Custom Policy for Authorization
Problem description
I am working on a requirement in which I have to check whether our request header contains an Authorization header and, based on that, either call another server or return 403. Currently I have done it by creating a custom ActionAttribute like this:
// Usings this filter depends on (added for completeness; the post omitted them):
using System;
using System.Globalization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

// FailureResponseModel and Error are the poster's own response types (not shown in the post).
public class ValidateAuthHeaderAttribute : ActionFilterAttribute
{
    private readonly ILogger<ValidateAuthHeaderAttribute> _logger;

    public ValidateAuthHeaderAttribute(ILogger<ValidateAuthHeaderAttribute> logger)
    {
        _logger = logger;
    }

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var httpContext = context.HttpContext;

        // Header present: let the action run.
        if (httpContext.Request.Headers.ContainsKey("Authorization"))
        {
            return;
        }

        // Header missing: short-circuit the pipeline with a 403 and a JSON body.
        var failureResponse = new FailureResponseModel
        {
            Result = false,
            ResultDetails = "Authorization header not present in request",
            Uri = httpContext.Request.Path.ToUriComponent(),
            Timestamp = DateTime.Now.ToString("s", CultureInfo.InvariantCulture),
            Error = new Error
            {
                Code = 108,
                Description = "Authorization header not present in request",
                Resolve = "Send Request with authorization header to avoid this error."
            }
        };
        var responseString = JsonConvert.SerializeObject(failureResponse);
        context.Result = new ContentResult
        {
            Content = responseString,
            ContentType = "application/json",
            StatusCode = 403
        };
    }
}
And I am using this custom attribute in my controller/methods like this:
[TypeFilter(typeof(ValidateAuthHeaderAttribute))]
Now this is working fine, but I was reading about Policy Based Authorization in the .NET Core docs. Since it is now recommended to use policies, I was wondering whether it is possible to port my code to a custom policy.
Recommended answer
IMO, I would suggest you keep using ValidateAuthHeaderAttribute, which is much easier.
If you insist on a policy, follow the steps below:
Requirement and handler
// Usings this code depends on (added for completeness; the answer only named the Filters one):
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Newtonsoft.Json;

// Marker requirement: carries no data, the handler below does all the work.
public class AuthorizationHeaderRequirement : IAuthorizationRequirement
{
}

// Same FailureResponseModel / Error types as in the question (not shown in the post).
public class AuthorizationHeaderHandler : AuthorizationHandler<AuthorizationHeaderRequirement>
{
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, AuthorizationHeaderRequirement requirement)
    {
        // Requires the following import:
        // using Microsoft.AspNetCore.Mvc.Filters;
        // Note: context.Resource is an AuthorizationFilterContext only when the MVC AuthorizeFilter
        // runs the policy; under endpoint routing (ASP.NET Core 3.0+) it is the HttpContext, and
        // this branch is then skipped, so the requirement is neither succeeded nor failed.
        if (context.Resource is AuthorizationFilterContext mvcContext)
        {
            // Examine MVC-specific things like routing data.
            var httpContext = mvcContext.HttpContext;
            if (httpContext.Request.Headers.ContainsKey("Authorization"))
            {
                context.Succeed(requirement);
                return;
            }

            // Header missing: write the 403 JSON body directly from the handler.
            var failureResponse = new FailureResponseModel
            {
                Result = false,
                ResultDetails = "Authorization header not present in request",
                Uri = httpContext.Request.Path.ToUriComponent(),
                Timestamp = DateTime.Now.ToString("s", CultureInfo.InvariantCulture),
                Error = new Error
                {
                    Code = 108,
                    Description = "Authorization header not present in request",
                    Resolve = "Send Request with authorization header to avoid this error."
                }
            };
            var responseString = JsonConvert.SerializeObject(failureResponse);
            mvcContext.Result = new ContentResult
            {
                Content = responseString,
                ContentType = "application/json",
                StatusCode = 403
            };
            await mvcContext.Result.ExecuteResultAsync(mvcContext);
        }
    }
}
In Startup.cs
services.AddAuthorization(options =>
{
    options.AddPolicy("AuthorizationHeaderRequirement", policy =>
        policy.Requirements.Add(new AuthorizationHeaderRequirement()));
});
services.AddSingleton<IAuthorizationHandler, AuthorizationHeaderHandler>();
Controller
[Authorize(Policy = "AuthorizationHeaderRequirement")]
public IActionResult Privacy()
{
    return View();
}
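As an added example (not part of the original question or answer), the same policy written so that the handler only decides and the 403 body is produced where the framework expects it: it assumes ASP.NET Core 5.0 or later, where IAuthorizationMiddlewareResultHandler exists, and the names HeaderFailureResultHandler and the IHttpContextAccessor-based lookup are this example's own choices. This keeps the handler correct under endpoint routing, where context.Resource is no longer an AuthorizationFilterContext.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;

// Same requirement as in the answer: the request must carry an Authorization header.
public class AuthorizationHeaderRequirement : IAuthorizationRequirement { }

// The handler only decides; it never writes to the response.
public class AuthorizationHeaderHandler : AuthorizationHandler<AuthorizationHeaderRequirement>
{
    private readonly IHttpContextAccessor _accessor;
    public AuthorizationHeaderHandler(IHttpContextAccessor accessor) => _accessor = accessor;
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   AuthorizationHeaderRequirement requirement)
    {
        // Under endpoint routing context.Resource is the HttpContext; with the MVC
        // AuthorizeFilter it is an AuthorizationFilterContext. The accessor covers both.
        var http = context.Resource as HttpContext ?? _accessor.HttpContext;
        if (http != null && http.Request.Headers.ContainsKey("Authorization"))
            context.Succeed(requirement);
        else
            context.Fail(); // explicit: no other handler can turn this into a success
        return Task.CompletedTask;
    }
}

// Turns a failed evaluation of this policy into the question's 403 JSON body;
// every other outcome is delegated to the framework's default handler.
public class HeaderFailureResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _default = new();

    public async Task HandleAsync(RequestDelegate next, HttpContext context,
                                  AuthorizationPolicy policy, PolicyAuthorizationResult result)
    {
        // Keyed on the policy rather than result.Forbidden: an anonymous caller without the
        // header is reported as Challenged (no AuthorizationFailure attached), not Forbidden.
        if (!result.Succeeded && policy.Requirements.OfType<AuthorizationHeaderRequirement>().Any())
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            await context.Response.WriteAsJsonAsync(new { Result = false, Error = new { Code = 108,
                Description = "Authorization header not present in request" } });
            return;
        }
        await _default.HandleAsync(next, context, policy, result);
    }
}
```

Registration is the answer's AddPolicy call plus `services.AddHttpContextAccessor();`, `services.AddSingleton<IAuthorizationHandler, AuthorizationHeaderHandler>();` and `services.AddSingleton<IAuthorizationMiddlewareResultHandler, HeaderFailureResultHandler>();`. The controller attribute stays `[Authorize(Policy = "AuthorizationHeaderRequirement")]` as in the answer.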