ASP.NET Core: Authorize and Secure RESTful APIs

I am trying to secure my API by providing a custom implementation of the Authorize attribute.

Users are authorized according to the Resource and Operation I specify for each action. In ASP.NET MVC it works like this:

    // closing bracket of the attribute was missing in the original listing
    [CustomAuthorize(Resource = "Values", Operation = "List")]
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }

In the CustomAuthorize class I verify that the logged-in user has been granted access to this resource by checking the permissions in their roles.

    public class CustomAuthorize : AuthorizeAttribute
    {
        public string Resource { get; set; }
        public string Operation { get; set; }

        // validation here
    }

How do I implement this in ASP.NET Core? Is it done through custom policy-based authorization, and if so, how do I pass the Operation and Resource parameters?


I implemented it using IAuthorizationRequirement and AuthorizationHandler. I pass the resource/operation as a single string. In ResourceRequirementHandler I split it on "/" and then apply the check based on (resource and operation):

namespace ResoucreAPIs.Filters
{
    using System;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;

    public class ResourceRequirement : IAuthorizationRequirement
    {
        public ResourceRequirement(string resource)
        {
            Resource = resource;
        }

        // "Resource/Operation", e.g. "Ad/Delete"; public so the handler can read it
        public string Resource { get; }
    }

    public class ResourceRequirementHandler : AuthorizationHandler<ResourceRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
            ResourceRequirement requirement)
        {
            // split "Resource/Operation" and check it against the permissions in the
            // user's claims identity (assumed here to be "permission" claims that carry
            // the same "Resource/Operation" string)
            var parts = requirement.Resource.Split('/');
            if (parts.Length == 2 &&
                context.User.HasClaim(c => c.Type == "permission" &&
                                           c.Value == parts[0] + "/" + parts[1]))
            {
                context.Succeed(requirement);
            }
            // if the permission is not present, do nothing: an unmet requirement fails the policy
            return Task.CompletedTask;
        }
    }
}

Then register the handler and all the related policies; this is called from "ConfigureServices" in the Startup class:

   protected void SetResourceAuthorizationRequirements(IServiceCollection services)
    {

        services.AddAuthorization(options =>
        {
            options.AddPolicy("AdSingleRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdSingle/Read")));
            options.AddPolicy("AdListRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdList/Read")));
            options.AddPolicy("AdByCustomerRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdByCustomer/Read")));
            options.AddPolicy("AdModify", policy => policy.Requirements.Add(new Filters.ResourceRequirement("Ad/Modify")));
            options.AddPolicy("AdDelete", policy => policy.Requirements.Add(new Filters.ResourceRequirement("Ad/Delete"))); 
        });

        services.AddSingleton<IAuthorizationHandler, Filters.ResourceRequirementHandler>();

    }

Specify these policies on each action:

    [HttpGet]
    [Authorize(Policy = "AdListRead")]
    public IEnumerable<string> GetAllAds()
    {
        return new string[] { "value1", "value2" };
    }

    [HttpGet("{id}")]
    [Authorize(Policy = "AdSingleRead")]
    public string Get(int id)
    {
        return "value";
    }

    [HttpPost]
    [Authorize(Policy = "AdModify")]
    public void Post([FromBody]string value)
    {
    }


    [HttpPut("{id}")]
    [Authorize(Policy = "AdModify")]
    public void Put(int id, [FromBody]string value)
    {
    }


    [HttpDelete("{id}")]
    [Authorize(Policy = "AdDelete")]
    public void Delete(int id)
    {
    }
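A fuller version of the same approach, added here as an example and not code from the question or the answer above. The requirement carries Resource and Operation as two values instead of one string, the handler checks them against the user's permission claims (the claim type "permission" and the "Resource/Operation" claim value are assumptions about how permissions reach the identity), a ResourceAuthorizeAttribute passes the two parameters the way the MVC CustomAuthorize attribute did, and an IAuthorizationPolicyProvider derived from DefaultAuthorizationPolicyProvider builds a "Resource/Operation" policy on demand, so each pair does not need its own AddPolicy line. The Demo class runs the handler directly against a constructed ClaimsPrincipal, without a web host.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Options;

// Added example, not the question's or answer's code. Assumes permissions arrive
// as "permission" claims whose value is "Resource/Operation" (e.g. "Ad/Delete").
public sealed class ResourceOperationRequirement : IAuthorizationRequirement
{
    public string Resource { get; }
    public string Operation { get; }

    public ResourceOperationRequirement(string resource, string operation)
    {
        Resource = resource ?? throw new ArgumentNullException(nameof(resource));
        Operation = operation ?? throw new ArgumentNullException(nameof(operation));
    }

    // Policy names have the form "Resource/Operation"; anything else is rejected.
    public static bool TryParse(string policyName, out ResourceOperationRequirement requirement)
    {
        requirement = null;
        var parts = policyName?.Split('/');
        if (parts == null || parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            return false;
        requirement = new ResourceOperationRequirement(parts[0], parts[1]);
        return true;
    }
}

public sealed class ResourceOperationHandler : AuthorizationHandler<ResourceOperationRequirement>
{
    public const string PermissionClaimType = "permission"; // assumed claim type

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        ResourceOperationRequirement requirement)
    {
        var wanted = requirement.Resource + "/" + requirement.Operation;
        // Ordinal comparison: permission keys are identifiers, not natural-language text.
        if (context.User.HasClaim(c => c.Type == PermissionClaimType
                                    && string.Equals(c.Value, wanted, StringComparison.Ordinal)))
        {
            context.Succeed(requirement);
        }
        // Without a Succeed call the requirement stays unmet and the policy fails (fail closed).
        return Task.CompletedTask;
    }
}

// [ResourceAuthorize("Ad", "Delete")] sets Policy = "Ad/Delete", like the MVC attribute did.
public sealed class ResourceAuthorizeAttribute : AuthorizeAttribute
{
    public ResourceAuthorizeAttribute(string resource, string operation)
    {
        Policy = resource + "/" + operation;
    }
}

// Builds a policy for any "Resource/Operation" name that was not registered with AddPolicy.
public sealed class ResourceOperationPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public ResourceOperationPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        var registered = await base.GetPolicyAsync(policyName);
        if (registered != null) return registered;
        return ResourceOperationRequirement.TryParse(policyName, out var requirement)
            ? new AuthorizationPolicyBuilder().AddRequirements(requirement).Build()
            : null;
    }
}

public static class Demo
{
    // Runs the handler directly, without a web host, and reports whether the requirement was met.
    public static async Task<bool> IsAllowedAsync(ClaimsPrincipal user, string resource, string operation)
    {
        var requirement = new ResourceOperationRequirement(resource, operation);
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, null);
        await new ResourceOperationHandler().HandleAsync(context);
        return context.HasSucceeded;
    }

    public static async Task Main()
    {
        // Constructed test principal; a real app gets these claims from sign-in or a token.
        var user = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ResourceOperationHandler.PermissionClaimType, "AdList/Read"),
            new Claim(ResourceOperationHandler.PermissionClaimType, "Ad/Modify"),
        }, "test"));

        Console.WriteLine(await IsAllowedAsync(user, "Ad", "Modify"));
        Console.WriteLine(await IsAllowedAsync(user, "Ad", "Delete"));
    }
}
```

To wire it up, register `services.AddSingleton<IAuthorizationPolicyProvider, ResourceOperationPolicyProvider>()` and `services.AddSingleton<IAuthorizationHandler, ResourceOperationHandler>()` in ConfigureServices and decorate actions with `[ResourceAuthorize("Ad", "Delete")]`. The handler only ever calls Succeed, never Fail, so a missing or malformed permission leaves the requirement unmet and the request is denied; a parse failure in the policy provider returns null, which ASP.NET Core reports as an unknown policy rather than silently allowing the request.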
Source: http://www.djcxy.com/p/90183.html
