基于资源的ASP.NET授权FormsAuthentication和WebApi [英] Resource based ASP.NET Authorization FormsAuthentication and WebApi
问题描述
使用带有表单身份验证的webapi(我知道这听起来很奇怪,但这正是我所需要的).
我有一条路线:
[Route("{application}/orders}"]公共IHttpActionResult Get(字符串应用程序){var order = OrderService.GetOrders(application);//返回申请订单清单.返回Ok(订单);} 示例场景:John用户有权查看应用程序"CoolApp"的订单Leia用户有权查看应用程序"Robin"的订单用户Tristan没有查看订单的权限.
在数据库上就像角色-资源关系.UserRole:
用户-角色-应用=====================================约翰-OrdersManager-CoolAppLeia-OrdersManager-罗宾特里斯坦-其他角色-罗宾 我希望该路线检查用户是否有权获取该特定应用程序的订单.
我读了这篇文章: .net中基于资源的授权,并且看起来很有希望./p>
第一件事是我不确定是否应该使用 AuthorizeAttribute , AuthorizationFilterAttribute 或 IAuthorizationFilter 进行扩展,如此处 http://www.asp.net/不幸的是,web-api/overview/security/authentication-and-authorization-in-aspnet-web-api 的信息并不多.
第二,我读到绑定是在授权之后发生的,所以我不知道如何从 RouteData 中获取值,因为我在路由数据上定义了{application},我想我应该能够访问它.关于MVC的例子很少,但是无法为Web api获取一个例子,并且在整个actionContext对象上都没有诸如请求和上下文之类的对象,我不确定从何处以及以正确的方式获取它.
最后但并非最不重要的一点是,我应该覆盖所选扩展点的哪种方法.如果它同时具有异步和同步功能,我应该同时覆盖两者吗?
奖励:由于授权将依赖于我的存储库,因此,即使有可能,知道如何将其注入过滤器也将是一件很棒的事情.(我没有使用任何IoC容器.)
覆盖AuthorizationFilterAttribute可能是更好的方法.您要做的就是传递您要检查的属性:
公共类MyAuthorizeAttribute:AuthorizeAttribute{弦乐角色字符串申请公共MyAuthorizeAttribute(字符串角色,字符串应用程序){这.角色=角色;this.application =应用程序;}受保护的覆盖布尔值IsAuthorized(HttpActionContext actionContext){var routeData = actionContext.ControllerContext.RouteData;//进行检查}} 您可以在IsAuthorized方法中从HttpActionContext访问routedata.现在,您可以将属性附加到ApiController或Action Method.
我建议您使用IoC容器是否要通过Web API ActionFilter进行DI
Using webapi with formsauthentication (i know may sound weird, but it exactly what I need).
I have a route like :
[Route("{application}/orders}"]
public IHttpActionResult Get(string application) {
var orders = OrderService.GetOrders(application); // return list of orders of applicaiton.
return Ok(orders);
}
Example scenario : User John has permission to see orders for application "CoolApp" User Leia has permission to see orders for application "Robin" user Tristan doesn't have permission to see orders.
On the DB is like a Role - Resource relationship. UserRole:
User - Role - Application
=====================================
John - OrdersManager - CoolApp
Leia - OrdersManager - Robin
Tristan - OtherRole - Robin
I want that route to check if the user has permission to get orders of that specific application.
I read this: Resource based authorization in .net and looks promising.
First thing is I'm not sure if I should extend using AuthorizeAttribute, AuthorizationFilterAttribute or IAuthorizationFilter as briefly explained here http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api unfortunately, is not of much information.
Second I read that binding happens AFTER the authorization so I don't know how to get the values from the RouteData since I have the {application} defined on the route data I guess I should be able to access it. There are few examples for MVC, but was not able to get one for web api and with object like request and context all over the actionContext object I'm not sure where to get it and how in a proper way.
And last but not least, what method of the chosen extension point(s) should I override. If it have both async and sync, should I override both ?
BONUS: Since the authorize will have a dependency on my repository, would be great to know how to inject that into the filter if that's even possible. (I'm not using any IoC container).
Overriding AuthorizationFilterAttribute would probably be the better route. What you'd want to do is pass the attributes you want to check for:
public class MyAuthorizeAttribute : AuthorizeAttribute
{
string role;
string application
public MyAuthorizeAttribute (string role, string application){
this. role = roles;
this.application = application;
}
protected override bool IsAuthorized(HttpActionContext actionContext) {
var routeData = actionContext.ControllerContext.RouteData;
//do your checks
}
}
you can get access to routedata from the HttpActionContext in the IsAuthorized method. Now you can attach the attribute to your ApiController or Action Method.
I'd suggest using an IoC container is you want to do DI with an Web API ActionFilter
这篇关于基于资源的ASP.NET授权FormsAuthentication和WebApi的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
