ASP.NET Core-使用Windows Authenticaiton进行授权

时间:2018-11-28 16:55:10

标签: c# iis asp.net-core authorization windows-authentication

我已将我的Web api配置为与Windows身份验证一起使用。我的目标实质上是根据用户的Windows帐户来限制控制器中的某些操作。一些将能够执行读取操作,而其他一些将能够执行将写入基础数据库的操作。我发现了大量有关如何设置基于声明的授权的文档,这是我认为我需要走的路。我尚未找到的是如何使用Windows身份验证进行设置。我想我缺少中间步骤,例如将Windows Auth注册为身份提供者?

startup.cs 

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthentication(IISDefaults.AuthenticationScheme);

    services.AddAuthorization(options =>
    {
        options.AddPolicy("readOnly", policy =>
                          policy.RequireClaim(`???????????????????????`));
        options.AddPolicy("write", policy =>
                          policy.RequireClaim(`???????????????????????`));
    });
}

控制器 

[Authorize(Policy = "ReadOnly")]
public class MyController : Controller
{
    public ActionResult SomeReadOnlyAction()
    {
        //Return data from database
    }

    [Authorize(Policy = "Write")]
    public ActionResult AWriteAction()
    {
        //Create/Update/Delete data from database
    }
}

我想问这个问题的另一种方法是如何使用Windows身份验证配置或访问声明/角色等。

1 个答案:

答案 0 :(得分:2)

您似乎想通过策略使用基于声明的授权。在您的应用程序中设置Windows身份验证之后,您可以向ClaimsPrincipal添加自定义声明,检查用户的身份并确认当前用户具有哪个权限:

  1. 您可以向您的应用程序添加声明转换服务:

    class ClaimsTransformer : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var id = ((ClaimsIdentity)principal.Identity);

        var ci = new ClaimsIdentity(id.Claims, id.AuthenticationType, id.NameClaimType, id.RoleClaimType);
        if (ci.Name.Equals("name"))
        {
            ci.AddClaim(new Claim("permission", "readOnly"));
        }
        else
        {
            ci.AddClaim(new Claim("permission", "write"));

        }


        var cp = new ClaimsPrincipal(ci);

        return Task.FromResult(cp);
    }
}

  2. 添加到Startup.cs(.net Core 2.0):

        services.AddTransient<IClaimsTransformation, ClaimsTransformer>();

  3. 设置您的政策:

        services.AddAuthorization(options =>
    {
        options.AddPolicy("Readonly", policy =>
                          policy.RequireClaim("permission", "readOnly"));

        options.AddPolicy("Write", policy =>
                        policy.RequireClaim("permission", "write"));
    });

  4. 通过要求以下策略来限制对控制器或操作的访问:

        [Authorize(Policy = "Write")]
    public IActionResult Contact()
    {
        ViewData["Message"] = "Your contact page.";

        return View();
    }

如果您已经在AD中添加了组(写,只读)并将相关用户添加到group中,则还可以检查组:

public static class Security
{
    public static bool IsInGroup(this ClaimsPrincipal User, string GroupName)
    {
        var groups = new List<string>();

        var wi = (WindowsIdentity)User.Identity;
        if (wi.Groups != null)
        {
            foreach (var group in wi.Groups)
            {
                try
                {
                    groups.Add(group.Translate(typeof(NTAccount)).ToString());
                }
                catch (Exception)
                {
                    // ignored
                }
            }
            return groups.Contains(GroupName);
        }
        return false;
    }
}

并像这样使用:

 if (User.IsInGroup("GroupName"))
 {

 }
相关问题
最新问题