在Web.API自定义权限 [英] Custom authorizations in Web.API

问题描述

我的ASP.NET MVC的理解是，对授权我应该使用类似 -

My understanding of ASP.NET MVC is that for authorizations I should use something like -

public class IPAuthorize : AuthorizeAttribute {

protected override bool AuthorizeCore(HttpContextBase httpContext) {
    //figure out if the ip is authorized 
    //and return true or false
}

但是在网页API，没有 AuthorizeCore（..）。

有 OnAuthorization（..）和MVC一般的建议是不要用 OnAuthorization（..）。

There is OnAuthorization(..) and the general advice for MVC is not to use OnAuthorization(..).

我应该在的Web API使用自定义的授权？

What should I use for custom authorizations in Web API?

推荐答案

我不同意对立在所有 -

I don't agree with Oppositional at all -

授权在授权过滤器完成 - 这意味着你从System.Web.Http.AuthorizeAttribute派生并实现IsAuthorized方法

Authorization is done in an authorization filter - that mean you derive from System.Web.Http.AuthorizeAttribute and implement the IsAuthorized method.

您不执行授权，在一个正常的动作过滤器，因为它们运行在比管道过滤器的授权之后。

You don't implement authorization in a normal action filter because they run later in the pipeline than authorization filters.

您还没有在过滤器中实现身份验证（如解析JWT） - 这是在所谓的MessageHandler的扩展点甚至更早完成

You also don't implement authentication in a filter (like parsing a JWT) - this is done even earlier in an extensibility point called MessageHandler.

这篇关于在Web.API自定义权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！