Custom authorizations in Web.API
Question
My understanding of ASP.NET MVC is that for authorizations I should use something like -
public class IPAuthorize : AuthorizeAttribute {
    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        // figure out if the ip is authorized
        // and return true or false
        return false; // placeholder: deny until the check is implemented
    }
}
But in Web API, there is no AuthorizeCore(..).
There is OnAuthorization(..) and the general advice for MVC is not to use OnAuthorization(..).
What should I use for custom authorizations in Web API?
Recommended answer
Authorization is done in an authorization filter - that means you derive from System.Web.Http.AuthorizeAttribute and implement the IsAuthorized method.
You don't implement authorization in a normal action filter because they run later in the pipeline than authorization filters.
You also don't implement authentication in a filter (like parsing a JWT) - this is done even earlier in an extensibility point called MessageHandler.
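The IP check from the question, written as a Web API authorization filter in the way the answer describes. This is an added example, not code from the original post: the allow-list contents and the GetClientIp helper are hypothetical, and it assumes IIS web hosting, where the request carries the MS_HttpContext property.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;

public class IPAuthorizeAttribute : AuthorizeAttribute
{
    // Constructed sample allow-list (192.0.2.0/24 is a documentation range).
    private static readonly HashSet<IPAddress> Allowed = new HashSet<IPAddress>
    {
        IPAddress.Parse("192.0.2.10"),
        IPAddress.Loopback,
        IPAddress.IPv6Loopback
    };

    // Web API's counterpart to MVC's AuthorizeCore. Overriding it replaces the
    // base check for an authenticated principal; add base.IsAuthorized(actionContext)
    // to the condition if a logged-in user is required as well.
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        IPAddress client = GetClientIp(actionContext.Request);
        return client != null && Allowed.Contains(client); // fail closed
    }

    // The caller is refused by policy, so answer 403 instead of the default 401.
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        actionContext.Response = actionContext.Request.CreateErrorResponse(
            HttpStatusCode.Forbidden, "Client address is not allowed.");
    }

    // Hypothetical helper. Behind a reverse proxy UserHostAddress is the proxy's
    // address; only read a forwarding header if a trusted proxy overwrites it.
    private static IPAddress GetClientIp(HttpRequestMessage request)
    {
        object ctx;
        if (!request.Properties.TryGetValue("MS_HttpContext", out ctx)) return null;
        var http = ctx as HttpContextBase;
        IPAddress ip;
        if (http == null || !IPAddress.TryParse(http.Request.UserHostAddress, out ip))
            return null;
        // Normalize ::ffff:a.b.c.d so it matches IPv4 entries in the allow-list.
        return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
    }
}
```

Apply it with [IPAuthorize] on a controller or action, or register it globally through config.Filters.Add(new IPAuthorizeAttribute()).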