我在我的API上有一条授权策略,该策略可以验证标题中是否有我希望授权该API继续进行的东西。它工作正常,但如果用户未获得授权,我将自定义错误响应。实际上,它是使用401响应的,例如我将使用403响应。
这是我的代码:
API
[HttpPost("search/")]
[Authorize(Policy = "SearchSomething")]
public ActionResult<IEnumerable<DtoSomethingGeneral>> GetSomethingFiltered([FromBody] GeneralFilters Filters)
启动
services.AddAuthorization(options =>
{
options.AddPolicy("SearchSomething", policy =>
{
policy.Requirements.Add(new AuthorizationDtoRequirement(permission.SearchSomething));
});
授权消耗
public class AuthorizationDtoRequirement : IAuthorizationRequirement
{
public AuthorizationDtoRequirement(string permission)
{
Permission = permission;
}
public string Permission { get; set; }
}
public class AuthorizationDtoHandler : AuthorizationHandler <AuthorizationDtoRequirement>
{
IHttpContextAccessor _httpContextAccessor = null;
public AuthorizationDtoHandler(IHttpContextAccessor httpContextAccessor)
{
_httpContextAccessor = httpContextAccessor;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AuthorizationDtoRequirement requirement)
{
HttpContext httpContext = _httpContextAccessor.HttpContext;
string authHeader = httpContext.Request.Headers["UserPermission"];
if (authHeader != null && authHeader.Contains(requirement.Permission))
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
struct permission
{
public const string SearchSomething = "CAN_SEARCH_SOMETHING"; //The string in the header necessary to authorize the user
}
}