我正在使用.Net Core 2.1和AngularJS制作应用程序。 在我的.Net Core应用程序中,有一些方法允许经过身份验证和未经身份验证的用户访问。
这是我的个人档案方法
/// <summary>
/// Find personal profile.
/// </summary>
/// <param name="id">Id of user. 0 for the request sender profile</param>
/// <returns></returns>
[HttpGet("personal-profile/{id}")]
[AllowAnonymous]
public async Task<IActionResult> FindProfile([FromRoute] int? id)
{
// Get requester identity.
var profile = IdentityService.GetProfile(HttpContext);
// Search for accounts.
var accounts = UnitOfWork.Accounts.Search();
if (id == null || id < 1)
{
if (profile != null)
accounts = accounts.Where(x => x.Id == profile.Id);
else
return Ok();
}
else
accounts = accounts.Where(x => x.Id == id);
// Only search for active account.
accounts = accounts.Where(x => x.Status == AccountStatus.Available);
// Find the first account in system.
var account = await accounts.FirstOrDefaultAsync();
return Ok(account);
}
这是我的AuthorizationHandler类。
/// <summary>
/// Handle requirement asychronously.
/// </summary>
/// <param name="context"></param>
/// <param name="requirement"></param>
/// <returns></returns>
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
SolidAccountRequirement requirement)
{
// Convert authorization filter context into authorization filter context.
var authorizationFilterContext = (AuthorizationFilterContext) context.Resource;
//var httpContext = authorizationFilterContext.HttpContext;
var httpContext = _httpContextAccessor.HttpContext;
// Find claim identity attached to principal.
var claimIdentity = (ClaimsIdentity) httpContext.User.Identity;
// Find email from claims list.
var email =
claimIdentity.Claims.Where(x => x.Type.Equals(ClaimTypes.Email))
.Select(x => x.Value)
.FirstOrDefault();
// Email is invalid.
if (string.IsNullOrEmpty(email))
{
context.Fail();
return;
}
// Find accounts based on conditions.
var accounts = _unitOfWork.Accounts.Search();
accounts = accounts.Where(x =>
x.Email.Equals(email, StringComparison.InvariantCultureIgnoreCase) && x.Status == AccountStatus.Available);
// Find the first matched account in the system.
var account = await accounts.FirstOrDefaultAsync();
// Account is not found.
if (account == null)
return;
// Initiate claim identity with newer information from database.
var claimsIdentity = new ClaimsIdentity();
claimsIdentity.AddClaim(new Claim(ClaimTypes.Email, email));
claimsIdentity.AddClaim(new Claim(ClaimTypes.Name, account.Nickname));
claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, Enum.GetName(typeof(AccountRole), account.Role)));
claimsIdentity.AddClaim(new Claim(ClaimTypes.Authentication,
Enum.GetName(typeof(AccountStatus), account.Status)));
// Update claim identity.
_identityService.SetProfile(httpContext, account);
context.Succeed(requirement);
}
这就是我正在做的事。
AuthorizationHandler
中,检查请求标识(由JWT Bearer中间件解析)httpContext.Items[ClaimTypes.Actor]
这是我的代码中发生的事情:
- 使用邮递员向api/user/personal-profile/0
发送请求以获取请求发件人资料。
- 在FindProfile
中,profile
变量为空而不是用户信息,这意味着AuthorizationHandler
未被触发。
如果我从[AllowAnonymous]
方法移除FindProfile
属性,一切正常。
请参阅下面我附上的2张图片以获取更多信息:
我的问题是:
我们可以使用AllowAnonymous方法触发AuthorizationHandler
。在我的系统中,这两种用户都可以使用一些API。
谢谢
答案 0 :(得分:3)
> Can we make AuthorizationHandler be triggered with AllowAnonymous method?
[AllowAnonymous]
绕过所有授权声明。如果您对AuthorizeFilter.OnAuthorizationAsync
实施中的this is the corresponding code感兴趣。
if (context.Filters.Any(item => item is IAllowAnonymousFilter))
{
return;
}
考虑删除AllowAnonymous
并添加一些自定义逻辑。例如,您可以创建自己的MVC过滤器。让我们说:
public class MyAllowAnonymous : ActionFilterAttribute {}
然后在AuthorizationHandler
中检查authorizationFilterContext.Filters
集合是否包含此过滤器。如果是,则返回context.Succeed(requirement);
。
考虑与另一个AuthorizationHandler
创建IAuthorizationRequirement
的单独实现。
而不是过滤器检查您可以通过authorizationFilterContext.ActionDescriptor
直接获取路由名称,并决定是否允许匿名访问。但是你的AuthorizationHandler应该知道路由列表。