在Web.API自定义权限 [英] Custom authorizations in Web.API
问题描述
我的ASP.NET MVC的理解是,对授权我应该使用类似 -
My understanding of ASP.NET MVC is that for authorizations I should use something like -
public class IPAuthorize : AuthorizeAttribute {
protected override bool AuthorizeCore(HttpContextBase httpContext) {
//figure out if the ip is authorized
//and return true or false
}
但是在网页API,没有 AuthorizeCore(..)
。
有 OnAuthorization(..)
和MVC一般的建议是不要用 OnAuthorization(..)
。
There is OnAuthorization(..)
and the general advice for MVC is not to use OnAuthorization(..)
.
我应该在的Web API使用自定义的授权?
What should I use for custom authorizations in Web API?
推荐答案
我不同意对立在所有 -
I don't agree with Oppositional at all -
授权在授权过滤器完成 - 这意味着你从System.Web.Http.AuthorizeAttribute派生并实现IsAuthorized方法
Authorization is done in an authorization filter - that mean you derive from System.Web.Http.AuthorizeAttribute and implement the IsAuthorized method.
您不执行授权,在一个正常的动作过滤器,因为它们运行在比管道过滤器的授权之后。
You don't implement authorization in a normal action filter because they run later in the pipeline than authorization filters.
您还没有在过滤器中实现身份验证(如解析JWT) - 这是在所谓的MessageHandler的扩展点甚至更早完成
You also don't implement authentication in a filter (like parsing a JWT) - this is done even earlier in an extensibility point called MessageHandler.
这篇关于在Web.API自定义权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!