C# WebApi attribute authorization

Time: 2016-04-27 10:05:39

Tags: c# asp.net-web-api

I have some code written by an external programmer. The project is a WebApi. I don't know how the authorization happens. I think the attribute above the controller method makes it happen, but I don't understand how the authorization actually takes place. Example of a controller method:

    [HttpGet]
    [Route("organizationunits/{entity}/{type}")]
    [MDLAuthorize(Actions.Read)]
    public async Task<IHttpActionResult> GetEntities(string entity, string type)
    {
        // some code
    }

The MDLAuthorize attribute decorates the method, and I suppose the IsAuthorized method gets called somehow.

    using System;
    using System.Web.Http;

    public class MDLAuthorize : AuthorizeAttribute
    {
        private string _action;

        public MDLAuthorize(string action)
            : base()
        {
            _action = action;
        }

        protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
        {
            try
            {
                if (String.IsNullOrEmpty(_action))
                    return false;

                // Base check (Users/Roles); note that its result is computed but never used below.
                var baseAuthorized = base.IsAuthorized(actionContext);

                // The controller name is the "activity" the permission is checked against.
                string activity = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
                if (actionContext.RequestContext.Principal == null ||
                    actionContext.RequestContext.Principal.Identity == null)
                {
                    //no principal, no fun.
                    return false;
                }
                else
                {
                    string username = actionContext.RequestContext.Principal.Identity.Name;
                    bool isAuthorized = Security.HasPermission(username, activity, _action);
                    return isAuthorized;
                }
            }
            catch (Exception ex)
            {
                // Fail closed: any error during the check is logged and treated as "not authorized".
                MDLApiLog.Error(ex);
                return false;
            }
        }
    }

I don't know whether my question needs it, but here is the AuthorizeAttribute class

    //
    // Summary:
    //     Specifies the authorization filter that verifies the request's System.Security.Principal.IPrincipal.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
    public class AuthorizeAttribute : AuthorizationFilterAttribute
    {
        //
        // Summary:
        //     Initializes a new instance of the System.Web.Http.AuthorizeAttribute class.
        public AuthorizeAttribute();

        //
        // Summary:
        //     Gets or sets the authorized roles.
        //
        // Returns:
        //     The roles string.
        public string Roles { get; set; }
        //
        // Summary:
        //     Gets a unique identifier for this attribute.
        //
        // Returns:
        //     A unique identifier for this attribute.
        public override object TypeId { get; }
        //
        // Summary:
        //     Gets or sets the authorized users.
        //
        // Returns:
        //     The users string.
        public string Users { get; set; }

        //
        // Summary:
        //     Calls when an action is being authorized.
        //
        // Parameters:
        //   actionContext:
        //     The context.
        //
        // Exceptions:
        //   T:System.ArgumentNullException:
        //     The context parameter is null.
        public override void OnAuthorization(HttpActionContext actionContext);
        //
        // Summary:
        //     Processes requests that fail authorization.
        //
        // Parameters:
        //   actionContext:
        //     The context.
        protected virtual void HandleUnauthorizedRequest(HttpActionContext actionContext);
        //
        // Summary:
        //     Indicates whether the specified control is authorized.
        //
        // Parameters:
        //   actionContext:
        //     The context.
        //
        // Returns:
        //     true if the control is authorized; otherwise, false.
        protected virtual bool IsAuthorized(HttpActionContext actionContext);
    }

1 answer:

Answer 0: (score: 1)

Any attribute that inherits from AuthorizeAttribute has its IsAuthorized() method called when a request comes in. The body of that method in the derived attribute uses the Security.HasPermission() method to check whether the user is allowed to perform the action.
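As an added example (not code from the question or from the project), the harness below drives an AuthorizeAttribute subclass through the same entry point the Web API 2 filter pipeline uses, OnAuthorization, and shows that a false IsAuthorized() ends the request with a 401 before the action runs. The OrganizationUnitsController, ProbeAuthorize and AuthorizeHarness names are constructed for this example; running the same harness against MDLAuthorize additionally requires the real Security and MDLApiLog types.

```csharp
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Routing;

// Constructed stand-in for the decorated controller (not the project's code).
public class OrganizationUnitsController : ApiController
{
    public IHttpActionResult GetEntities(string entity, string type) => Ok();
}

// Probe filter: lets the caller choose what IsAuthorized() reports, so the pipeline's reaction can be observed.
public class ProbeAuthorize : AuthorizeAttribute
{
    public bool Verdict { get; set; }
    protected override bool IsAuthorized(HttpActionContext actionContext) => Verdict;
}

public static class AuthorizeHarness
{
    // Builds the HttpActionContext the framework hands to the filter for this controller and action.
    public static HttpActionContext BuildContext(IPrincipal principal)
    {
        var config = new HttpConfiguration();
        var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/organizationunits/x/y");
        request.SetConfiguration(config); // CreateErrorResponse inside the filter needs a configuration
        var controllerType = typeof(OrganizationUnitsController);
        var controllerDescriptor = new HttpControllerDescriptor(config, "OrganizationUnits", controllerType);
        var controllerContext = new HttpControllerContext(config, new HttpRouteData(new HttpRoute()), request)
        {
            ControllerDescriptor = controllerDescriptor,
            RequestContext = new HttpRequestContext { Principal = principal }
        };
        var action = new ReflectedHttpActionDescriptor(controllerDescriptor, controllerType.GetMethod("GetEntities"));
        return new HttpActionContext(controllerContext, action);
    }

    // Drives the filter exactly as the pipeline does: OnAuthorization -> IsAuthorized -> HandleUnauthorizedRequest.
    // Returns 401 when the request was short-circuited, or null when the action would have run.
    public static HttpStatusCode? Run(AuthorizeAttribute filter, IPrincipal principal)
    {
        var context = BuildContext(principal);
        filter.OnAuthorization(context);
        return context.Response?.StatusCode;
    }
}
```

Run(new ProbeAuthorize { Verdict = false }, null) returns HttpStatusCode.Unauthorized and the controller action is never invoked, while Verdict = true returns null and the pipeline proceeds to the action.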