基於.NetCore3.1系列 —— 認證受權方案之受權揭祕 (上篇)
1、前言
回顧:認證受權方案之受權初識html
從上一節中,咱們在對受權系統已經有了初步的認識和使用,能夠發現,asp.net core爲咱們提供的受權策略是一個很是強大豐富且靈活的認證受權方案,可以知足大部分的受權場景。git
在ConfigureServices中配置服務:將受權服務添加到容器github
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy("customizePermisson",
policy => policy
.Requirements
.Add(new PermissionRequirement("user")));
});
//此外,還須要在 IAuthorizationHandler 類型的範圍內向 DI 系統註冊新的處理程序:
services.AddScoped<IAuthorizationHandler, PermissionRequirementHandler>();
}
在Configure中註冊管道:運行使用調用方法來配置Http請求管道c#
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
//開啓受權
app.UseAuthorization();
}
經過以上幾行代碼的實現,就能夠進行受權了,這個時候,你能夠會問,這幾行代碼都進行了什麼操做實現受權的?數組
好了,繼續回到上節最後說的在這一節中對受權策略的核心進行一步步的揭祕的。
app
2、開始
引入總體結構框架
2.1 添加受權AddAuthorization
添加受權策略服務使用AddAuthorization方法,以便調用。asp.net
從源碼能夠發現,從core3.0後,由以前在core2.0中的AuthorizationServiceCollectionExtensions.cs文件中,原來的AddAuthorization的方法變爲了AddAuthorizationCore方法,微軟在這一塊進行了封裝在PolicyServiceCollectionExtensions.cs文件中,沿用了以前AddAuthorization拓展名稱,不影響以前版本的使用。async
咱們來看看aspnetcore源碼:ide
public static class PolicyServiceCollectionExtensions
{
public static IServiceCollection AddAuthorizationPolicyEvaluator(this IServiceCollection services)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
services.TryAddSingleton<AuthorizationPolicyMarkerService>();
services.TryAddTransient<IPolicyEvaluator, PolicyEvaluator>();
services.TryAddTransient<IAuthorizationMiddlewareResultHandler, AuthorizationMiddlewareResultHandler>();
return services;
}
public static IServiceCollection AddAuthorization(this IServiceCollection services)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
services.AddAuthorizationCore();
services.AddAuthorizationPolicyEvaluator();
return services;
}
public static IServiceCollection AddAuthorization(this IServiceCollection services, Action<AuthorizationOptions> configure)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
services.AddAuthorizationCore(configure);
services.AddAuthorizationPolicyEvaluator();
return services;
}
}
public static class AuthorizationServiceCollectionExtensions
{
public static IServiceCollection AddAuthorizationCore(this IServiceCollection services)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationService, DefaultAuthorizationService>());
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationPolicyProvider, DefaultAuthorizationPolicyProvider>());
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationHandlerProvider, DefaultAuthorizationHandlerProvider>());
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationEvaluator, DefaultAuthorizationEvaluator>()); services.TryAdd(ServiceDescriptor.Transient<IAuthorizationHandlerContextFactory, DefaultAuthorizationHandlerContextFactory>());
services.TryAddEnumerable(ServiceDescriptor.Transient<IAuthorizationHandler, PassThroughAuthorizationHandler>());
return services;
}
public static IServiceCollection AddAuthorizationCore(this IServiceCollection services, Action<AuthorizationOptions> configure)
{
if (services == null)
{
throw new ArgumentNullException(nameof(services));
}
services.Configure(configure);
return services.AddAuthorizationCore();
}
}
由上可知,在調用AddAuthorization方法進行受權配置的時候,須要使用到AuthorizationOptions委託方式傳參。
因此咱們再來看看下面這一行代碼,經過AddPolicy實現添加策略方式。
options.AddPolicy("customizePermisson",policy => policy.Requirements.Add(new PermissionRequirement("user")));
查看源碼發現是引用了AuthorizationOptions對象。
2.2 配置選項AuthorizationOptions
受權選項實現添加和受權配置,提供受權服務的配置。
源碼以下:
public class AuthorizationOptions
{
private Dictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>(StringComparer.OrdinalIgnoreCase);
public bool InvokeHandlersAfterFailure { get; set; } = true;
public AuthorizationPolicy DefaultPolicy { get; set; } = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
public AuthorizationPolicy? FallbackPolicy { get; set; }
public void AddPolicy(string name, AuthorizationPolicy policy)
{
if (name == null)
{
throw new ArgumentNullException(nameof(name));
}
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
PolicyMap[name] = policy;
}
public void AddPolicy(string name, Action<AuthorizationPolicyBuilder> configurePolicy)
{
if (name == null)
{
throw new ArgumentNullException(nameof(name));
}
if (configurePolicy == null)
{
throw new ArgumentNullException(nameof(configurePolicy));
}
var policyBuilder = new AuthorizationPolicyBuilder();
configurePolicy(policyBuilder);
PolicyMap[name] = policyBuilder.Build();
}
public AuthorizationPolicy GetPolicy(string name)
{
if (name == null)
{
throw new ArgumentNullException(nameof(name));
}
if (PolicyMap.TryGetValue(name, out var value))
{
return value;
}
return null;
}
}
定義一個字典
private Dictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>(StringComparer.OrdinalIgnoreCase);
目的在於將定義的受權策略方式都保存在這個聲明的PolicyMap當中,而其中AddPolicy方法是將配置的策略添加到字典中。
public void AddPolicy(string name, AuthorizationPolicy policy);
public void AddPolicy(string name, Action<AuthorizationPolicyBuilder> configurePolicy);
而這方法中涉及到兩種不一樣的傳參對象AuthorizationPolicy和AuthorizationPolicyBuilder。
2.3 受權策略 AuthorizationPolicy
表示受權要求和方案的集合。具體源碼以下:
public class AuthorizationPolicy
{
public AuthorizationPolicy(IEnumerable<IAuthorizationRequirement> requirements, IEnumerable<string> authenticationSchemes)
{
if (requirements == null)
{
throw new ArgumentNullException(nameof(requirements));
}
if (authenticationSchemes == null)
{
throw new ArgumentNullException(nameof(authenticationSchemes));
}
if (requirements.Count() == 0)
{
throw new InvalidOperationException(Resources.Exception_AuthorizationPolicyEmpty);
}
Requirements = new List<IAuthorizationRequirement>(requirements).AsReadOnly();
AuthenticationSchemes = new List<string>(authenticationSchemes).AsReadOnly();
}
public IReadOnlyList<IAuthorizationRequirement> Requirements { get; }
public IReadOnlyList<string> AuthenticationSchemes { get; }
public static AuthorizationPolicy Combine(params AuthorizationPolicy[] policies)
{
if (policies == null)
{
throw new ArgumentNullException(nameof(policies));
}
return Combine((IEnumerable<AuthorizationPolicy>)policies);
}
public static AuthorizationPolicy Combine(IEnumerable<AuthorizationPolicy> policies)
{
if (policies == null)
{
throw new ArgumentNullException(nameof(policies));
}
var builder = new AuthorizationPolicyBuilder();
foreach (var policy in policies)
{
builder.Combine(policy);
}
return builder.Build();
}
public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException(nameof(policyProvider));
}
if (authorizeData == null)
{
throw new ArgumentNullException(nameof(authorizeData));
}
// Avoid allocating enumerator if the data is known to be empty
var skipEnumeratingData = false;
if (authorizeData is IList<IAuthorizeData> dataList)
{
skipEnumeratingData = dataList.Count == 0;
}
AuthorizationPolicyBuilder policyBuilder = null;
if (!skipEnumeratingData)
{
foreach (var authorizeDatum in authorizeData)
{
if (policyBuilder == null)
{
policyBuilder = new AuthorizationPolicyBuilder();
}
var useDefaultPolicy = true;
if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
{
var policy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
if (policy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy));
}
policyBuilder.Combine(policy);
useDefaultPolicy = false;
}
var rolesSplit = authorizeDatum.Roles?.Split(',');
if (rolesSplit != null && rolesSplit.Any())
{
var trimmedRolesSplit = rolesSplit.Where(r => !string.IsNullOrWhiteSpace(r)).Select(r => r.Trim());
policyBuilder.RequireRole(trimmedRolesSplit);
useDefaultPolicy = false;
}
var authTypesSplit = authorizeDatum.AuthenticationSchemes?.Split(',');
if (authTypesSplit != null && authTypesSplit.Any())
{
foreach (var authType in authTypesSplit)
{
if (!string.IsNullOrWhiteSpace(authType))
{
policyBuilder.AuthenticationSchemes.Add(authType.Trim());
}
}
}
if (useDefaultPolicy)
{
policyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
}
// If we have no policy by now, use the fallback policy if we have one
if (policyBuilder == null)
{
var fallbackPolicy = await policyProvider.GetFallbackPolicyAsync();
if (fallbackPolicy != null)
{
return fallbackPolicy;
}
}
return policyBuilder?.Build();
}
}
咱們從源碼中能夠發現,Authorization 對象 Combine方法目的在於將受權策略進行合併,同時調用了AuthorizationPolicyBuilder對象中Combine方法,對受權方案或者受權策略進行合併。再來看看AuthorizationPolicy對象中的CombineAsync方法,這裏的參數用到了IAuthorizeData,同時這個方法的過程是將可能基於角色,基於方案或者基於策略都合併轉換爲是受權策略的方式,也是經過調用AuthorizationPolicyBuilder對象來實現合併。 因此能夠看得出AuthorizationPolicyBuilder提供了一些建立AuthorizationPolicy的方法。
這個時候,咱們能夠發現,其實以前說的基於角色、基於方案的受權方式本質上來講都是基於策略受權。
2.4 構建策略AuthorizationPolicyBuilder
除了上面說到使用AuthorizationPolicy對象以外,咱們還能夠用AuthorizationPolicyBuilder對象以Buider來建立AuthorizationPolicy對象,將多個AuthorizationPolicy對象提供的數組進行合併,因此AuthorizationPolicyBuilder提供的Combine方法的使用,爲AuthorizationPolicy受權構建提供了許多便捷的方式。
public class AuthorizationPolicyBuilder
{
public AuthorizationPolicyBuilder(params string[] authenticationSchemes)
{
AddAuthenticationSchemes(authenticationSchemes);
}
public AuthorizationPolicyBuilder(AuthorizationPolicy policy)
{
Combine(policy);
}
public IList<IAuthorizationRequirement> Requirements { get; set; } = new List<IAuthorizationRequirement>();
public IList<string> AuthenticationSchemes { get; set; } = new List<string>();
public AuthorizationPolicyBuilder AddAuthenticationSchemes(params string[] schemes)
{
foreach (var authType in schemes)
{
AuthenticationSchemes.Add(authType);
}
return this;
}
public AuthorizationPolicyBuilder AddRequirements(params IAuthorizationRequirement[] requirements)
{
foreach (var req in requirements)
{
Requirements.Add(req);
}
return this;
}
public AuthorizationPolicyBuilder Combine(AuthorizationPolicy policy)
{
if (policy == null)
{
throw new ArgumentNullException(nameof(policy));
}
AddAuthenticationSchemes(policy.AuthenticationSchemes.ToArray());
AddRequirements(policy.Requirements.ToArray());
return this;
}
public AuthorizationPolicyBuilder RequireClaim(string claimType, params string[] allowedValues)
{
if (claimType == null)
{
throw new ArgumentNullException(nameof(claimType));
}
return RequireClaim(claimType, (IEnumerable<string>)allowedValues);
}
public AuthorizationPolicyBuilder RequireClaim(string claimType, IEnumerable<string> allowedValues)
{
if (claimType == null)
{
throw new ArgumentNullException(nameof(claimType));
}
Requirements.Add(new ClaimsAuthorizationRequirement(claimType, allowedValues));
return this;
}
public AuthorizationPolicyBuilder RequireClaim(string claimType)
{
if (claimType == null)
{
throw new ArgumentNullException(nameof(claimType));
}
Requirements.Add(new ClaimsAuthorizationRequirement(claimType, allowedValues: null));
return this;
}
public AuthorizationPolicyBuilder RequireRole(params string[] roles)
{
if (roles == null)
{
throw new ArgumentNullException(nameof(roles));
}
return RequireRole((IEnumerable<string>)roles);
}
public AuthorizationPolicyBuilder RequireRole(IEnumerable<string> roles)
{
if (roles == null)
{
throw new ArgumentNullException(nameof(roles));
}
Requirements.Add(new RolesAuthorizationRequirement(roles));
return this;
}
public AuthorizationPolicyBuilder RequireUserName(string userName)
{
if (userName == null)
{
throw new ArgumentNullException(nameof(userName));
}
Requirements.Add(new NameAuthorizationRequirement(userName));
return this;
}
public AuthorizationPolicyBuilder RequireAuthenticatedUser()
{
Requirements.Add(new DenyAnonymousAuthorizationRequirement());
return this;
}
public AuthorizationPolicyBuilder RequireAssertion(Func<AuthorizationHandlerContext, bool> handler)
{
if (handler == null)
{
throw new ArgumentNullException(nameof(handler));
}
Requirements.Add(new AssertionRequirement(handler));
return this;
}
public AuthorizationPolicyBuilder RequireAssertion(Func<AuthorizationHandlerContext, Task<bool>> handler)
{
if (handler == null)
{
throw new ArgumentNullException(nameof(handler));
}
Requirements.Add(new AssertionRequirement(handler));
return this;
}
public AuthorizationPolicy Build()
{
return new AuthorizationPolicy(Requirements, AuthenticationSchemes.Distinct());
}
}
由上面多出出現的IAuthorizationRequirement對象能夠發現,受權要求Requirement屬性是策略的核心方案,每一種Requirement都表明一種受權方式。同時IAuthorizationPolicyBuilder爲這些預約義的方案建立了它們對應的使用方式並將其添加到Requirements集合中。
2.5 受權要求IAuthorizationRequirement
public interface IAuthorizationRequirement
{
}
接口並無任何實現成員,由於受權要求是具備不一樣的表現形式的,全部纔沒有具體的實現成員。受權要求目的在於檢驗某個當前用戶是否具備相應的要求, 因此大部分IAuthorizationRequirement接口的實現類都繼承了IAuthorizationHandler 接口來提供HandleAsync方法來實現對應的受權檢驗。
下面介紹asp.net core框架裏面默認實現的幾種IAuthorizationRequirement實現類型。
2.5.1 DenyAnonymousAuthorizationRequirement
阻止匿名用戶操做,言外之意就是拒絕未被驗證的匿名用戶訪問資源。
源碼以下:
public class DenyAnonymousAuthorizationRequirement : AuthorizationHandler<DenyAnonymousAuthorizationRequirement>, IAuthorizationRequirement
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DenyAnonymousAuthorizationRequirement requirement)
{
var user = context.User;
var userIsAnonymous =
user?.Identity == null ||
!user.Identities.Any(i => i.IsAuthenticated);
if (!userIsAnonymous)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
經過用戶的CliamPrincipal對象身份是否爲空或是不是一個通過認證的用戶身份,以此來肯定當前請求的用戶是否來源於匿名用戶。
2.5.2 NameAuthorizationRequirement
指定用戶名的受權方式,判斷當前用戶與某個指定的用戶是否匹配以此來受權訪問資源。
源碼以下:
public class NameAuthorizationRequirement : AuthorizationHandler<NameAuthorizationRequirement>, IAuthorizationRequirement
{
public NameAuthorizationRequirement(string requiredName)
{
if (requiredName == null)
{
throw new ArgumentNullException(nameof(requiredName));
}
RequiredName = requiredName;
}
public string RequiredName { get; }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, NameAuthorizationRequirement requirement)
{
if (context.User != null)
{
if (context.User.Identities.Any(i => string.Equals(i.Name, requirement.RequiredName)))
{
context.Succeed(requirement);
}
}
return Task.CompletedTask;
}
}
其中RequiredName屬性爲受權用戶,經過HandleRequirementAsync方法進行校驗當前用戶的ClaimPrincipal對象的身份與RequiredName是否具備匹配。
這裏的判斷用的是 string.Equals() 說明這裏比較的用戶名是區別大小寫的。
2.5.3 ClaimsAuthorizationRequirement
基於指定聲明類型的受權策略,檢驗當前用戶是否聲明類型和候選值。
源碼以下:
public class ClaimsAuthorizationRequirement : AuthorizationHandler<ClaimsAuthorizationRequirement>, IAuthorizationRequirement
{
public ClaimsAuthorizationRequirement(string claimType, IEnumerable<string> allowedValues)
{
if (claimType == null)
{
throw new ArgumentNullException(nameof(claimType));
}
ClaimType = claimType;
AllowedValues = allowedValues;
}
public string ClaimType { get; }
public IEnumerable<string> AllowedValues { get; }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ClaimsAuthorizationRequirement requirement)
{
if (context.User != null)
{
var found = false;
if (requirement.AllowedValues == null || !requirement.AllowedValues.Any())
{
found = context.User.Claims.Any(c => string.Equals(c.Type, requirement.ClaimType, StringComparison.OrdinalIgnoreCase));
}
else
{
found = context.User.Claims.Any(c => string.Equals(c.Type, requirement.ClaimType, StringComparison.OrdinalIgnoreCase)
&& requirement.AllowedValues.Contains(c.Value, StringComparer.Ordinal));
}
if (found)
{
context.Succeed(requirement);
}
}
return Task.CompletedTask;
}
}
由上咱們能夠看的出,ClaimType和AllowedValues這兩個屬性在構造函數中被初始化,分別用來表示當前聲明的聲明類型和默認容許值。經過HandleRequirementAsync來受權檢驗是否完成經過。
2.5.4 RolesAuthorizationRequirement
基於角色的受權策略,檢驗當前用戶是否擁有約定匹配的角色,若是擁有,則能夠訪問對應的資源。
源碼以下:
public class RolesAuthorizationRequirement : AuthorizationHandler<RolesAuthorizationRequirement>, IAuthorizationRequirement
{
public RolesAuthorizationRequirement(IEnumerable<string> allowedRoles)
{
if (allowedRoles == null)
{
throw new ArgumentNullException(nameof(allowedRoles));
}
if (allowedRoles.Count() == 0)
{
throw new InvalidOperationException(Resources.Exception_RoleRequirementEmpty);
}
AllowedRoles = allowedRoles;
}
public IEnumerable<string> AllowedRoles { get; }
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RolesAuthorizationRequirement requirement)
{
if (context.User != null)
{
bool found = false;
if (requirement.AllowedRoles == null || !requirement.AllowedRoles.Any())
{
// Review: What do we want to do here? No roles requested is auto success?
}
else
{
found = requirement.AllowedRoles.Any(r => context.User.IsInRole(r));
}
if (found)
{
context.Succeed(requirement);
}
}
return Task.CompletedTask;
}
}
其中AllowedRoles表示目標角色列表的集合。經過HandleRequirementAsync實現受權檢驗,調用IsInRole方法來判斷當前用戶的ClaimsPrincipal對象是否有指定的角色。
2.5.5 AssertionRequirement
基於AuthorizationHandlerContext上下文斷言的形式來聲明受權。
源碼以下:
public class AssertionRequirement : IAuthorizationHandler, IAuthorizationRequirement
{
public Func<AuthorizationHandlerContext, Task<bool>> Handler { get; }
public AssertionRequirement(Func<AuthorizationHandlerContext, bool> handler)
{
if (handler == null)
{
throw new ArgumentNullException(nameof(handler));
}
Handler = context => Task.FromResult(handler(context));
}
public AssertionRequirement(Func<AuthorizationHandlerContext, Task<bool>> handler)
{
if (handler == null)
{
throw new ArgumentNullException(nameof(handler));
}
Handler = handler;
}
public async Task HandleAsync(AuthorizationHandlerContext context)
{
if (await Handler(context))
{
context.Succeed(this);
}
}
}
經過類型爲Func<AuthorizationHandlerContext, Task<bool>>的委託來表示該斷言,利用它來受權驗證。在HandleAsync檢驗方法中,直接調用這個委託對象來完成判斷。
2.5.6 OperationAuthorizationRequirement
基於預約義操做的受權策略。
源碼以下:
public class OperationAuthorizationRequirement : IAuthorizationRequirement
{
public string Name { get; set; }
}
由上可知,只是包含一個操做名字的Name屬性,目的在於將受權的目標對象映射到一個預約義的操做上。
3、用例
出現的IAuthorizationRequirement對象能夠發現,受權要求Requirement屬性是策略的核心方案,每一中Requirement都表明一種受權方式。
在上文咱們經過構建策略AuthorizationPolicyBuilder對象的源碼能夠發現,爲咱們提供了多個方法由預約義的IAuthorizationRequirement類型來建立並將其添加到Requirements集合中。
3.1 應用
實例應用以下:在ConfigureServices中配置服務中
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
var combindPolicy = new AuthorizationPolicyBuilder().RequireClaim("role").Build();
services.AddAuthorization(options =>
{
//DenyAnonymousAuthorizationRequirement
options.AddPolicy("DenyAnonyUser", policy => policy.RequireAuthenticatedUser());
//NameAuthorizationRequirement
options.AddPolicy("NameAuth", policy => policy.RequireUserName("艾三元"));
//ClaimsAuthorizationRequirement
options.AddPolicy("ClaimsAuth", policy => policy.RequireClaim("role","admin"));
//RolesAuthorizationRequirement
options.AddPolicy("RolesAuth", policy => policy.RequireRole("admin","user"));
//AssertionRequirement
options.AddPolicy("AssertAuth", policy => policy.RequireAssertion(c=>c.User.HasClaim(o=>o.Type=="role")));
//一樣可可用直接調用Combind方法,策略AuthorizationPolicy
options.AddPolicy("CombindAuth", policy => policy.Combine(combindPolicy));
});
}
以上,分別實現了框架中默認實現的幾種IAuthorizationRequirement實現類型在實際中的應用,經過不一樣受權要求實現的策略方式,同時也能夠將上面多種方式合併成一個對象,進行調用使用。
3.2 拓展
固然了,除了自帶了這幾種默認實現方式以外,咱們也能夠經過自定義Requirement來知足咱們的需求。
這個在上一節初識受權的時候,已經提到了自定義受權這一塊,因此在這裏再看一次。
定義一個權限策略
PermissionRequirement,這個策略幷包含一些屬性。public class PermissionRequirement: IAuthorizationRequirement { public string _permissionName { get; } public PermissionRequirement(string PermissionName) { _permissionName = PermissionName; } }再定義一個策略處理類
public class PermissionRequirementHandler : AuthorizationHandler<PermissionRequirement> { protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement) { var role = context.User.FindFirst(c => c.Type == ClaimTypes.Role); if (role != null) { var roleValue = role.Value; if (roleValue==requirement._permissionName) { context.Succeed(requirement); } } return Task.CompletedTask;配置使用
public void ConfigureServices(IServiceCollection services) { services.AddControllers(); //基於自定義策略受權 services.AddAuthorization(options => { options.AddPolicy("customizePermisson", policy => policy .Requirements .Add(new PermissionRequirement("admin"))); }); //此外,還須要在 IAuthorizationHandler 類型的範圍內向 DI 系統註冊新的處理程序: services.AddScoped<IAuthorizationHandler, PermissionRequirementHandler>(); // 如前所述,要求可包含多個處理程序。若是爲受權層的同一要求向 DI 系統註冊多個處理程序,有一個成功就足夠了。 }
特別說明
上述使用的處理程序是一對一的關係,當聲明要求知足條件的時候,則任務受權成功, 受權成功後,
context.Succeed將經過知足要求做爲其惟一參數調用。可是受權策略中也包含一對多的要求關係,它們屬於 & 的關係,只用所有驗證經過,才能最終受權成功。可是在有些場景下,咱們可能但願一個受權策略能夠適用多種狀況,好比,咱們進入公司時須要出示員工卡才能夠被受權進入,可是若是咱們忘了帶員工卡,能夠去申請一個臨時卡,一樣能夠受權成功。
這裏貼一個官方文檔的寫法:
public class BuildingEntryRequirement : IAuthorizationRequirement
{
}
public class BadgeEntryHandler : AuthorizationHandler<BuildingEntryRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
BuildingEntryRequirement requirement)
{
if (context.User.HasClaim(c => c.Type == "BadgeId" &&
c.Issuer == "http://microsoftsecurity"))
{
context.Succeed(requirement);
}
//TODO: Use the following if targeting a version of
//.NET Framework older than 4.6:
// return Task.FromResult(0);
return Task.CompletedTask;
}
}
public class TemporaryStickerHandler : AuthorizationHandler<BuildingEntryRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
BuildingEntryRequirement requirement)
{
if (context.User.HasClaim(c => c.Type == "TemporaryBadgeId" &&
c.Issuer == "https://microsoftsecurity"))
{
// We'd also check the expiration date on the sticker.
context.Succeed(requirement);
}
//TODO: Use the following if targeting a version of
//.NET Framework older than 4.6:
// return Task.FromResult(0);
return Task.CompletedTask;
}
}
咱們定義了兩個Handler,可是想讓它們獲得執行,還須要將其註冊到DI系統中:
services.AddSingleton<IAuthorizationHandler, BadgeEntryHandler>(); services.AddSingleton<IAuthorizationHandler, TemporaryStickerHandler>();
確保兩個處理程序都已註冊。 若是某個處理程序在某一策略評估後使用context.succeed()來成功 BuildingEntryRequirement ,則策略評估將成功。可是當咱們調用context.Fail()方法後會將受權結構設置失敗,那樣的話,最後的結果都是會受權失敗的。因此正常狀況下。咱們都是隻設置標記context.succeed()。
4、說明
這裏對上文源碼中出現的一些聲明方法進行說明。
4.1 IAuthorizeData
使用 IAuthorizeDate 接口方法。定義受權規則應用於資源所需的數據集。
public interface IAuthorizeData
{
string Policy { get; set; }
string Roles { get; set; }
string AuthenticationSchemes { get; set; }
}
Policy:獲取或設置肯定對資源的訪問的策略名稱。
Roles: 獲取或設置以逗號分隔的容許訪問資源的角色列表。
AuthenticationSchemes: 獲取或以設置以逗號分隔的方案列表,從中能夠構造用戶信息。
因此IAuthorizeData中定義的policy、roles、AuthenticationSchemes三個分別表明着受權系統中的三種受權方式。
具體的使用在後續講解受權的執行流程中會進行詳細介紹。
5、後續
上面主要講解了受權在配置方面的源碼,原本打算繼續接着往下寫的,可是考慮到總體篇幅可能會太長了,不便於閱讀。
因此受權揭祕的上篇內容就說到這裏了,在後續的文章中,會繼續深刻了解受權內部機制的奧祕以及是如何實現執行受權流程的。
6、總結
相關文章
- 1. 基於.NetCore3.1系列 —— 認證受權方案之受權揭祕 (下篇)
- 2. 基於.NetCore3.1系列 ——認證受權方案之Swagger加鎖
- 3. 認證受權方案之JwtBearer認證
- 4. 認證受權方案之受權初識
- 5. 認證受權:IdentityServer4
- 6. ETCD受權認證
- 7. Mobile在aws的認證受權方案
- 8. 【認證與受權】二、基於session的認證方式
- 9. OAuth2.0認證受權workflow
- 10. Ocelot(四)- 認證與受權
- 更多相關文章...
- • Rust 所有權 - RUST 教程
- • MySQL用戶授權(GRANT) - MySQL教程
- • ☆基於Java Instrument的Agent實現
- • 常用的分佈式事務解決方案
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
