是否可以针对两个或多个保单申请授权?我正在使用 ASP.NET 5,rc1。
[Authorize(Policy = "Limited,Full")]
public class FooBarController : Controller
{
// This code doesn't work
}
如果没有,我如何在不使用策略的情况下实现这一目标?有两组用户可以访问此控制器:“完全”和“受限”。用户可能属于“完全”或“受限”,或两者。他们只需要属于两个组之一即可访问该控制器。
不是你想要的方式;政策的设计是累积性的。例如,如果您使用两个单独的属性,那么它们必须都通过。
您必须评估单个策略中的 OR 条件。 但是您不必在单个处理程序中将其编码为 OR。您的需求可能有多个处理程序。如果任一处理程序标记成功,则满足要求。请参阅我的授权研讨会中的步骤 6。
设置新策略“LimitedOrFull”(假设它们与声明类型名称匹配)后,创建如下要求:
options.AddPolicy("LimitedOrFull", policy =>
policy.RequireAssertion(context =>
context.User.HasClaim(c =>
(c.Type == "Limited" ||
c.Type == "Full"))));
Net Core 可以选择拥有多个具有相同 AuthorizationRequirement 类型的 AuthorizationHandler。其中只有其中之一必须成功通过授权 https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1#why-would-i-want-multiple-handlers-for-a-requirement
使用动态创建的按需需求的解决方案最适合我:
public interface ILimitedRequirement : IAuthorizationRequirement { }
public interface IFullRequirement : IAuthorizationRequirement { }
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class AuthorizeAnyAttribute : AuthorizeAttribute {
public string[] Policies { get; }
public AuthorizeAnyAttribute(params string[] policies) : base(String.Join("Or", policies))
=> Policies = policies;
}
ILimitedRequirement
和IFullRequirement
创建授权处理程序(请注意,这些处理程序处理接口,而不是类): public class LimitedRequirementHandler : AuthorizationHandler<ILimitedRequirement> {
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ILimitedRequirement requirement) {
if(limited){
context.Succeed(requirement);
}
}
}
public class FullRequirementHandler : AuthorizationHandler<IFullRequirement> {
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, IFullRequirement requirement) {
if(full){
context.Succeed(requirement);
}
}
}
public static class AuthorizationExtensions {
public static bool IsAlreadyDetermined<TRequirement>(this AuthorizationHandlerContext context)
where TRequirement : IAuthorizationRequirement
=> context.HasFailed || context.HasSucceeded
|| !context.PendingRequirements.Any(x => x is TRequirement);
}
public class LimitedRequirementHandler : AuthorizationHandler<ILimitedRequirement> {
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ILimitedRequirement requirement) {
if(context.IsAlreadyDetermined<ILimitedRequirement>())
return;
if(limited){
context.Succeed(requirement);
}
}
}
public class FullRequirementHandler : AuthorizationHandler<IFullRequirement> {
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, IFullRequirement requirement) {
if(context.IsAlreadyDetermined<IFullRequirement>())
return;
if(full){
context.Succeed(requirement);
}
}
}
//Order of handlers is important - it determines their execution order in request pipeline
services.AddScoped<IAuthorizationHandler, LimitedRequirementHandler>();
services.AddScoped<IAuthorizationHandler, FullRequirementHandler>();
AuthorizeAny
属性并使用 ImpromptuInterface(或用于动态创建类型实例的任何其他工具)动态创建它们的需求: using ImpromptuInterface;
List<AuthorizeAnyAttribute> attributes = new List<AuthorizeAnyAttribute>();
foreach(Type type in Assembly.GetExecutingAssembly().GetTypes().Where(type => type.IsAssignableTo(typeof(ControllerBase)))) {
attributes.AddRange(Attribute.GetCustomAttributes(type , typeof(AuthorizeAnyAttribute))
.Cast<AuthorizeAnyAttribute>()
.Where(x => x.Policy != null));
foreach(var methodInfo in type.GetMethods()) {
attributes.AddRange(Attribute.GetCustomAttributes(methodInfo , typeof(AuthorizeAnyAttribute))
.Cast<AuthorizeAnyAttribute>()
.Where(x => x.Policy != null));
}
}
//Add base requirement interface from which all requirements will be created on demand
Dictionary<string, Type> baseRequirementTypes = new();
baseRequirementTypes.Add("Limited", typeof(ILimitedRequirement));
baseRequirementTypes.Add("Full", typeof(IFullRequirement));
Dictionary<string, IAuthorizationRequirement> requirements = new();
foreach(var attribute in attributes) {
if(!requirements.ContainsKey(attribute.Policy)) {
Type[] requirementTypes = new Type[attribute.Policies.Length];
for(int i = 0; i < attribute.Policies.Length; i++) {
if(!baseRequirementTypes.TryGetValue(attribute.Policies[i], out Type requirementType))
throw new ArgumentException($"Requirement for {attribute.Policies[i]} policy doesn't exist");
requirementTypes[i] = requirementType;
}
//Creating instance of combined requirement dynamically
IAuthorizationRequirement newRequirement = new { }.ActLike(requirementTypes);
requirements.Add(attribute.Policy, newRequirement);
}
}
services.AddAuthorization(options => {
foreach(KeyValuePair<string, IAuthorizationRequirement> item in requirements) {
options.AddPolicy(item.Key, x => x.AddRequirements(item.Value));
}
}
如果默认
AuthorizeAttribute
的处理方式与自定义 AuthorizeAnyAttribute
相同,则上述解决方案允许处理与 OR 组合相同的单个需求
如果上述解决方案太过分了,则始终可以使用手动组合类型创建和注册:
public class LimitedOrFullRequirement : ILimitedRequirement, IFullRequirement { }
public class LimitedRequirement : ILimitedRequirement { }
public class FullRequirement : IFullRequirement { }
services.AddAuthorization(options => {
options.AddPolicy("Limited Or Full",
policy => policy.AddRequirements(new LimitedOrFullRequirement()));
//If these policies also have single use, they need to be registered as well
//options.AddPolicy("Limited",
// policy => policy.AddRequirements(new LimitedRequirement()));
//options.AddPolicy("Full",
// policy => policy.AddRequirements(new FullRequirement()));
});
我使用策略和角色:
[Authorize(Policy = "ManagerRights", Roles = "Administrator")]
这是使用自定义授权属性的解决方案,IMO,这是迄今为止最干净的方法。
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MultiPolicyAuthorizeAttribute : Attribute, IAsyncAuthorizationFilter
{
private readonly string[] _policies;
public AmfAuthorizeAttribute(params string[] policies)
{
_policies = policies;
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var authService = context.HttpContext.RequestServices.GetService<IAuthorizationService>();
if (authService == null)
{
context.Result = new ForbidResult();
return;
}
bool isAuthorized = false;
foreach (var policy in _policies)
{
var authorized = await authService.AuthorizeAsync(context.HttpContext.User, policy);
if (authorized.Succeeded)
{
isAuthorized = true;
break;
}
}
if (!isAuthorized)
{
context.Result = new ForbidResult();
}
}
}
请注意,扩展此属性以基于指定的策略或角色执行任意逻辑并不难。