Can Policy Based Authorization be more dynamic?


Question


.NET Core policy authorization, however, is looking very static to me. Because in the Enterprise Application there is often a need for new roles, which will need new policies (as far as I understand), or if you want to implement a new type of policy specific to a certain client. For example, if we are building a CMS which will be driven by those policies, we will want each client to be able to define his own. So can this new policy-based mechanism be more dynamic, or is its idea entirely different?

Thanks :))

Answer


I always recommend that people take a look at the least privilege repo, as it has some great examples of all the various approaches one can take with the new ASP.NET Core Authentication and Authorization paradigms.


Can this new policy base mechanism be more dynamic?


Yes, in fact it is more dynamic than the previous role-based concepts. It allows you to define policies that can be data driven. Here is another great resource for details pertaining to this. You can specify that an API entry point, for example, is protected by a policy, and that policy can have a handler, and that handler can do anything it needs to, i.e. examine the current User in context, compare claims to values in the database, compare roles, anything really. Consider the following:

Using the policy

[Authorize(Policy = "DataDrivenExample")]
public IActionResult GetFooBar()
{
    // Omitted for brevity...
}


Add the authorization with the options that add the policy.

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();    
    services.AddAuthorization(options =>
    {
        options.AddPolicy("DataDrivenExample",
                          policy => 
                          policy.Requirements.Add(new DataDrivenRequirement()));
    });    
    services.AddSingleton<IAuthorizationHandler, DataDrivenHandler>();
}

Then define the handler.

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Marker requirement referenced by the AddPolicy call above.
public class DataDrivenRequirement : IAuthorizationRequirement { }

// The handler type must match the one registered with AddSingleton above
// (DataDrivenHandler); the original post named it MinimumAgeHandler, which
// would never have been invoked for this requirement.
public class DataDrivenHandler : AuthorizationHandler<DataDrivenRequirement>
{
    // Current API; the pre-1.0 answer used Handle(AuthorizationContext, ...).
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   DataDrivenRequirement requirement)
    {
        // Do anything here, interact with DB, User, claims, Roles, etc.
        // As long as you set either:
        //    context.Succeed(requirement);
        //    context.Fail();
        return Task.CompletedTask;
    }
}


Is the idea entirely different?


It should feel very similar to the previous concepts that you're accustomed to with authN and authZ.
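The answer above shows the three pieces (policy attribute, `AddPolicy` registration, handler) but leaves the handler body empty and still requires every policy to be registered by name in `ConfigureServices`. The following is an added example, not code from the original question or answer, that fills in both gaps for the asker's multi-tenant CMS scenario: a handler that looks the caller's permission up in a per-client store, and an `IAuthorizationPolicyProvider` (a real ASP.NET Core extension point, not mentioned on the page) that builds `Permission:<name>` policies on demand so that a new permission needs no new code. `IPermissionStore`, the `client_id` claim type and the `Permission:` naming convention are assumptions of this example; the `IAuthorizationPolicyProvider`, `AuthorizationHandler<T>` and `AuthorizationPolicyBuilder` APIs are the framework's own.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

// Requirement carrying the name of the permission the caller must hold.
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(string permission) => Permission = permission;
    public string Permission { get; }
}

// Hypothetical store (an assumption of this example): which permissions a
// (client, user) pair holds. A real application backs this with a database.
public interface IPermissionStore
{
    Task<bool> UserHasPermissionAsync(string clientId, string userId, string permission);
}

public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IPermissionStore _store;
    public PermissionHandler(IPermissionStore store) => _store = store;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // "client_id" and NameIdentifier are assumed to be issued at sign-in.
        var clientId = context.User.FindFirst("client_id")?.Value;
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (clientId is null || userId is null)
        {
            // Unauthenticated or malformed principal: deny explicitly so no
            // other handler can succeed the policy.
            context.Fail();
            return;
        }

        if (await _store.UserHasPermissionAsync(clientId, userId, requirement.Permission))
        {
            context.Succeed(requirement);
        }
        // Otherwise the requirement stays unmet and the policy fails (default deny).
    }
}

// Builds "Permission:<name>" policies on demand, so adding a permission to the
// store (or to a client's configuration) needs no change to ConfigureServices.
public sealed class PermissionPolicyProvider : IAuthorizationPolicyProvider
{
    private const string Prefix = "Permission:";
    private readonly DefaultAuthorizationPolicyProvider _fallback;

    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options)
        => _fallback = new DefaultAuthorizationPolicyProvider(options);

    public Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        if (policyName.StartsWith(Prefix, StringComparison.Ordinal))
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new PermissionRequirement(policyName.Substring(Prefix.Length)))
                .Build();
            return Task.FromResult<AuthorizationPolicy?>(policy);
        }
        // Anything else is resolved from the statically registered policies.
        return _fallback.GetPolicyAsync(policyName);
    }

    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _fallback.GetDefaultPolicyAsync();
    public Task<AuthorizationPolicy?> GetFallbackPolicyAsync() => _fallback.GetFallbackPolicyAsync();
}

// Registration (ConfigureServices or Program.cs):
//   services.AddAuthorization();
//   services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
//   services.AddScoped<IAuthorizationHandler, PermissionHandler>();
//   services.AddScoped<IPermissionStore, EfPermissionStore>(); // hypothetical DB-backed store
//
// Usage on an action; "Article.Edit" is never registered anywhere in code:
//   [Authorize(Policy = "Permission:Article.Edit")]
```

Two design points worth noting: the handler calls `context.Fail()` only for a principal it cannot identify, and otherwise simply declines to `Succeed`, which keeps the default-deny behaviour while still letting another handler for the same requirement grant access if your design wants that; and the policy provider delegates every non-prefixed name to `DefaultAuthorizationPolicyProvider`, so the `DataDrivenExample` style of static registration from the answer keeps working alongside the dynamic policies.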
