ASP.NET Core: Authorize and Secure Restful APIs

I am trying to protect my APIs by providing a custom implementation of the Authorize attribute.

Users are authorized based on a resource and an operation, which I specify for each action. In ASP.NET MVC, it worked like this:

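    /// <summary>
    /// Lists the values. The <see cref="CustomAuthorize"/> filter runs before this
    /// body and is expected to reject callers that do not hold the "List" operation
    /// on the "Values" resource, so the body itself performs no permission check.
    /// </summary>
    /// <returns>The two sample values.</returns>
    // The original listing was missing the closing ']' on the attribute, which does not compile.
    [CustomAuthorize(Resource = "Values", Operation = "List")]
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }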

In the CustomAuthorize class, I check whether the logged-in user is allowed to access this resource by inspecting the permissions granted to the user's roles.

/// <summary>
/// MVC authorization filter that gates an action on a (resource, operation) pair
/// instead of on role membership alone. Both values are supplied as named attribute
/// arguments, e.g. <c>[CustomAuthorize(Resource = "Values", Operation = "List")]</c>.
/// </summary>
public class CustomAuthorize : AuthorizeAttribute
{
    /// <summary>Operation being attempted on the resource, e.g. "List".</summary>
    public string Operation { get; set; }

    /// <summary>Name of the protected resource, e.g. "Values".</summary>
    public string Resource { get; set; }

    // The check of (Resource, Operation) against the current user's role
    // permissions belongs here; the listing leaves it as a placeholder.
}

How do I implement that in ASP.NET Core? Is it done through custom policy-based authorization, and if so, how do I pass the Operation and Resource parameters?


I have implemented it using IAuthorizationRequirement and AuthorizationHandler. I pass the resource/operation as a single string; in ResourceRequirementHandler I split it on "/" and then apply my logic to the (Resource, Operation) pair:

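namespace ResoucreAPIs.Filters
{
    /// <summary>
    /// Authorization requirement for one "Resource/Operation" permission, e.g. "AdSingle/Read".
    /// One instance is created per policy at startup and handed to
    /// <see cref="ResourceRequirementHandler"/> on every request that uses that policy.
    /// </summary>
    public class ResourceRequirement : IAuthorizationRequirement
    {
        /// <summary>
        /// Creates a requirement from a "Resource/Operation" string and splits it once here,
        /// so the handler does not re-parse it on every request.
        /// </summary>
        /// <param name="resource">Permission in the form "Resource/Operation".</param>
        /// <exception cref="System.ArgumentException">
        /// Thrown when <paramref name="resource"/> is blank or is not exactly two non-empty
        /// parts separated by one '/'. Failing at construction surfaces a misconfigured policy
        /// at startup instead of as a silent deny at request time.
        /// </exception>
        public ResourceRequirement(string resource)
        {
            if (string.IsNullOrWhiteSpace(resource))
            {
                throw new System.ArgumentException("Expected a \"Resource/Operation\" string.", nameof(resource));
            }

            string[] parts = resource.Split('/');
            if (parts.Length != 2 || string.IsNullOrWhiteSpace(parts[0]) || string.IsNullOrWhiteSpace(parts[1]))
            {
                throw new System.ArgumentException(
                    "Expected exactly one '/' separating a non-empty resource and operation: \"" + resource + "\".",
                    nameof(resource));
            }

            _resource = resource;
            Resource = parts[0];
            Operation = parts[1];
        }

        /// <summary>
        /// Raw "Resource/Operation" string as passed to the constructor. Kept (protected,
        /// settable) so existing derived types still compile; new code should read
        /// <see cref="Resource"/> and <see cref="Operation"/> instead.
        /// </summary>
        protected string _resource { get; set; }

        /// <summary>Resource part of the permission, e.g. "AdSingle". Readable by the handler.</summary>
        public string Resource { get; }

        /// <summary>Operation part of the permission, e.g. "Read". Readable by the handler.</summary>
        public string Operation { get; }
    }

    /// <summary>
    /// Decides whether the current user holds the permission described by a
    /// <see cref="ResourceRequirement"/>. It is registered as a singleton, so it must
    /// not keep per-request state.
    /// </summary>
    public class ResourceRequirementHandler : AuthorizationHandler<ResourceRequirement>
    {
        /// <summary>
        /// Marks the requirement as satisfied only when the caller is authenticated and
        /// <see cref="HasPermission"/> grants the (Resource, Operation) pair. Not calling
        /// <c>context.Succeed</c> is sufficient to deny; <c>context.Fail</c> is deliberately
        /// not used so that other handlers for the same requirement are not vetoed.
        /// </summary>
        /// <param name="context">Current user and the pending requirements.</param>
        /// <param name="requirement">The permission the action's policy demands.</param>
        /// <returns>A completed task; the decision is recorded on <paramref name="context"/>.</returns>
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
            ResourceRequirement requirement)
        {
            // Anonymous callers never get past this point, whatever claims they carry.
            if (context.User == null || context.User.Identity == null || !context.User.Identity.IsAuthenticated)
            {
                return Task.CompletedTask;
            }

            if (HasPermission(context.User, requirement))
            {
                context.Succeed(requirement);
            }

            return Task.CompletedTask;
        }

        /// <summary>
        /// Permission lookup against the user's claims identity. The default denies everything
        /// (fail-closed); override it with the lookup of the claim that carries the user's
        /// granted "Resource/Operation" permissions.
        /// </summary>
        /// <param name="user">The authenticated principal.</param>
        /// <param name="requirement">The (Resource, Operation) pair being requested.</param>
        /// <returns>True only when the user is known to hold the permission.</returns>
        protected virtual bool HasPermission(System.Security.Claims.ClaimsPrincipal user, ResourceRequirement requirement)
        {
            // TODO: compare requirement.Resource / requirement.Operation against the
            // permissions stored in the user's claims (the claim type is project-specific).
            return false;
        }
    }
}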

Then register the handler and all associated policies, and call this method from ConfigureServices in the Startup class:

   /// <summary>
   /// Registers one authorization policy per "Resource/Operation" permission, plus the
   /// handler that evaluates them. Intended to be called from <c>Startup.ConfigureServices</c>.
   /// </summary>
   /// <param name="services">The application's service collection.</param>
   protected void SetResourceAuthorizationRequirements(IServiceCollection services)
    {
        // Policy name -> permission string, in registration order. The policy name is
        // what [Authorize(Policy = "...")] on an action refers to; a name used on an
        // action that is not listed here is a configuration error.
        var policyTable = new[]
        {
            new { Name = "AdSingleRead",     Permission = "AdSingle/Read" },
            new { Name = "AdListRead",       Permission = "AdList/Read" },
            new { Name = "AdByCustomerRead", Permission = "AdByCustomer/Read" },
            new { Name = "AdModify",         Permission = "Ad/Modify" },
            new { Name = "AdDelete",         Permission = "Ad/Delete" },
        };

        services.AddAuthorization(options =>
        {
            foreach (var entry in policyTable)
            {
                options.AddPolicy(entry.Name, policy => policy.Requirements.Add(new Filters.ResourceRequirement(entry.Permission)));
            }
        });

        // One handler instance serves every request, so it must not hold per-request state.
        services.AddSingleton<IAuthorizationHandler, Filters.ResourceRequirementHandler>();
    }

Finally, specify the appropriate policy on each action:

    /// <summary>
    /// GET on the controller route. The "AdListRead" policy (backed by the
    /// "AdList/Read" requirement) is evaluated before the body runs.
    /// </summary>
    /// <returns>Two sample values.</returns>
    [HttpGet]
    [Authorize(Policy = "AdListRead")]
    public IEnumerable<string> GetAllAds() => new[] { "value1", "value2" };

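    /// <summary>
    /// GET for a single item. The "AdSingleRead" policy (backed by the
    /// "AdSingle/Read" requirement) is evaluated before the body runs.
    /// </summary>
    /// <param name="id">Identifier of the requested item (unused by this stub).</param>
    /// <returns>A sample value.</returns>
    // Without a verb attribute and "{id}" template this action matched the bare
    // controller route for every HTTP method and could collide with GetAllAds on GET
    // (assuming the usual attribute-routed controller — confirm against the class).
    // The template also matches the sibling Put/Delete actions.
    [HttpGet("{id}")]
    [Authorize(Policy = "AdSingleRead")]
    public string Get(int id)
    {
        return "value";
    }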

    /// <summary>
    /// POST on the controller route. The "AdModify" policy (backed by the
    /// "Ad/Modify" requirement) gates the call; the body is a stub and ignores its input.
    /// </summary>
    /// <param name="value">Request body, bound by model binding.</param>
    [HttpPost]
    [Authorize(Policy = "AdModify")]
    public void Post([FromBody]string value) { }


    /// <summary>
    /// PUT for a single item. Shares the "AdModify" policy with <see cref="Post"/>;
    /// the body is a stub and ignores both arguments.
    /// </summary>
    /// <param name="id">Identifier taken from the route template.</param>
    /// <param name="value">Request body, bound by model binding.</param>
    [HttpPut("{id}")]
    [Authorize(Policy = "AdModify")]
    public void Put(int id, [FromBody]string value) { }


    /// <summary>
    /// DELETE for a single item. The "AdDelete" policy (backed by the "Ad/Delete"
    /// requirement) gates the call; the body is a stub and ignores the argument.
    /// </summary>
    /// <param name="id">Identifier taken from the route template.</param>
    [HttpDelete("{id}")]
    [Authorize(Policy = "AdDelete")]
    public void Delete(int id) { }