Blocking anonymous access by default in ASP .NET 5

Views: 399

Problem description

My team and I are starting up a new website project in ASP .NET 5 and I'm trying to set up the basis of our user authentication and authorization policy.

So far, I've managed to use the [Authorize] and [AllowAnonymous] attributes to selectively define an authorization policy on controllers or actions. The one thing I'm still struggling to achieve is defining a default authorization policy.

Basically, I'd like every controller and action to behave as if they had an [Authorize] attribute by default, so that only actions specifically tagged as [AllowAnonymous] can be accessed by an anonymous user. Otherwise, we expect that, at some point, someone will forget to add an [Authorize] attribute to their controller and introduce vulnerabilities into the webapp.

It was my understanding that I could use:

filters.Add(new AuthorizeAttribute());

... except that FilterConfig.cs no longer exists in MVC 6. According to How to register a global filter with mvc 6, asp.net 5 I can now access the global filters list using:

services.ConfigureMvc(options =>
{
   // options.Filters is the global filter collection; anything added here
   // applies to every controller and action
   options.Filters.Add(new YouGlobalActionFilter());
});

... tried it, looks fine, but now it's the AuthorizeAttribute filter that I can't seem to find.

For experimentation purposes I've tried to handcraft an equivalent to the AuthorizeAttribute filter and came up with the following:

using System.Net;
using System.Reflection;
using System.Threading.Tasks;
using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Mvc;
// ControllerActionDescriptor lives in Microsoft.AspNet.Mvc in early betas;
// later betas moved it to Microsoft.AspNet.Mvc.Controllers

public class LoginFilter: AuthorizeFilter
{
    // AuthorizeFilter demands a policy in its constructor, so a "must be
    // authenticated" policy is passed in even though the override below
    // does the real work
    public LoginFilter(): base(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build())
    {

    }

    public override Task OnAuthorizationAsync(Microsoft.AspNet.Mvc.AuthorizationContext context)
    {
        // Only unauthenticated callers of controller actions are of interest
        if(!context.HttpContext.User.Identity.IsAuthenticated && context.ActionDescriptor is ControllerActionDescriptor)
        {
            var action = context.ActionDescriptor as ControllerActionDescriptor;
            // Reject unless the controller or the action opted out with [AllowAnonymous]
            if(!AcceptAnonymous(action.ControllerTypeInfo) && !AcceptAnonymous(action.MethodInfo))
            {
                context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            }
        }
        return base.OnAuthorizationAsync(context);
    }

    // True when [AllowAnonymous] is present on the type or method (inherited included)
    private static bool AcceptAnonymous(ICustomAttributeProvider o)
    {
        return o.IsDefined(typeof(AllowAnonymousAttribute), true);
    }
}

This kinda works... I can add it to the global filters list, and it does reject queries coming from unauthenticated users unless the query is resolved to an action tagged [AllowAnonymous].

However...

  • the AuthorizationPolicyBuilder thingy is ugly and misleading: it does not serve any purpose and is apparently ignored during the whole processing. The only reason I added it is that AuthorizeFilter requires an AuthorizationPolicy in its constructor. I guess, but haven't tried yet, that directly implementing IAsyncAuthorizationFilter would solve this particular issue

  • nothing in this code is specific to my webapp and the functionality was apparently provided in previous versions of the framework, so I'm willing to bet that there already is (or there will soon be) a component doing exactly the same thing, and I'd rather use a standard component from the framework than handcraft my own.

So, long story short, where has the AuthorizeAttribute filter gone? Or is there any functional equivalent I can use to make rejection of anonymous users the default behavior?

Recommended answer

You can use Microsoft.AspNet.Mvc.AuthorizeFilter:

using Microsoft.AspNet.Mvc;
using Microsoft.AspNet.Authorization;

services.ConfigureMvc(options =>
{
   options.Filters.Add(new AuthorizeFilter(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()));
});

If you need custom authorization requirements see this answer for more information.
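To show how the answer's single global filter combines with per-action opt-outs, here is an added example of a complete Startup and a controller; it is not code from the question or the answer. It uses the beta-era Microsoft.AspNet.* namespaces and services.ConfigureMvc exactly as on this page; the cookie authentication registration, the login path, and the controller and action names are assumptions for illustration.

```csharp
// Added example, not from the original question or answer.
// Deny-by-default authorization for every MVC action in ASP .NET 5 (beta-era
// namespaces as used on this page); [AllowAnonymous] is the only opt-out.
using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Mvc;
using Microsoft.Framework.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // One policy: the caller must carry an authenticated identity.
        var requireAuthenticated = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();

        // Registering the filter globally means nobody has to remember [Authorize]
        // on each new controller, which is the mistake the question wants to rule out.
        services.ConfigureMvc(options =>
        {
            options.Filters.Add(new AuthorizeFilter(requireAuthenticated));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Assumption: cookie authentication. Some authentication middleware must run
        // before MVC so that HttpContext.User is populated and a failed policy turns
        // into a challenge (redirect to the login page) rather than a bare rejection.
        app.UseCookieAuthentication(options =>
        {
            options.LoginPath = new PathString("/Account/Login"); // assumed path
        });

        app.UseMvcWithDefaultRoute();
    }
}

// Hypothetical controller showing the three cases a reviewer should recognise.
public class HomeController : Controller
{
    // Explicit opt-out: reachable without signing in. With the global filter in
    // place this attribute is the only way an action becomes public.
    [AllowAnonymous]
    public IActionResult Index() => Content("public");

    // No attribute at all, yet still protected by the global filter.
    public IActionResult Dashboard() => Content("signed in as " + User.Identity.Name);

    // Attribute-level [Authorize] composes with the global policy: both the
    // "authenticated" requirement and the role requirement must pass.
    [Authorize(Roles = "admin")]
    public IActionResult Admin() => Content("admin only");
}
```

Two things worth checking when reviewing such a setup: [AllowAnonymous] placed on a controller class opens every action in it, so those placements deserve the same scrutiny a missing [Authorize] used to get; and the filter only decides whether the policy is satisfied, while the registered authentication middleware decides what the response to an unsatisfied policy looks like (a login redirect for cookies, a 401 for token schemes).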
