Specifying Windows AuthenticationScheme and Roles Doesn't Work


Problem description

How do I specify that the AuthenticationScheme is Windows and check that the user is a member of an AD Group?

When I specify the AuthenticationScheme, setting the Roles no longer works. Why not? And how do I fix that?

public class SomeController : Controller
{
    //this works
    [Authorize(Roles = @"SOME.DOMAIN\SOME GROUP")]
    public IActionResult SomeAction(){ ... }

    //this works
    [Authorize(AuthenticationSchemes = "Windows")]
    //this doesn't work
    //[Authorize(Roles = @"SOME.DOMAIN\SOME GROUP", AuthenticationSchemes = "Windows")]
    public ActionResult SomeAction2(){ ... }
}

Full example on GitHub

Some background

We have an AD Group called SOME GROUP that the user must be a member of to execute certain actions. In other parts of the web app, we're using cookie auth, so I need to specify the authentication method in this particular controller.

Reference: Authorize with a specific scheme in ASP.NET Core

Recommended answer

Turns out, the WindowsIdentity is preserved in the HttpContext.User object, allowing us to check the group/role membership.

Inline example

using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IIS;

[Authorize(AuthenticationSchemes = IISServerDefaults.AuthenticationScheme)]
public ActionResult SomeAction()
{
    // the principal built for the "Windows" scheme still carries the WindowsIdentity
    var windowsIdentity = HttpContext.User.Identity as WindowsIdentity;
    if (windowsIdentity == null)
        return Forbid(); // not authenticated by the Windows scheme; WindowsPrincipal(null) would throw

    // WindowsPrincipal.IsInRole resolves "DOMAIN\Group" to a SID and checks the user's token
    var windowsUser = new WindowsPrincipal(windowsIdentity);
    var role = "[MY-COMPUTER-NAME || AD GROUP NAME]\\[GROUP NAME]";
    var isInRole = windowsUser.IsInRole(role);

    // todo: if not allowed write code to handle it

    return View();
}

Full source

Policy example

using System;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

//AuthorizationHandler<T>
public class RoleHandler : AuthorizationHandler<RoleRequirement>
{
    private readonly ILogger<RoleHandler> logger;

    public RoleHandler(ILogger<RoleHandler> logger)
    { this.logger = logger; }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RoleRequirement requirement)
    {
        // the policy evaluator rebuilds the principal, but the WindowsIdentity survives inside it
        if (!(context.User.Identity is WindowsIdentity windowsIdentity))
            return Task.CompletedTask; // not Windows-authenticated: the requirement stays unmet

        // WindowsPrincipal.IsInRole resolves the group name to a SID and checks the user's token
        var windowsUser = new WindowsPrincipal(windowsIdentity);
        try
        {
            var hasRole = windowsUser.IsInRole(requirement.GroupName);
            if (hasRole)
                context.Succeed(requirement);
        }
        catch (Exception ex)
        {
            // e.g. IdentityNotMappedException when the group name cannot be resolved; fail closed
            logger.LogError(ex, "Unable to check groups the user belongs to");
        }

        return Task.CompletedTask;
    }
}

//IAuthorizationRequirement
public class RoleRequirement : IAuthorizationRequirement
{
    public RoleRequirement(string groupName)
    { GroupName = groupName; }

    /// <summary>
    /// The Windows / AD Group Name that is allowed to call the OMS API
    /// </summary>
    public string GroupName { get; }
}

//options bound from the "Security" section of the configuration
public class SecurityOptions
{
    public string AllowedGroup { get; set; }
}

//action protected with the policy
[Authorize("Super User Role")]
public IActionResult Contact()
{ return View(); }

//startup.cs
public void ConfigureServices(IServiceCollection services)
{
    //pull group name from the config
    var securityOptions = Configuration.GetSection("Security").Get<SecurityOptions>();

    services.AddAuthentication(IISDefaults.AuthenticationScheme);
    services.AddAuthorization(options =>
    {
        options.AddPolicy("Super User Role", policy =>
        {
            policy.Requirements.Add(new RoleRequirement(securityOptions.AllowedGroup));
            policy.AddAuthenticationSchemes("Windows");
        });
    });
    services.AddSingleton<IAuthorizationHandler, RoleHandler>();
    // ...
}

Full source
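Both the inline example and the policy handler above rely on the same fact: when a scheme is named explicitly, the authorization layer hands the handler a plain ClaimsPrincipal, and ClaimsPrincipal.IsInRole only matches a role claim whose value equals the string you pass, whereas a WindowsIdentity's role claims are group SIDs, so a "DOMAIN\Group" name never matches until it is wrapped in a WindowsPrincipal, which translates the name to a SID first. The following console program is an added example and is not code from the answer or its linked repository. It assumes it runs on Windows (WindowsIdentity is Windows-only) and that the process user is a member of BUILTIN\Users, which it resolves by well-known SID so no group name is hardcoded; the helper IsMemberOfWindowsGroup is a name chosen here, and it is the shape of check that can be shared by the action and the handler, failing closed when there is no Windows identity or the group name cannot be resolved.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Added example, not from the original answer. Windows-only: WindowsIdentity
// and SID translation need a Windows token and the local security authority.
public static class WindowsGroupCheck
{
    // Recover the WindowsIdentity from any ClaimsPrincipal (the identities survive
    // the merge even when the principal type does not) and check membership by SID.
    public static bool IsMemberOfWindowsGroup(ClaimsPrincipal user, string groupName)
    {
        var windowsIdentity = user.Identities.OfType<WindowsIdentity>().FirstOrDefault();
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
            return false; // no Windows identity on this request: deny instead of throwing

        try
        {
            // WindowsPrincipal.IsInRole translates "DOMAIN\Group" to a SecurityIdentifier
            // and compares it against the group SIDs in the user's token.
            return new WindowsPrincipal(windowsIdentity).IsInRole(groupName);
        }
        catch (IdentityNotMappedException)
        {
            return false; // group name cannot be resolved (typo, unreachable domain): deny
        }
    }

    public static void Main()
    {
        var identity = WindowsIdentity.GetCurrent();

        // Resolve the (localized) account name of BUILTIN\Users from its well-known SID
        // rather than hardcoding the English name.
        var usersGroup = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null)
            .Translate(typeof(NTAccount)).Value;

        var windowsPrincipal = new WindowsPrincipal(identity);
        // A plain ClaimsPrincipal over the same identity: this is what the authorization
        // middleware builds when an explicit AuthenticationSchemes value is requested.
        var mergedPrincipal = new ClaimsPrincipal(identity);

        Console.WriteLine($"Group under test:             {usersGroup}");
        Console.WriteLine($"WindowsPrincipal.IsInRole:    {windowsPrincipal.IsInRole(usersGroup)}");
        // ClaimsPrincipal.IsInRole looks for a claim of type identity.RoleClaimType (a group
        // SID claim) whose value equals the group *name*, so it does not match.
        Console.WriteLine($"ClaimsPrincipal.IsInRole:     {mergedPrincipal.IsInRole(usersGroup)}");
        Console.WriteLine($"IsMemberOfWindowsGroup helper: {IsMemberOfWindowsGroup(mergedPrincipal, usersGroup)}");
    }
}
```

Running this as a normal interactive user shows the attribute-style check and the WindowsPrincipal check disagreeing on the same identity and the same group; in the policy handler, calling the helper with context.User instead of casting context.User.Identity also covers the case where the Windows identity is not the primary identity of the merged principal.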
