClaimsTransformer : IClaimsTransformation
{
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var identity = (ClaimsIdentity)principal.Identity;
var c = new Claim(identity.RoleClaimType, "Admin");
identity.AddClaim(c);
return await Task.FromResult(principal);
}
}
令人烦恼的是,当我打电话时,这会起作用,User.IsInRole()并且在检查声明时我可以看到该组,因此它被添加,但它不适用于授权属性。任何意见,将不胜感激。
ClaimsTransformer设法与自定义一起解决这个问题TypeFilterAttribute
ClaimsTransformer.cs
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var identity = (WindowsIdentity)principal.Identity;
Guid userGuid;
SecurityIdentifier sid = identity.User;
using (DirectoryEntry userDirectoryEntry = new DirectoryEntry("LDAP://<SID=" + sid.Value + ">"))
{
userGuid = userDirectoryEntry.Guid;
}
UserAccount user = null;
if (userGuid != Guid.Empty)
user = await db.UserAccounts.Where(x => x.GUID == userGuid).SingleOrDefaultAsync();
if (user == null)
return principal;
if (user.Historic)
return principal;
var claims = new List<Claim>();
foreach (var role in user?.UserAccountGroups)
{
claims.Add(new Claim(ClaimTypes.GroupSid, role.Group.Name));
};
identity.AddClaims(claims);
return principal;
}
组属性.cs
[AttributeUsage(AttributeTargets.All, Inherited = false, AllowMultiple = true)]
public class GroupsAttribute : TypeFilterAttribute
{
public GroupsAttribute(string groups) : base(typeof(ClaimRequirementFilter))
{
Arguments = new object[] { groups };
}
}
public class ClaimRequirementFilter : IAuthorizationFilter
{
readonly string _groups;
public ClaimRequirementFilter(string groups)
{
_groups = groups;
}
public void OnAuthorization(AuthorizationFilterContext context)
{
var groups = _groups.Split(',');
bool hasClaim = false;
foreach (var group in groups)
{
if (context.HttpContext.User.Claims.Any(c => c.Type == ClaimTypes.GroupSid && c.Value.Equals(group.Trim(), StringComparison.OrdinalIgnoreCase)))
hasClaim = true;
}
if (!hasClaim)
{
context.Result = new ForbidResult();
}
}
}
| 归档时间: |
|
| 查看次数: |
9263 次 |
| 最近记录: |