咨询区
-
jltrem:
我想在 ASP.NET Core 中用 authorization 特性实现一个自定义验证,在之前的版本中,我可以用系统提供的 bool AuthorizeCore(HttpContextBase httpContext) 方法,但在这个版本中已经没有该方法了。
请问当前我该如何实现这个自定义的 AuthorizeAttribute 呢?
回答区-
gius:
看样子你用的是 ASP.NET Core 2,当然现在你也可以实现,继承 AuthorizeAttribute 并实现 IAuthorizationFilter 接口即可,参考代码如下:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class CustomAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{
private readonly string _someFilterParameter;
public CustomAuthorizeAttribute(string someFilterParameter)
{
_someFilterParameter = someFilterParameter;
}
public void OnAuthorization(AuthorizationFilterContext context)
{
var user = context.HttpContext.User;
if (!user.Identity.IsAuthenticated)
{
// it isn't needed to set unauthorized result
// as the base class already requires the user to be authenticated
// this also makes redirect to a login page work properly
// context.Result = new UnauthorizedResult();
return;
}
// you can also use registered services
var someService = context.HttpContext.RequestServices.GetService();
var isAuthorized = someService.IsUserAuthorized(user.Identity.Name, _someFilterParameter);
if (!isAuthorized)
{
context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);
return;
}
}
}
-
Kévin Chalet
对于纯碎的授权,比如说只能给某些用户一些特定的访问权限,现在推荐的做法是使用新的授权块。
public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.Configure(options =>
{
options.AddPolicy("ManageStore", policy => policy.RequireClaim("Action", "ManageStore"));
});
}
}
public class StoreController : Controller
{
[Authorize(Policy = "ManageStore"), HttpGet]
public async Task Manage() { ... }
}
对于授权,最好在中间件层面做处理,回过头来说,你确定现在的做法是正确的吗?
点评区确实在 ASP.NET Core 5 时代,更好的方式应该是用 中间件 实现,而不是深入到业务体之后再用过滤器的方式来实现,当然你也可以用过滤器。
