仅授权控制器允许在.net核心中进行匿名访问

问题描述 投票:1回答:1

我在.net核心Web应用程序中具有安装程序标识,并像这样将某个控制器标记为授权。。

[Authorize(Roles = "Partner")]
public class ClaimsController : Controller
{
    [Authorize(Roles = "Partner")]
    public IActionResult Index()
    {
        var authenticated = User.Identity.IsAuthenticated;
        //authenticated is false - but this view still loads?!
        return View();          
    }
}

因此,只有合作伙伴角色的用户才有权访问。但是,完全没有登录的用户可以加载并查看Claims控制器上的Index视图。我可以检查是否有人登录并使用用户管理器,但肯定这些属性应该起作用?

核心3的startup.cs中是否还需要其他东西?这是我的startup.cs文件。.

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config)
    {
        _config = config;
    }

    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        var connstring = _config.GetConnectionString("HP_RBS_Database");

        //we can create our own role and derive from IdentityRole
        services.AddIdentity<UserLogin, IdentityRole>(x =>
        {
            x.User.RequireUniqueEmail = true;
            //set password rules in here..
        })  //specify where we store identity data
        .AddEntityFrameworkStores<HP_RBS_Context>();

        services.AddMvc();          
        services.AddRazorPages();
        services.AddControllersWithViews().AddRazorRuntimeCompilation();
        services.AddDbContext<HP_RBS_Context>(x =>
            {
                x.UseSqlServer(connstring);
            });

        services.AddTransient<HPPartnerPortalSeeder>();
        services.AddScoped<IHP_RBS_Repository, HP_RBS_Repository>();
        services.AddAuthentication();
        services.AddAuthorization();


    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseRouting();
        app.UseEndpoints(x =>
        {
            x.MapControllerRoute("Default",
                "{controller}/{action}/{id?}",
                new { controller = "Home", action = "Index" });
        });
    }
}
c# asp.net-core .net-core asp.net-core-identity
1个回答
0
投票

UseAuthenticationUseAuthorization的调用必须置于UseRoutingUseEndpoints之间:

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(x =>
{
    x.MapControllerRoute("Default",
        "{controller}/{action}/{id?}",
        new { controller = "Home", action = "Index" });
});

当将这些呼叫置于之前 UseRouting时,UseAuthorization呼叫有点无操作。它检查是否已选择一个端点,但是还没有发生。选择过程由接下来运行的UseRouting调用执行,为时已晚。

[不幸的是,这意味着MVC终结点在运行时就好像授权成功一样,尽管根本没有执行。在当前版本的ASP.NET Core 3.0中,这是一个已知问题,已经为下一补丁版本做好了修复。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.