ASP.NET Core: authorizing and securing a RESTful API

Time: 2016-10-11 14:48:05

Tags: asp.net-mvc asp.net-web-api authorization asp.net-core-1.0

I am trying to secure my API by providing a custom implementation of the Authorize attribute.

The user is authorized based on the resource and operation I specify for each action. In ASP.NET MVC it works like this:

    [CustomAuthorize(Resource = "Values", Operation = "List")]
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }

In the CustomAuthorize class I verify that the logged-in user has been granted access to this resource by checking the permissions in their roles.

    using System.Web;
    using System.Web.Mvc;

    public class CustomAuthorize : AuthorizeAttribute
    {
        public string Resource { get; set; }
        public string Operation { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // validation here: check the logged-in user's role permissions for Resource/Operation
            return base.AuthorizeCore(httpContext);
        }
    }

How do I implement this in ASP.NET Core? Is it done through custom policy-based authorization, and how do I pass the operation and resource parameters?

1 answer:

Answer 0 (score: 1)

I implemented it using IAuthorizationRequirement and AuthorizationHandler. I pass the resource/operation as a single string. In ResourceRequirementHandler I split it on "/" and then run the logic based on (resource and operation):

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;

    namespace ResoucreAPIs.Filters
    {
        public class ResourceRequirement : IAuthorizationRequirement
        {
            public ResourceRequirement(string resource)
            {
                Resource = resource;
            }

            // Public so the handler can read the "Resource/Operation" string (e.g. "AdList/Read")
            public string Resource { get; }
        }

        public class ResourceRequirementHandler : AuthorizationHandler<ResourceRequirement>
        {
            protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                ResourceRequirement requirement)
            {
                // Check whether the user can access this resource by validating
                // "requirement" against the set of permissions in their claims identity;
                // call context.Succeed(requirement) only when the check passes.
                return Task.CompletedTask;
            }
        }
    }

Then register the handler and all related policies, and call this from ConfigureServices in the Startup class:

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.Extensions.DependencyInjection;

    protected void SetResourceAuthorizationRequirements(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("AdSingleRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdSingle/Read")));
            options.AddPolicy("AdListRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdList/Read")));
            options.AddPolicy("AdByCustomerRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdByCustomer/Read")));
            options.AddPolicy("AdModify", policy => policy.Requirements.Add(new Filters.ResourceRequirement("Ad/Modify")));
            options.AddPolicy("AdDelete", policy => policy.Requirements.Add(new Filters.ResourceRequirement("Ad/Delete")));
        });

        // The handler holds no per-request state, so a singleton is appropriate
        services.AddSingleton<IAuthorizationHandler, Filters.ResourceRequirementHandler>();
    }

Then specify these policies on each action:

    [HttpGet]
    [Authorize(Policy = "AdListRead")]
    public IEnumerable<string> GetAllAds()
    {
        return new string[] { "value1", "value2" };
    }

    [HttpGet("{id}")]
    [Authorize(Policy = "AdSingleRead")]
    public string Get(int id)
    {
        return "value";
    }

    [HttpPost]
    [Authorize(Policy = "AdModify")]
    public void Post([FromBody]string value)
    {
    }

    [HttpPut("{id}")]
    [Authorize(Policy = "AdModify")]
    public void Put(int id, [FromBody]string value)
    {
    }

    [HttpDelete("{id}")]
    [Authorize(Policy = "AdDelete")]
    public void Delete(int id)
    {
    }
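The answer above leaves the handler body as a stub. As an added example (not the answer's own code), the following fills it in and exercises it without an HTTP pipeline: the requirement parses the "Resource/Operation" string at policy-registration time, and the handler grants access only when the user carries a matching claim. The claim type "permission", the "Resource/*" wildcard convention, and the Demo/IsAllowed helper are assumptions introduced here, not something the original post specifies.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Added example, not the answer's code. Assumed convention: permissions are claims of
// type "permission" whose value is "Resource/Operation"; "Resource/*" grants every operation.
public class ResourceRequirement : IAuthorizationRequirement
{
    public string Resource { get; }
    public string Operation { get; }

    public ResourceRequirement(string resourceAndOperation)
    {
        // Split "AdList/Read" into ("AdList", "Read") once, at startup. A malformed
        // string throws here instead of silently producing a requirement that never matches.
        var parts = resourceAndOperation.Split('/');
        if (parts.Length != 2 || parts.Any(string.IsNullOrWhiteSpace))
            throw new ArgumentException("Expected \"Resource/Operation\"", nameof(resourceAndOperation));
        Resource = parts[0];
        Operation = parts[1];
    }
}

public class ResourceRequirementHandler : AuthorizationHandler<ResourceRequirement>
{
    public const string PermissionClaimType = "permission"; // assumed claim type

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   ResourceRequirement requirement)
    {
        // Fail closed: nothing is granted unless Succeed is called. An anonymous user
        // or a user with no matching claim leaves the requirement unmet (401/403).
        if (context.User?.Identity?.IsAuthenticated != true)
            return Task.CompletedTask;

        string exact = $"{requirement.Resource}/{requirement.Operation}";
        string wildcard = $"{requirement.Resource}/*";

        bool granted = context.User.FindAll(PermissionClaimType)
            .Select(c => c.Value)
            .Any(v => string.Equals(v, exact, StringComparison.OrdinalIgnoreCase)
                   || string.Equals(v, wildcard, StringComparison.OrdinalIgnoreCase));

        if (granted)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

// Drives the handler directly with a constructed ClaimsPrincipal (no web host needed).
public static class Demo
{
    public static async Task<bool> IsAllowed(IEnumerable<string> permissions, string policyResource)
    {
        var claims = permissions.Select(p => new Claim(ResourceRequirementHandler.PermissionClaimType, p));
        // A non-null authentication type makes IsAuthenticated true
        var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "Test"));
        var requirement = new ResourceRequirement(policyResource);
        var ctx = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        await new ResourceRequirementHandler().HandleAsync(ctx);
        return ctx.HasSucceeded;
    }

    public static async Task Main()
    {
        // Constructed sample permissions for one user
        var perms = new[] { "AdList/Read", "Ad/*" };
        Console.WriteLine(await IsAllowed(perms, "AdList/Read"));   // exact claim match
        Console.WriteLine(await IsAllowed(perms, "Ad/Delete"));     // covered by the Ad/* wildcard
        Console.WriteLine(await IsAllowed(perms, "AdSingle/Read")); // no matching claim
    }
}
```

Registering this handler and the policies is the same as in the answer; the difference is that an unrecognised policy string now fails at startup, and the handler never calls Succeed on the unauthenticated path, so a missing claim cannot accidentally pass. If a single handler instance is registered as a singleton, keep it stateless as shown.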