How to implement custom authorization filter for Blazor page
Question
https://docs.microsoft.com/en-us/aspnet/core/security/blazor/?view=aspnetcore-3.1
At the top of the Blazor page, after @page:
@attribute [MyAuthFilter]
filter. However, OnAuthorization is never hit.

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class MyAuthFilter : AuthorizeAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationFilterContext context)
        {
            var httpContext = context.HttpContext;
            // get user name
            string userName = httpContext.User.Identity.Name;
            // todo - call method to check user access
            // check against list to see if access permitted
            //context.Result = new UnauthorizedResult();
        }
    }

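Recommended answer
The following code snippets show how to perform the authorization process, and how and where to display content to authorized users. You can build your own component based on the code shown below: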
Profile.razor

    @page "/profile"
    @page "/profile/{id}"

    <AuthorizeView Policy="CanEditProfile" Resource="@ID">
        <NotAuthorized>
            <h2 class="mt-5">You are not authorized to view this page</h2>
        </NotAuthorized>
        <Authorized>
            <div class="container my-profile">
                <h2>My Profile</h2>
                --- Place here all the content you want your user to view ----
            </div>
        </Authorized>
    </AuthorizeView>

    @code {
        [Parameter]
        public string ID { get; set; }
    }

ProfileHandler.cs

    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;

    public class ProfileHandler : IAuthorizationHandler
    {
        public Task HandleAsync(AuthorizationHandlerContext context)
        {
            if (context.User != null)
            {
                // Copy the list: Succeed() modifies PendingRequirements while we iterate.
                var pendingRequirements = context.PendingRequirements.ToList();

                foreach (var requirement in pendingRequirements)
                {
                    if (requirement is ProfileOwnerRequirement)
                    {
                        // get profile id from resource, passed in from blazor
                        // page component
                        var resource = context.Resource?.ToString();
                        var hasParsed = int.TryParse(resource, out int profileID);
                        if (hasParsed)
                        {
                            if (IsOwner(context.User, profileID))
                            {
                                context.Succeed(requirement);
                            }
                        }
                    }
                }
            }
            return Task.CompletedTask;
        }

        private bool IsOwner(ClaimsPrincipal user, int profileID)
        {
            // compare the requested memberId to the user's actual claim of
            // memberId
            // var isAuthorized = context.User.GetMemberIdClaim();
            // now we know if the user is authorized or not, and can act
            // accordingly
            // GetMemberIDClaim() is an extension method on ClaimsPrincipal
            // that is not shown in this answer.
            var _profileID = user.GetMemberIDClaim();
            return _profileID == profileID;
        }
    }

ProfileOwnerRequirement.cs

    public class ProfileOwnerRequirement : IAuthorizationRequirement
    {
        public ProfileOwnerRequirement() { }
    }

Startup class

    services.AddSingleton<IAuthorizationHandler, ProfileHandler>();
    services.AddAuthorization(config =>
    {
        config.AddPolicy("CanEditProfile", policy =>
            policy.Requirements.Add(new ProfileOwnerRequirement()));
    });

Hope this helps!
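
An added example, not part of the original question or answer: IAuthorizationFilter belongs to the MVC filter pipeline, which Razor components do not pass through, so the user-name check from the question is written here as a policy requirement and handler applied to the whole page with `[Authorize(Policy = ...)]`. The names AllowListedUserRequirement, IUserAccessList, InMemoryUserAccessList, AllowListedUserHandler, AddAllowListAuthorization and the policy name "AllowListedUser" are hypothetical, and the allow-list entry is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical requirement: marks policies that need the allow-list check.
public class AllowListedUserRequirement : IAuthorizationRequirement { }
// Hypothetical access source; replace with the real lookup (database, directory, ...).
public interface IUserAccessList { bool IsPermitted(string userName); }
public class InMemoryUserAccessList : IUserAccessList
{
    // Constructed sample data.
    private readonly HashSet<string> _allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice@example.com" };
    public bool IsPermitted(string userName) => _allowed.Contains(userName);
}

public class AllowListedUserHandler : AuthorizationHandler<AllowListedUserRequirement>
{
    private readonly IUserAccessList _access;
    public AllowListedUserHandler(IUserAccessList access) => _access = access;
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AllowListedUserRequirement requirement)
    {
        var identity = context.User?.Identity;
        // Fail closed: anonymous or unnamed users never satisfy the requirement.
        if (identity?.IsAuthenticated == true && !string.IsNullOrEmpty(identity.Name)
            && _access.IsPermitted(identity.Name))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public static class AllowListAuthorizationSetup
{
    // Call from Startup.ConfigureServices: services.AddAllowListAuthorization();
    // On the page, after @page: @attribute [Authorize(Policy = "AllowListedUser")]
    public static IServiceCollection AddAllowListAuthorization(this IServiceCollection services)
    {
        services.AddSingleton<IUserAccessList, InMemoryUserAccessList>();
        services.AddSingleton<IAuthorizationHandler, AllowListedUserHandler>();
        services.AddAuthorization(o => o.AddPolicy("AllowListedUser",
            p => p.Requirements.Add(new AllowListedUserRequirement())));
        return services;
    }
}
```

The page-level attribute is only enforced when App.razor routes through AuthorizeRouteView; with a plain RouteView the policy is never evaluated and the page renders for everyone.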