我在.net核心Web应用程序中具有安装程序标识,并像这样将某个控制器标记为授权。。
[Authorize(Roles = "Partner")]
public class ClaimsController : Controller
{
[Authorize(Roles = "Partner")]
public IActionResult Index()
{
var authenticated = User.Identity.IsAuthenticated;
//authenticated is false - but this view still loads?!
return View();
}
}
因此,只有合作伙伴角色的用户才有权访问。但是,完全没有登录的用户可以加载并查看Claims控制器上的Index视图。我可以检查是否有人登录并使用用户管理器,但肯定这些属性应该起作用?
核心3的startup.cs中是否还需要其他东西?这是我的startup.cs文件。.
public class Startup
{
private readonly IConfiguration _config;
public Startup(IConfiguration config)
{
_config = config;
}
// This method gets called by the runtime. Use this method to add services to the container.
// For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
public void ConfigureServices(IServiceCollection services)
{
var connstring = _config.GetConnectionString("HP_RBS_Database");
//we can create our own role and derive from IdentityRole
services.AddIdentity<UserLogin, IdentityRole>(x =>
{
x.User.RequireUniqueEmail = true;
//set password rules in here..
}) //specify where we store identity data
.AddEntityFrameworkStores<HP_RBS_Context>();
services.AddMvc();
services.AddRazorPages();
services.AddControllersWithViews().AddRazorRuntimeCompilation();
services.AddDbContext<HP_RBS_Context>(x =>
{
x.UseSqlServer(connstring);
});
services.AddTransient<HPPartnerPortalSeeder>();
services.AddScoped<IHP_RBS_Repository, HP_RBS_Repository>();
services.AddAuthentication();
services.AddAuthorization();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseStaticFiles();
app.UseAuthentication();
app.UseAuthorization();
app.UseRouting();
app.UseEndpoints(x =>
{
x.MapControllerRoute("Default",
"{controller}/{action}/{id?}",
new { controller = "Home", action = "Index" });
});
}
}
对UseAuthentication
和UseAuthorization
的调用必须置于UseRouting
和UseEndpoints
之间:
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(x =>
{
x.MapControllerRoute("Default",
"{controller}/{action}/{id?}",
new { controller = "Home", action = "Index" });
});
当将这些呼叫置于之前 UseRouting
时,UseAuthorization
呼叫有点无操作。它检查是否已选择一个端点,但是还没有发生。选择过程由接下来运行的UseRouting
调用执行,为时已晚。
[不幸的是,这意味着MVC终结点在运行时就好像授权成功一样,尽管根本没有执行。在当前版本的ASP.NET Core 3.0中,这是一个已知问题,已经为下一补丁版本做好了修复。