我在下面创建了一个自定义处理程序，它实现了策略授权逻辑，这部分属于我的 API；另一方面，我还有一个 Web 应用程序在消费该 API 的资源，而后者使用 [Authorize(Policy = "MyPolicy")]。
在我的控制器上:
[Authorize(Policy = "MyCustomePolicy")]
public IActionResult GetApplications(….)
我的自定义处理程序实现
// Marker requirement: carries no data of its own, it only identifies the rule
// that MustBeASpecificAuthorizationHandler evaluates.
public class ASpecificAuthorizationRequirement : IAuthorizationRequirement
{
    // Explicit parameterless constructor; there is nothing to initialise.
    public ASpecificAuthorizationRequirement() { }
}
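// Handler for ASpecificAuthorizationRequirement.
// Succeeds only when the request comes through the MVC authorization filter
// (context.Resource is an AuthorizationFilterContext) and the caller's "sub"
// claim equals a hard-coded test identity. Every other path calls Fail() so
// no other handler can satisfy the requirement.
public class MustBeASpecificAuthorizationHandler : AuthorizationHandler<ASpecificAuthorizationRequirement>
{
    // for testing: the single identity that is accepted as owner.
    private const string TestOwnerId = "d860efca-22d9-47fd-8249-791ba61b07c7";

    // context:     the authorization context; its Resource is expected to be an
    //              AuthorizationFilterContext (MVC filter pipeline, UseMvc).
    // requirement: the requirement being evaluated.
    // Returns a completed task; the outcome is recorded on context via Succeed/Fail.
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ASpecificAuthorizationRequirement requirement)
    {
        // Reject anything that is not an MVC filter invocation.
        if (!(context.Resource is AuthorizationFilterContext))
        {
            context.Fail();
            return Task.CompletedTask;
        }

        // Previously FirstOrDefault(c => c.Type == "sub").Value, which threw a
        // NullReferenceException (500) when the token carried no "sub" claim.
        // A missing claim now fails authorization instead.
        var ownerId = context.User.FindFirst("sub")?.Value;
        if (ownerId == null)
        {
            context.Fail();
            return Task.CompletedTask;
        }

        // for testing: ordinal comparison against the fixed owner id.
        if (!string.Equals(ownerId, TestOwnerId, StringComparison.Ordinal))
        {
            context.Fail();
            return Task.CompletedTask;
        }

        context.Succeed(requirement);
        return Task.CompletedTask;
    }
}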
在我的API级别注册我的自定义策略:
在 Startup 类中
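// Registers MVC, the "MyCustomePolicy" authorization policy and its handler,
// IdentityServer bearer authentication, CORS, options and Swagger.
// services: the application's service collection.
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    // Policies are looked up by name in the process that evaluates the
    // [Authorize(Policy = ...)] attribute, so this registration only serves
    // this API; a consuming web app that decorates its own actions with a
    // policy name must register that policy in its own Startup as well.
    services.AddAuthorization(authorizationOptions =>
    {
        authorizationOptions.AddPolicy(
            "MyCustomePolicy",
            policyBuilder =>
            {
                policyBuilder.RequireAuthenticatedUser();
                // The requirement type must match the handler registered below:
                // MustBeASpecificAuthorizationHandler derives from
                // AuthorizationHandler<ASpecificAuthorizationRequirement>. The
                // policy previously added a MustOwnImageRequirement, for which no
                // handler is registered here, so the policy could never succeed.
                policyBuilder.AddRequirements(new ASpecificAuthorizationRequirement());
            });
    });

    services.AddScoped<IAuthorizationHandler, MustBeASpecificAuthorizationHandler>();

    // Bearer tokens are validated against the IdentityServer authority for
    // the "docapi" API resource.
    services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://localhost:44329/";
            options.ApiName = "docapi";
        });

    services.AddCors();
    services.AddOptions();

    services.AddSwaggerGen(c =>
    {
        c.SwaggerDoc("v1", new Info { Title = "Document Api", Version = "v1" });
    });

    services.ConfigureDependencies(Configuration);
}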
Configure
// Builds the request pipeline: exception handling, authentication, CORS,
// IP rate limiting, Swagger, then MVC. Authentication is wired up before
// UseMvc so the [Authorize] policies on controllers see the authenticated
// principal.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IConfiguration configuration)
{
    var isDevelopment = env.IsDevelopment();
    var isStaging = env.IsStaging();

    // NOTE(review): the developer exception page is also enabled in Staging;
    // it exposes stack traces and request details, so that environment
    // should not be reachable by untrusted clients.
    if (isDevelopment || isStaging)
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        // Production: a generic 500 with no exception details in the body.
        app.UseExceptionHandler(errorApp => errorApp.Run(async context =>
        {
            context.Response.StatusCode = 500;
            await context.Response.WriteAsync("An unexpected fault happened. Try again later.");
        }));
    }

    // Runs before UseMvc so API access is decided before the MVC middleware.
    app.UseAuthentication();

    // Only the web front end origin is allowed cross-origin.
    app.UseCors(cors => cors.WithOrigins("https://localhost:44345"));

    app.UseIpRateLimiting();

    #region Swagger
    // Generated Swagger document as a JSON endpoint.
    app.UseSwagger();
    // swagger-ui assets (HTML, JS, CSS, ...).
    app.UseSwaggerUI(ui =>
    {
        // The explicit /swagger prefix works around an endpoint path issue.
        ui.SwaggerEndpoint("/swagger/v1/swagger.json", "Document API V1");
    });
    #endregion

    app.UseMvc();
}
当我运行调用该 API 的网站时出现了下面这个错误，而到目前为止我还没有发现哪里出了问题。
InvalidOperationException: The AuthorizationPolicy named: 'MyCustomePolicy' was not found.
但是，要让它生效，我必须在 API 以及使用该 API 的网站中都注册我的策略，这一点我不理解。策略应当在应用程序级别起作用；在这种情况下，被调用的 API 应该由其自身的身份验证层来处理。有人能为我指出正确的方向吗？