之前我是通过在startup.cs中输入以下内容来实现AD组授权的:
services.AddSingleton<IAuthorizationHandler, CheckAdGroupHandler>();
services.AddAuthorization(options =>
{
options.AddPolicy("my_policy", policy =>
{
policy.Requirements.Add(new CheckAdGroupRequirement("some ad group,another ad group"));
policy.AuthenticationSchemes = new List<string>()
{
IISDefaults.AuthenticationScheme
};
});
});
CheckAdGroupHandler 所在位置:
public class CheckAdGroupHandler: AuthorizationHandler<CheckAdGroupRequirement>
{
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
CheckAdGroupRequirement requirement)
{
List<string> usersGroups = new List<string>();
WindowsIdentity windowsIdentity = (WindowsIdentity) context.User.Identity;
using (var ctx = new PrincipalContext(ContextType.Domain))
using (var user = UserPrincipal.FindByIdentity(ctx, windowsIdentity.Name))
{
if (user != null)
{
foreach (Principal principal in user.GetGroups())
{
string adGroup = principal.SamAccountName;
usersGroups.Add(adGroup);
}
}
}
foreach (var groupName in requirement.GroupNames)
{
if (usersGroups.Contains(groupName))
{
context.Succeed(requirement);
}
}
await Task.CompletedTask;
}
}
并检查广告组要求:
public class CheckAdGroupRequirement:IAuthorizationRequirement
{
public List<string> GroupNames { get; set; }
public CheckAdGroupRequirement(string groupNames)
{
GroupNames = groupNames.Split(',').ToList();
}
}
然后这样装饰index.cshtml.cs:
[Authorize(Policy = "my_policy")]
public class IndexModel : PageModel
{
我尝试在 .NET 8.0 中使用此逻辑,即在 Program.cs 中使用上述代码,例如
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddRazorPages();
builder.Services.AddSingleton<IAuthorizationHandler, CheckAdGroupHandler>();
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("my_policy", policy =>
{
policy.Requirements.Add(new CheckAdGroupRequirement("some ad group,another ad group"));
policy.AuthenticationSchemes = new List<string>()
{
IISDefaults.AuthenticationScheme
};
});
});
但无论我尝试什么,我都会在调试中遇到以下错误:
InvalidOperationException: No authentication handlers are registered. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Windows",...)?
我尝试过添加各种版本:
builder.Services.AddAuthentication(IISDefaults.AuthenticationScheme);
但无济于事。谁能给我指点一下吗?
在代码中设置“windowsAuthentication”:true或启用iis windows身份验证并禁用其他身份验证。
确保您已设置 program.cs 文件来处理身份验证:
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddSingleton<IAuthorizationHandler, CheckAdGroupHandler>();
builder.Services.AddAuthentication(IISDefaults.AuthenticationScheme);
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("my_policy", policy =>
{
policy.Requirements.Add(new CheckAdGroupRequirement("some ad group,another ad group"));
policy.AuthenticationSchemes = new List<string> { IISDefaults.AuthenticationScheme };
});
});
var app = builder.Build();
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();
app.Run();