【ASP.NET Core】運行原理(4):受權
本系列將分析ASP.NET Core運行原理html
- 【ASP.NET Core】運行原理(1):建立WebHost
- 【ASP.NET Core】運行原理(2):啓動WebHost
- 【ASP.NET Core】運行原理(3):認證
- 【ASP.NET Core】運行原理(4):受權
在認證階段經過用戶令牌獲取到用戶的Claims,而受權就是對這些Claims的驗證。c#
目錄
- 受權核心
- AuthorizationOptions
- AuthorizationPolicy
- AuthorizationPolicyBuilder
- 執行受權
- AuthorizeFilter
- IPolicyEvaluator
- IAuthorizationService
- 總結
受權核心
services.AddAuthorization(opt => opt.AddPolicy("isAdmin", builder => builder.RequireUserName("admin")));
經過上面的代碼,能夠添加一個isAdmin的受權。async
對於第一個參數opt:ide
public class AuthorizationOptions
{
private IDictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>();
public void AddPolicy(string name, AuthorizationPolicy policy)
{
PolicyMap[name] = policy;
}
public void AddPolicy(string name, Action<AuthorizationPolicyBuilder> configurePolicy)
{
var policyBuilder = new AuthorizationPolicyBuilder();
configurePolicy(policyBuilder);
AddPolicy(name,policyBuilder.Build());
}
public AuthorizationPolicy GetPolicy(string name)
{
return PolicyMap.ContainsKey(name) ? PolicyMap[name] : null;
}
}
實際上,AuthorizationOptions至關於AuthorizationPolicy的集合
而AuthorizationPolicy則是一個具體的受權策略對象優化
public class AuthorizationPolicy
{
public IReadOnlyList<IAuthorizationRequirement> Requirements { get; }
public IReadOnlyList<string> AuthenticationSchemes { get; }
}
而AuthorizationPolicyBuilder經過Build方法能夠構建一個AuthorizationPolicy,其內部有不少經常使用的添加IAuthorizationRequirement的方法:ui
public AuthorizationPolicy Build()
{
return new AuthorizationPolicy(this.Requirements, this.AuthenticationSchemes);
}
public AuthorizationPolicyBuilder RequireUserName(string userName)
{
this.Requirements.Add(new NameAuthorizationRequirement(userName));
}
... Require() ...
IAuthorizationRequirement是受權策略AuthorizationPolicy的一個受權條件,策略下的全部受權條件知足,則受權成功。this
public interface IAuthorizationRequirement
{
}
public class NameAuthorizationRequirement : IAuthorizationRequirement
{
public string RequiredName { get; }
}
IAuthorizationHandler是受權條件IAuthorizationRequirement的具體處理器,受權條件下的任意1個處理器受權成功,則受權成功。(默認狀況下:AuthorizationOptions的InvokeHandlersAfterFailure = true)lua
public interface IAuthorizationHandler
{
Task HandleAsync(AuthorizationHandlerContext context);
}
public abstract class AuthorizationHandler<TRequirement> : IAuthorizationHandler where TRequirement : IAuthorizationRequirement
{
public virtual async Task HandleAsync(AuthorizationHandlerContext context)
{
foreach (TRequirement requirement in context.Requirements)
await HandleRequirementAsync(context, requirement);
}
protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement);
}
public class NameAuthorizationRequirement : AuthorizationHandler<NameAuthorizationRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, NameAuthorizationRequirement requirement)
{
if (context.User?.Identities.Any(identity => identity.Name == requirement.RequiredName))
context.Succeed((IAuthorizationRequirement) requirement);
return Task.CompletedTask;
}
}
受權的最終實現代碼在IAuthorizationHandlercode
執行受權
解釋了受權策略的原理,再談談受權策略的觸發。一般咱們在MVC中使用受權功能,而觸發受權也是在註冊MVC代碼中,一併註冊了。htm
public static IMvcBuilder AddMvc(this IServiceCollection services)
{
IMvcCoreBuilder builder = services.AddMvcCore();
builder.AddAuthorization();
}
internal static void AddAuthorizationServices(IServiceCollection services)
{
services.AddAuthenticationCore();
services.AddAuthorization();
services.AddAuthorizationPolicyEvaluator();
services.TryAddEnumerable(ServiceDescriptor.Transient<IApplicationModelProvider, AuthorizationApplicationModelProvider>());
}
在MVC中,ApplicationModel用來描述MVC中的模型,而IApplicationModelProvider則是初始化MVC的模型:
public class ApplicationModel
{
public IList<ControllerModel> Controllers { get; }
public IList<IFilterMetadata> Filters { get; }
}
public interface IApplicationModelProvider
{
int Order { get; }
void OnProvidersExecuting(ApplicationModelProviderContext context);
void OnProvidersExecuted(ApplicationModelProviderContext context);
}
其中AuthorizationApplicationModelProvider會初始化ApplicationModel的受權部分,註冊到Filters屬性上(AuthorizeFilter 和 AllowAnonymousFilter)。
public interface IAsyncAuthorizationFilter : IFilterMetadata
{
Task OnAuthorizationAsync(AuthorizationFilterContext context);
}
public class AuthorizeFilter : IAsyncAuthorizationFilter
{
public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var policyEvaluator = GetRequiredService<IPolicyEvaluator>();
var authenticationResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);
var authorizationResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticationResult, context.HttpContext, context);
if (authorizationResult.Challenged)
{
context.Result = (IActionResult) new ChallengeResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>());
}
else if (authorizationResult.Forbidden)
{
context.Result = (IActionResult) new ForbidResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>());
}
}
}
AuthorizeFilter的OnAuthorizationAsync方法會在Action執行前觸發,內部調用IPolicyEvaluator執行
public interface IPolicyEvaluator
{
Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context);
Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource);
}
public class PolicyEvaluator : IPolicyEvaluator
{
private readonly IAuthorizationService _authorization;
public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
{
}
public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
{
var result = await _authorization.AuthorizeAsync(context.User, resource, policy);
if (result.Succeeded) return PolicyAuthorizationResult.Success();
return (authenticationResult.Succeeded) ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge();
}
}
在AuthenticateAsync方法中,將合併policy的全部scheme認證結果。
在AuthorizeAsync方法中,將調用IAuthorizationService來實現受權。
public interface IAuthorizationService
{
Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements);
Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName);
}
public class DefaultAuthorizationService : IAuthorizationService
{
public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName)
{
var policy = await _policyProvider.GetPolicyAsync(policyName);
return await this.AuthorizeAsync(user, resource, policy);
}
public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements)
{
var authContext = _contextFactory.CreateContext(requirements, user, resource);
var handlers = await _handlers.GetHandlersAsync(authContext);
foreach (var handler in handlers)
{
await handler.HandleAsync(authContext);
if (!_options.InvokeHandlersAfterFailure && authContext.HasFailed)
break;
}
return _evaluator.Evaluate(authContext);
}
}
在IAuthorizationService類中,將調用policy的全部Requirement的Handle處理
總結
受權核心:AuthorizationOptions、AuthorizationPolicy、AuthorizationPolicyBuilder
AuthorizationOptions 用於保存 AuthorizationPolicy
AuthorizationPolicyBuilder 用於建立 AuthorizationPolicy
AuthorizationPolicy 包含 IAuthorizationRequirement 和 AuthenticationSchemes
IAuthorizationRequirement 包含受權邏輯 IAuthorizationHandler
執行受權:AuthorizeFilter、IPolicyEvaluator、IAuthorizationService
AuthorizeFilter的OnAuthorizationAsync方法會在Action執行前觸發,內部調用IPolicyEvaluator執行
IPolicyEvaluator 先根據 Schemes 獲取Claims,而後調用 IAuthorizationService 的受權方法
IAuthorizationService 調用 Requirement 對應的Handle受權邏輯
我的以爲源碼的一個待優化的地方:在DefaultAuthorizationHandlerProvider的GetHandlersAsync方法按需返回IAuthorizationHandler更合適。
相關文章
- 1. ASP.NET Core Identity 實戰(4)受權過程
- 2. ASP.NET Core策略受權和 ABP 受權
- 3. ASP.NET Core 運行原理剖析
- 4. 【ASP.NET Core】運行原理(2):啓動WebHost
- 5. 【ASP.NET Core】運行原理(3):認證
- 6. 【ASP.NET Core】運行原理(1):建立WebHost
- 7. asp.net core策略受權
- 8. Asp.Net Core 中IdentityServer4 受權原理及刷新Token的應用
- 9. asp.net 運行原理
- 10. 【原創】 Docker 中 運行 ASP.NET Core 站點
- 更多相關文章...
- • Eclipse 運行程序 - Eclipse 教程
- • MyBatis的工作原理 - MyBatis教程
- • ☆技術問答集錦(13)Java Instrument原理
- • Java Agent入門實戰(三)-JVM Attach原理與使用
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
- 1. 在windows下的虛擬機中,安裝華爲電腦的deepin操作系統
- 2. 強烈推薦款下載不限速解析神器
- 3. 【區塊鏈技術】孫宇晨:區塊鏈技術帶來金融服務的信任變革
- 4. 搜索引起的鏈接分析-計算網頁的重要性
- 5. TiDB x 微衆銀行 | 耗時降低 58%,分佈式架構助力實現普惠金融
- 6. 《數字孿生體技術白皮書》重磅發佈(附完整版下載)
- 7. 雙十一「避坑」指南:區塊鏈電子合同爲電商交易保駕護航!
- 8. 區塊鏈產業,怎樣「鏈」住未來?
- 9. OpenglRipper使用教程
- 10. springcloud請求一次好用一次不好用zuul Name or service not known
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. ASP.NET Core Identity 實戰(4)受權過程
- 2. ASP.NET Core策略受權和 ABP 受權
- 3. ASP.NET Core 運行原理剖析
- 4. 【ASP.NET Core】運行原理(2):啓動WebHost
- 5. 【ASP.NET Core】運行原理(3):認證
- 6. 【ASP.NET Core】運行原理(1):建立WebHost
- 7. asp.net core策略受權
- 8. Asp.Net Core 中IdentityServer4 受權原理及刷新Token的應用
- 9. asp.net 運行原理
- 10. 【原創】 Docker 中 運行 ASP.NET Core 站點