Can Policy Based Authorization be more dynamic?


Problem description


Net Core policy authorization, however it looks very static to me, because in an enterprise application there is often a need for new roles, which will need new policies (as far as I understand), or you may want to implement a new type of policy specific to a certain client. For example, if we are building a CMS which will be driven by those policies, we will want each client to be able to define his own. So can this new policy-based mechanism be more dynamic, or is its idea entirely different?

thanks :))

解决方案

I always recommend that people take a look at the least privilege repo, as it has some great examples of all the various approaches one can take with the new ASP.NET Core authentication and authorization paradigms.

Can this new policy-based mechanism be more dynamic?

Yes, in fact it is more dynamic than the previous role-based concepts. It allows you to define policies that can be data driven. Here is another great resource for details pertaining to this. You can specify that an API entry point, for example, is protected by a policy, and that policy can have a handler, and that handler can do anything it needs to, i.e., examine the current User in context, compare claims to values in the database, compare roles, anything really. Consider the following:

Define an entry point with the Policy

[Authorize(Policy = "DataDrivenExample")]
public IActionResult GetFooBar()
{
    // Omitted for brevity...
}

Add the authorization with the options that add the policy.

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddAuthorization(options =>
    {
        options.AddPolicy("DataDrivenExample",
                          policy =>
                          policy.Requirements.Add(new DataDrivenRequirement()));
    });
    // A singleton is fine for a stateless handler. If the handler takes a scoped
    // dependency such as a DbContext, register it with AddScoped instead; otherwise
    // the singleton captures one instance for the lifetime of the application.
    services.AddSingleton<IAuthorizationHandler, DataDrivenHandler>();
}

Then define the handler.

// The requirement is a marker type; it can also carry data for the handler to use.
public class DataDrivenRequirement : IAuthorizationRequirement { }

// The class name matches the registration above
// (services.AddSingleton<IAuthorizationHandler, DataDrivenHandler>()).
public class DataDrivenHandler : AuthorizationHandler<DataDrivenRequirement>
{
    // Released ASP.NET Core (1.0 and later) overrides HandleRequirementAsync; the
    // pre-release builds had a synchronous Handle(AuthorizationContext, ...) instead.
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   DataDrivenRequirement requirement)
    {
        // Do anything here, interact with DB, User, claims, Roles, etc.
        // Call context.Succeed(requirement) when the requirement is met.
        // If no handler calls Succeed, authorization fails (fail closed);
        // context.Fail() additionally vetoes any Succeed from other handlers.
        return Task.CompletedTask;
    }
}

Is the idea entirely different?

It should feel very similar to the previous concepts that you're accustomed to with authn and authz.
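The following is an added example, not code from the original answer or the repos it links to. It carries the DataDrivenRequirement idea above through to the per-client case the question asks about: permissions are looked up per tenant in a store (an in-memory stand-in for a database table here), and any policy named "permission:<name>" is built on demand by a custom IAuthorizationPolicyProvider, so a tenant defining a new permission needs no AddPolicy call and no redeploy. The "tenant" claim name, the "permission:" naming convention and the IPermissionStore interface are assumptions made for the example; it needs the Microsoft.AspNetCore.Authorization, Microsoft.Extensions.DependencyInjection and Microsoft.Extensions.Logging packages and runs as a console program without a web host.

```csharp
// Added example; "tenant" claim, "permission:" prefix and IPermissionStore are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// The requirement carries the data the handler needs: which permission is being asked for.
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public string Permission { get; }
    public PermissionRequirement(string permission) => Permission = permission;
}

// Stand-in for the per-client permission table a CMS would keep in its database.
public interface IPermissionStore
{
    Task<bool> HasPermissionAsync(string tenant, string userId, string permission);
}

public sealed class InMemoryPermissionStore : IPermissionStore
{
    // Constructed sample data: (tenant, user) -> permissions that tenant has granted.
    private static readonly Dictionary<(string, string), HashSet<string>> Grants = new()
    {
        [("acme", "alice")]   = new() { "articles.edit", "articles.publish" },
        [("acme", "bob")]     = new() { "articles.edit" },
        [("globex", "alice")] = new() { "articles.read" },
    };

    public Task<bool> HasPermissionAsync(string tenant, string userId, string permission) =>
        Task.FromResult(Grants.TryGetValue((tenant, userId), out var set) && set.Contains(permission));
}

// The handler resolves the caller's tenant and id from claims and asks the store.
public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IPermissionStore _store;
    public PermissionHandler(IPermissionStore store) => _store = store;

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                         PermissionRequirement requirement)
    {
        var tenant = context.User.FindFirst("tenant")?.Value;
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (tenant is null || userId is null)
            return; // nothing to look up: the requirement stays unmet and the request is denied

        if (await _store.HasPermissionAsync(tenant, userId, requirement.Permission))
            context.Succeed(requirement);
        // An unmet requirement already fails closed; context.Fail() is only needed to veto
        // a Succeed that another handler may have issued for the same requirement.
    }
}

// Builds a policy for any "permission:<name>" at runtime; other names use the default provider.
public sealed class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    private const string Prefix = "permission:";

    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        if (!policyName.StartsWith(Prefix, StringComparison.OrdinalIgnoreCase))
            return base.GetPolicyAsync(policyName);

        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddRequirements(new PermissionRequirement(policyName.Substring(Prefix.Length)))
            .Build();
        return Task.FromResult<AuthorizationPolicy?>(policy);
    }
}

public static class Program
{
    // Same wiring as in ConfigureServices, hosted in a console so it runs offline; in MVC the
    // action would simply carry [Authorize(Policy = "permission:articles.publish")].
    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddAuthorizationCore();
        services.AddSingleton<IPermissionStore, InMemoryPermissionStore>();
        services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
        // Scoped, not singleton: a real store would be a DbContext, and a singleton
        // handler must not capture a scoped dependency.
        services.AddScoped<IAuthorizationHandler, PermissionHandler>();

        using var scope = services.BuildServiceProvider().CreateScope();
        var authz = scope.ServiceProvider.GetRequiredService<IAuthorizationService>();

        foreach (var (tenant, user) in new[] { ("acme", "alice"), ("acme", "bob"), ("globex", "alice") })
        {
            var result = await authz.AuthorizeAsync(Principal(tenant, user), null, "permission:articles.publish");
            Console.WriteLine($"{user}@{tenant} articles.publish: {(result.Succeeded ? "allowed" : "denied")}");
        }
    }

    private static ClaimsPrincipal Principal(string tenant, string userId) =>
        new(new ClaimsIdentity(new[] { new Claim("tenant", tenant), new Claim(ClaimTypes.NameIdentifier, userId) }, "test"));
}
```

With the sample grants, only alice at acme is allowed to publish; bob at acme and alice at globex are denied, the latter because grants are keyed by tenant, so a user's permissions in one client never leak into another. The policy provider is what makes the scheme dynamic: the set of policies is no longer fixed at startup, and the data that decides each one lives in the store.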
