如何为Blazor页面实现自定义授权过滤器

Question

Blazor服务器端.NET Core 3.1.x 查看有关授权的示例，我正在尝试为自定义授权过滤器/属性提供解决方案。我只需要在授权过程中检查用户身份即可。

https://docs.microsoft.com/en-us/aspnet/core/security/blazor/?view=aspnetcore-3.1

在Blazor页面的顶部，在@page之后

@attribute [MyAuthFilter]

过滤器。但是，OnAuthorization永远不会受到打击。

public class MyAuthFilter: AuthorizeAttribute,IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var httpContext = context.HttpContext;


        // get user name
        string userName = httpContext.User.Identity.Name;

        // todo - call method to check user access
        // check against list to see if access permitted
        //context.Result = new UnauthorizedResult();

    }
}

Answer 1

以下代码段描述了如何执行授权过程，以及如何以及在何处显示授权用户的内容。您可以根据此处显示的代码构建自己的组件：

Profile.razor

@page "/profile"
@page "/profile/{id}"


<AuthorizeView Policy="CanEditProfile" Resource="@ID">
    <NotAuthorized>
       <h2 class="mt-5">You are not authorized to view this page</h2>
    </NotAuthorized>
<Authorized>
    <div class="container my-profile">
        <h2>My Profile</h2>
        --- Place here all the content you want your user to view ----
    </div>
 </Authorized>
</AuthorizeView>

@code {

    [Parameter]
    public string ID { get; set; }
}  

ProfileHandler.cs

public class ProfileHandler : IAuthorizationHandler
{
    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        if (context.User != null)
        {
            var pendingRequirements = context.PendingRequirements.ToList();

            foreach (var requirement in pendingRequirements)
            {
                if (requirement is ProfileOwnerRequirement)
                {
                    // get profile id from resource, passed in from blazor 
                    //  page component
                    var resource = context.Resource?.ToString();
                    var hasParsed = int.TryParse(resource, out int 
                                                       profileID);
                    if (hasParsed)
                    {

                        if (IsOwner(context.User, profileID))
                        {
                            context.Succeed(requirement);
                        }
                    }
                }
            }

        }
        return Task.CompletedTask;
    }
    private bool IsOwner(ClaimsPrincipal user, int profileID)
    {
        // compare the requested memberId to the user's actual claim of 
        // memberId
        //  var isAuthorized = context.User.GetMemberIdClaim();
        // now we know if the user is authorized or not, and can act 
        // accordingly

        var _profileID = user.GetMemberIDClaim();


        return _profileID == profileID;
     }

 }

ProfileOwnerRequirement.cs

 public class ProfileOwnerRequirement : IAuthorizationRequirement
 {
    public ProfileOwnerRequirement() { }

 }

启动类

services.AddSingleton<IAuthorizationHandler, ProfileHandler>();

        services.AddAuthorization(config =>
        {
            config.AddPolicy("CanEditProfile", policy =>
                policy.Requirements.Add(new ProfileOwnerRequirement()));
        });

希望这会有所帮助！