ASP.NET Core 3.1 - Access denied


Problem description

I'm quite new to ASP.NET Core 3.1 Razor Pages and I have a question. Hopefully you can help me further :).

What I want to have is an application with Windows AD security. Description of what I want to do:

  • The customer needs to log in with their AD account.
  • If a valid AD account/password combination is entered, the user is authorized.
  • If the user is in a specific group, the user is allowed to view/adjust specific pages; say, whether they are in the Administrators group of the server running the application.

The problem that I have is the following. In LaunchSettings.json I have placed this code:

  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": false,
    "iisExpress": {
      "applicationUrl": "http://localhost:65385",
      "sslPort": 44356
    }
  }

Then in Startup.cs I have added AddAuthentication.

    public void ConfigureServices(IServiceCollection services)
    {
      services.AddAuthentication(IISDefaults.AuthenticationScheme);
      services.AddRazorPages();
    }

And in the Configure section:

      app.UseAuthentication();
      app.UseAuthorization();

Then finally I created a separate folder, called Admin, in my Pages folder. I want to restrict this folder to only the Administrators group. So I added the Authorize attribute to the Index1Model.

    [Authorize(Roles = "Administrators")]
    public class Index1Model : PageModel
    {
        public void OnGet()
        {
        }
    }

Launching this code locally with IIS Express and clicking the protected page, I do get the following error:

Access denied

I thought it might have to do with impersonation. But when I enable this in IIS then I cannot open the application anymore. The user who is displayed in the upper corner of my program is in the Administrators group and therefore should be allowed to see the page. What am I overlooking? Thanks for helping me out!

Recommended answer

As far as I know, Windows authentication will just check whether the user is authenticated or not. It will not provide any role-based control in the MVC application.

So your Authorize attribute will be useless.

To achieve AD role-based authorization, I suggest you consider using policy-based authorization so that only users from an Active Directory group have access to the page. For details, you could refer to the article.

You could create a custom policy authorization handler to check all of the user's AD groups and see whether they contain your desired group name.

For more details, you could refer to the steps below:

1. Create CheckADGroupRequirement (accepts a parameter)

    using Microsoft.AspNetCore.Authorization;

    public class CheckADGroupRequirement : IAuthorizationRequirement
    {
        public string GroupName { get; private set; }

        public CheckADGroupRequirement(string groupName)
        {
            GroupName = groupName;
        }
    }

2. Create the handler

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Principal;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;

    public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       CheckADGroupRequirement requirement)
        {
            //var isAuthorized = context.User.IsInRole(requirement.GroupName);

            // Only a Windows-authenticated request carries a WindowsIdentity; a hard cast
            // would throw for any other identity, so fail closed instead.
            var wi = context.User.Identity as WindowsIdentity;
            if (wi == null || wi.Groups == null)
            {
                return Task.CompletedTask;
            }

            var groups = new List<string>(); // save all your groups' names (DOMAIN\Group)
            foreach (var group in wi.Groups)
            {
                try
                {
                    groups.Add(group.Translate(typeof(NTAccount)).ToString());
                }
                catch (Exception)
                {
                    // SID could not be translated to an account name (e.g. an orphaned SID); skip it
                }
            }

            // Windows group names are case-insensitive, so compare them that way
            if (groups.Contains(requirement.GroupName, StringComparer.OrdinalIgnoreCase)) // do the check
            {
                context.Succeed(requirement);
            }

            return Task.CompletedTask;
        }
    }

3. Register the handler in ConfigureServices

    services.AddAuthorization(options =>
    {
        options.AddPolicy("ADRoleOnly", policy =>
            policy.Requirements.Add(new CheckADGroupRequirement("DOMAIN\\Domain Admin")));
    });

    services.AddSingleton<IAuthorizationHandler, CheckADGroupHandler>();

4. Controller

    [Authorize(Policy = "ADRoleOnly")]
    public class ADController : Controller

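As an added, complete example (not code from the question or the answer above), here is the four-step pattern assembled into one ASP.NET Core 3.1 Razor Pages Startup, with two changes a practitioner would want: the handler tolerates a non-Windows identity instead of throwing on the cast, and it compares SIDs rather than translated names, so casing and renamed groups do not matter. It also attaches the policy to the whole Pages/Admin folder from the question via AuthorizeFolder instead of attributing each PageModel. The type names AdGroupRequirement and AdGroupHandler, the policy name AdminGroupOnly and the group DOMAIN\Web Admins are placeholders to replace with your own.

```csharp
// Added example: Windows authentication + a policy that requires membership in one AD group,
// applied to every Razor Page under /Pages/Admin. Names marked as placeholders are assumptions.
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.ApplicationModels;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;

namespace AdAuthDemo
{
    // Requirement (placeholder name): the Windows group, as DOMAIN\Group or BUILTIN\Group, that grants access.
    public class AdGroupRequirement : IAuthorizationRequirement
    {
        public string GroupName { get; }
        public AdGroupRequirement(string groupName) => GroupName = groupName;
    }

    // Handler (placeholder name): succeeds only when the caller's token contains the group's SID.
    public class AdGroupHandler : AuthorizationHandler<AdGroupRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                       AdGroupRequirement requirement)
        {
            // Only a Windows-authenticated request carries a WindowsIdentity; anything else fails closed.
            if (!(context.User.Identity is WindowsIdentity wi) || !wi.IsAuthenticated)
            {
                return Task.CompletedTask;
            }

            // Resolve the configured name to a SID once and compare SIDs: the token already holds SIDs,
            // no per-group name lookup is needed, and the check survives case differences and renames.
            SecurityIdentifier wanted;
            try
            {
                wanted = (SecurityIdentifier)new NTAccount(requirement.GroupName)
                    .Translate(typeof(SecurityIdentifier));
            }
            catch (IdentityNotMappedException)
            {
                // The configured group does not exist (typo, wrong domain): deny rather than throw.
                return Task.CompletedTask;
            }

            if (wi.Groups != null && wi.Groups.Contains(wanted))
            {
                context.Succeed(requirement);
            }
            return Task.CompletedTask;
        }
    }

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Windows authentication is performed by IIS / IIS Express (launchSettings.json in the question).
            services.AddAuthentication(IISDefaults.AuthenticationScheme);

            services.AddAuthorization(options =>
            {
                // "AdminGroupOnly" and DOMAIN\Web Admins are placeholders.
                options.AddPolicy("AdminGroupOnly", policy =>
                {
                    policy.RequireAuthenticatedUser();
                    policy.Requirements.Add(new AdGroupRequirement(@"DOMAIN\Web Admins"));
                });
            });
            services.AddSingleton<IAuthorizationHandler, AdGroupHandler>();

            // Protect the whole Pages/Admin folder with the policy; no [Authorize] on each PageModel needed.
            services.AddRazorPages(options =>
            {
                options.Conventions.AuthorizeFolder("/Admin", "AdminGroupOnly");
            });
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            app.UseRouting();
            app.UseAuthentication();   // must come before UseAuthorization
            app.UseAuthorization();
            app.UseEndpoints(endpoints => endpoints.MapRazorPages());
        }
    }
}
```

One caveat when testing this locally: on a UAC-enabled machine, a non-elevated process's token carries the local Administrators SID as deny-only, and such groups are not reported in WindowsIdentity.Groups, so a check against BUILTIN\Administrators can fail under IIS Express even for a user who is an administrator. A dedicated domain group, as in the placeholder above, avoids that trap and keeps web access rights separate from local machine administration.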