Authorize only controller allows anonymous access in .net core


Problem description

I have set up Identity in a .NET Core web app, and marked a certain controller as authorize like this:

[Authorize(Roles = "Partner")]
public class ClaimsController : Controller
{
    [Authorize(Roles = "Partner")]
    public IActionResult Index()
    {
        var authenticated = User.Identity.IsAuthenticated;
        //authenticated is false - but this view still loads?!
        return View();          
    }
}

So only users in the Partner role should have access. However, someone not logged in at all can load and view the Index view on the Claims controller. I could check if someone is logged in and check the user's role explicitly with the user manager, but surely these attributes should do something?

Is there something extra I need in startup.cs in Core 3? This is my startup.cs file:

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config)
    {
        _config = config;
    }

    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        var connstring = _config.GetConnectionString("HP_RBS_Database");

        //we can create our own role and derive from IdentityRole
        services.AddIdentity<UserLogin, IdentityRole>(x =>
        {
            x.User.RequireUniqueEmail = true;
            //set password rules in here..
        })  //specify where we store identity data
        .AddEntityFrameworkStores<HP_RBS_Context>();

        services.AddMvc();          
        services.AddRazorPages();
        services.AddControllersWithViews().AddRazorRuntimeCompilation();
        services.AddDbContext<HP_RBS_Context>(x =>
            {
                x.UseSqlServer(connstring);
            });

        services.AddTransient<HPPartnerPortalSeeder>();
        services.AddScoped<IHP_RBS_Repository, HP_RBS_Repository>();
        services.AddAuthentication();
        services.AddAuthorization();


    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseRouting();
        app.UseEndpoints(x =>
        {
            x.MapControllerRoute("Default",
                "{controller}/{action}/{id?}",
                new { controller = "Home", action = "Index" });
        });
    }
}


Recommended answer

The calls to UseAuthentication and UseAuthorization must be placed between UseRouting and UseEndpoints:

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(x =>
{
    x.MapControllerRoute("Default",
        "{controller}/{action}/{id?}",
        new { controller = "Home", action = "Index" });
});

When these calls are placed before UseRouting, the UseAuthorization call is somewhat of a no-op. It checks to see whether an endpoint has been selected, but this hasn't happened yet. The selection process is performed courtesy of the UseRouting call that runs next, which is too late.

Unfortunately, this means that the MVC endpoint runs as though authorisation succeeded, even though it wasn't performed at all. This is a known issue in the 3.0.0 release of ASP.NET Core, which has been fixed in the 3.0.1 release.
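An added example, not part of the question or the answer above: an in-memory integration test that checks the thing the question actually cares about, namely that an anonymous request to a Partner-only action is challenged rather than served. It uses Microsoft.AspNetCore.TestHost and xunit (assumed to be referenced by the test project, together with the Microsoft.AspNetCore.App framework reference), cookie authentication as a stand-in for Identity's cookie scheme, and a hypothetical controller that mirrors the one in the question. The `authBeforeRouting` flag reproduces the ordering the answer warns about, so the same host builder can be used to demonstrate the buggy pipeline on a 3.0.0 install.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

// Hypothetical stand-in for the ClaimsController in the question.
[Authorize(Roles = "Partner")]
public class ClaimsController : Controller
{
    public IActionResult Index() => Content("partner-only");
}

public class MiddlewareOrderTests
{
    // Builds an in-memory host. authBeforeRouting = true reproduces the
    // pipeline from the question (auth middleware placed before UseRouting).
    private static TestServer BuildServer(bool authBeforeRouting)
    {
        var builder = new WebHostBuilder()
            .ConfigureServices(services =>
            {
                // The test assembly is not the entry assembly, so register
                // the controller's assembly explicitly.
                services.AddControllersWithViews()
                    .AddApplicationPart(typeof(ClaimsController).Assembly);
                // Cookie auth stands in for Identity's application cookie:
                // an unauthenticated challenge becomes a 302 to the login path.
                services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                    .AddCookie();
                services.AddAuthorization();
            })
            .Configure(app =>
            {
                if (authBeforeRouting)
                {
                    app.UseAuthentication();
                    app.UseAuthorization();
                    app.UseRouting();
                }
                else
                {
                    // Correct order: routing selects the endpoint first, so
                    // UseAuthorization can see its [Authorize] metadata.
                    app.UseRouting();
                    app.UseAuthentication();
                    app.UseAuthorization();
                }
                app.UseEndpoints(endpoints =>
                {
                    endpoints.MapControllerRoute("Default",
                        "{controller=Home}/{action=Index}/{id?}");
                });
            });
        return new TestServer(builder);
    }

    [Fact]
    public async Task Anonymous_request_is_challenged_when_order_is_correct()
    {
        using var server = BuildServer(authBeforeRouting: false);
        var response = await server.CreateClient().GetAsync("/Claims/Index");

        // The action body must not run for an anonymous caller; cookie auth
        // answers the challenge with a redirect to the login page instead.
        Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
        Assert.NotEqual("partner-only", await response.Content.ReadAsStringAsync());
    }
}
```

Run this against the application's real Startup (replace the hand-built pipeline with `.UseStartup<Startup>()`) to get a regression test that fails if someone reorders the middleware again. On ASP.NET Core 3.0.1 and later, running the `authBeforeRouting: true` variant no longer silently serves the view; the endpoint middleware throws because it finds authorization metadata without an authorization middleware having run, which is the fix the answer refers to.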
