有没有办法绕过"绕过" asp.net核心授权?我注意到Authorize属性不再具有AuthorizeCore方法,您可以使用该方法决定是否继续使用auth。
Pre .net核心你可以这样做:
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
// no auth in debug mode please
#if DEBUG
return true;
#endif
return base.AuthorizeCore(httpContext);
}
我希望我不会错过任何明显明显的东西,但如果需要的话,能够在DEBUG中跳过auth工作流程会更好。我还没能找到.net core
答案 0 :(得分:7)
只需添加一个匿名过滤器就可以做到这一点,简单易行。
services.AddMvc(opts =>
{
opts.Filters.Add(new AllowAnonymousFilter());
});
参考:https://www.illucit.com/asp-net/asp-net-core-2-0-disable-authentication-development-environment/
答案 1 :(得分:3)
正如评论中所指出的,您可以为所有需求处理程序创建基类。
public abstract class RequirementHandlerBase<T> : AuthorizationHandler<T> where T : IAuthorizationRequirement
{
protected sealed override Task HandleRequirementAsync(AuthorizationHandlerContext context, T requirement)
{
#if DEBUG
context.Succeed(requirement);
return Task.FromResult(true);
#else
return HandleAsync(context, requirement);
#endif
}
protected abstract Task HandleAsync(AuthorizationHandlerContext context, T requirement);
}
然后从此基类派生您的需求处理程序。
public class AgeRequirementHandler : RequirementHandlerBase<AgeRequirement>
{
protected override HandleAsync(AuthorizationHandlerContext context, AgeRequirement requirement)
{
...
}
}
public class AgeRequirement : IRequrement
{
public int MinimumAge { get; set; }
}
然后注册它。
services.AddAuthorization(options =>
{
options.AddPolicy("Over18",
policy => policy.Requirements.Add(new AgeRequirement { MinimumAge = 18 }));
});
答案 2 :(得分:1)
我想到了两种可能的解决方案。
首先是使用假Authentication Middleware。您可以创建像this这样的虚假身份验证中间件。你的Startup.cs应该是这样的(你应该照顾假服务):
private IHostingEnvironment _env;
public Startup(IHostingEnvironment env)
{
_env = env;
// other stuff
}
public void ConfigureServices(IServiceCollection services)
{
// ...
if (_env.IsDevelopment())
{
// dev stuff
services.AddTransient<ISomeService, FakeSomeService>();
}
else
{
// production stuff
services.AddTransient<ISomeService, SomeService>();
}
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseFakeAuthentication();
}
else
{
app.UseRealAuthentication();
}
}
第二是使用多个处理程序(如@Tseng所说)。在这种情况下,我会写这样的东西:
private IHostingEnvironment _env;
public Startup(IHostingEnvironment env, IApplicationEnvironment appEnv)
{
_env = env;
// other stuff
}
public void ConfigureServices(IServiceCollection services)
{
// ...
if (_env.IsDevelopment())
{
// dev stuff
services.AddSingleton<IAuthorizationHandler, FakeAuthorizationHandler>();
}
else
{
// production stuff
services.AddSingleton<IAuthorizationHandler, RealAuthorizationHandler>();
}
}
答案 3 :(得分:1)
扩大John_J的答案:
public void ConfigureServices(IServiceCollection services)
{
...
#if DEBUG
services.AddMvc(opts =>
{
opts.Filters.Add(new AllowAnonymousFilter());
});
#else
services.AddMvc();
#endif
}
答案 4 :(得分:0)
您可以定义自己的处理程序以禁用授权:
public class DisableAuthorizationHandler<TRequirement> : AuthorizationHandler<TRequirement>
where TRequirement : IAuthorizationRequirement
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement)
{
context.Succeed(requirement);
return Task.CompletedTask;
}
}
然后注册:
public void ConfigureServices(IServiceCollection services)
{
//...
#if DEBUG
services.AddTransient<IAuthorizationHandler, DisableAuthorizationHandler<IAuthorizationRequirement>>();
#endif
//...
}
答案 5 :(得分:0)
对于仍然需要获取伪造的User对象的人,下面的解决方案可以解决问题:
app.Use(async (context, next) =>
{
context.User = new System.Security.Claims.ClaimsPrincipal(new ClaimsIdentity(new Claim[]
{
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Guid.NewGuid().ToString()),
}, "test"));
await next.Invoke();
});
app.UseMvc();
如果 DefaultScheme 是“ Cookies ”,该解决方案应该可以正常工作。