Question

该方法已使用roles = admin：

进行保护

[Authorize(Roles = "admin")]
public class ValuesController : ApiController
{

    // GET api/values        
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }}

我成功地使用Webapi项目声明，其中Individual User Account被选中，其中声明admin被注入

public class ApplicationUser : IdentityUser
{
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager, string authenticationType)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);

        // Add custom user claims here
        userIdentity.AddClaim(new Claim(ClaimTypes.Role, "admin"));

        return userIdentity;
    }
}

现在我想使用Windows authentication选项进行测试，其中实现了IAuthenticationFilter：

public class CustomAuthenticationFilter : IAuthenticationFilter
{
    public bool AllowMultiple { get { return true; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var windowsPrincipal = context.Principal as WindowsPrincipal;
        if (windowsPrincipal != null)
        {
            var name = windowsPrincipal.Identity.Name;
            // TODO: fetch claims from db (i guess based on name)
            var identity = new ClaimsIdentity(windowsPrincipal.Identity);

            identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));

            var claimsPrincipal = new ClaimsPrincipal(identity);
            // here is the punchline - we're replacing original windows principal 
            // with our own claims principal


            context.Principal = claimsPrincipal;
        }

        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        return Task.FromResult(0);
    }
}

并添加到课程webapiconfig：

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services
        config.Filters.Add(new CustomAuthenticationFilter());

        ...
    }
}

在调试webapi项目时，声明admin位于User.Identity.Claims，但无法在方法/ api / values / get中授权。

有什么想法吗？

Answer 1

默认身份RoleClaimType为identity/claims/groupsid，不是role。

通过在RoleClaimType构造函数中将identity/claims/role设置为ClaimsIdentity，我们可以通过[Authorize(Roles = "admin")]

public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var windowsPrincipal = context.Principal as WindowsPrincipal;
        if (windowsPrincipal != null)
        {
            var name = windowsPrincipal.Identity.Name;

            // TODO: fetch claims from db (i guess based on name)                
            var identity = new ClaimsIdentity(windowsPrincipal.Identity,
                null,
                "Negotiate",
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                "http://schemas.microsoft.com/ws/2008/06/identity/claims/role");
            //identity

            identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));

            var claimsPrincipal = new ClaimsPrincipal(identity);
            // here is the punchline - we're replacing original windows principal 
            // with our own claims principal


            context.Principal = claimsPrincipal;
        }

        return Task.FromResult(0);
    }

这是新身份：

使用Windows身份验证的webapi-use声明

1 个答案: