的.NET Web API - 覆盖AuthorizationFilter [英] .Net Web Api - Override AuthorizationFilter

问题描述

您好我有一个MVC的Web站点内的Web API控制器。
我想，以允许访问使用2个规则的控制：
用户是管理员或请求从本地计算机来;

Hello I have a web api controller inside a mvc web site. I'm trying to allow access to the controller using 2 rules: User is admin or the request came from local computer;

我是新来的，但AuthorizationFilterAttribute我试着写一个限制访问
当地唯一的要求：

I'm new to AuthorizationFilterAttribute but I tried to write one that limit access to local request only:

public class WebApiLocalRequestAuthorizationFilter : AuthorizationFilterAttribute
{

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }
        if (actionContext.Request.IsLocal())
        {
            return;
        }
        actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        actionContext.Response.Content = new StringContent("Username and password are missings or invalid");
    }
}

然后我饰我的控制器2的属性。

Then I decorated my controller with 2 attributes as

[Authorize(Roles = "Admin")]
[WebApiLocalRequestAuthorizationFilter]
public class ContactController : ApiController
{
    public ContactModel Get(int id)
    {
        ContactsService contactsService = new ContactsService();
        return contactsService.GetContactById(id).Map<ContactModel>();
    }

}

但正如我怀疑，现在，为了访问的控制我需要管理员和请求应当从本地主机作出。我该怎么办呢？

But as I suspected , now, in order to access the controller I need to be admin and the request should be made from localhost. How can I do it?

亲切的问候，
塔尔Humy

Kind regards, Tal Humy

推荐答案

一种解决方案是创建一个从AuthorizeAttribute继承的类

One solution is to create a class that inherits from AuthorizeAttribute

例如。像这样

public class MyAuthorizeAttribute: AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        bool accessAllowed = false;
        bool isInGroup = false;

        List<string> roleValues = Roles.Split(',').Select(rValue => rValue.Trim().ToUpper()).ToList();

        foreach (string role in roleValues)
        {
            isInGroup = IdentityExtensions.UserHasRole(httpContext.User.Identity, role);
            if (isInGroup)
            {
                accessAllowed = true;
                break;
            }
        }

        //add any other validation here
        //if (actionContext.Request.IsLocal()) accessAllowed = true;

        if (!accessAllowed)
        {
            //do some logging
        }

        return accessAllowed;
    }
...
}

然后你可以使用它像这样：

Then you can use it like so:

[MyAuthorizeAttribute（角色=支持，管理员）]

[MyAuthorizeAttribute(Roles = "Support,Admin")]

在上面的code，对于IdentityExtensions检查和高速缓存，ActiveDirectory的角色，这也让我们可以通过改变其缓存角色假冒当前用户。

In the above code, IdentityExtensions checks for, and caches, ActiveDirectory roles which also allows us to fake the current user having roles by changing the cache.

这篇关于的.NET Web API - 覆盖AuthorizationFilter的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！