授权属性用户/角色
Authorize Attribute User / Roles
我是应用程序授权和安全方面的新手。我正在构建我的 angularjs 和使用 Owin 和 AspNet.Identity.EntityFramework 的网络 api 应用程序。我已经能够获得授权来强制用户注册/登录应用程序。现在我正在研究如何添加更具体的访问权限,例如管理员角色或特定用户以查看更敏感的数据。我从 [Authorize]
属性开始，它强制要求用户先登录。然后我添加了 [Authorize(User="tbryant")]，
结果其他用户乃至用户 tbryant 本人都无法访问。AspNetUsers 表中确实存在用户名为 tbryant 的记录。
这是我的 api 控制器的示例数据:
[RoutePrefix("api/Orders")]
public class OrdersController : ApiController
{
    /// <summary>
    /// GET api/Orders: returns the sample order list.
    /// The attribute limits access to the caller whose identity name is "tbryant";
    /// any other caller is rejected by the Authorize filter before this method runs.
    /// </summary>
    /// <returns>200 OK carrying the result of <see cref="Order.CreateOrders"/>.</returns>
    // NOTE(review): pinning an endpoint to a single user name is brittle; scoping
    // sensitive data by role (the attribute's Roles property) is the usual approach.
    [Authorize(Users = "tbryant")]
    [Route("")]
    public IHttpActionResult Get()
    {
        var orders = Order.CreateOrders();
        return Ok(orders);
    }
}
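public class Order
{
    /// <summary>Order number; distinct for every order in the sample set.</summary>
    public int OrderID { get; set; }

    /// <summary>Display name of the customer who placed the order.</summary>
    public string CustomerName { get; set; }

    /// <summary>City the order ships to.</summary>
    public string ShipperCity { get; set; }

    /// <summary>True once the order has been shipped.</summary>
    // Idiom: the C# keyword alias is used instead of System.Boolean (same type).
    public bool IsShipped { get; set; }

    /// <summary>
    /// Builds the fixed sample data served by the orders endpoint.
    /// Every call returns a new list, so callers may modify the result freely.
    /// </summary>
    /// <returns>Five hard-coded orders, in ascending <see cref="OrderID"/> order.</returns>
    public static List<Order> CreateOrders()
    {
        var orders = new List<Order>
        {
            new Order { OrderID = 10248, CustomerName = "Tee Joudeh", ShipperCity = "Cleveland", IsShipped = true },
            new Order { OrderID = 10249, CustomerName = "Ahmad Hasan", ShipperCity = "Columbus", IsShipped = false },
            new Order { OrderID = 10250, CustomerName = "Thomas Yaser", ShipperCity = "Detroit", IsShipped = false },
            new Order { OrderID = 10251, CustomerName = "Lena Jones", ShipperCity = "Ann Arbor", IsShipped = false },
            new Order { OrderID = 10252, CustomerName = "Yasmeen Rami", ShipperCity = "Bamberg", IsShipped = true }
        };
        return orders;
    }
}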
请确认 HttpContext 中 user.Identity.Name 的值确实等于 "tbryant"。
Authorize 属性的授权逻辑如下：
/// <summary>
/// Decides whether the current principal may reach the protected action.
/// The caller must be authenticated; when a Users list was configured the identity
/// name must match one entry (ordinal, case-insensitive); when a Roles list was
/// configured the principal must be in at least one of those roles.
/// </summary>
/// <param name="httpContext">Request context supplying the principal to check.</param>
/// <returns>True when every configured restriction is satisfied.</returns>
/// <exception cref="ArgumentNullException"><paramref name="httpContext"/> is null.</exception>
// NOTE(review): the HttpContextBase parameter is the shape of the System.Web.Mvc
// attribute; an ApiController is filtered by a different Authorize type — confirm
// which one is actually applied to OrdersController.
protected virtual bool AuthorizeCore(HttpContextBase httpContext)
{
    if (httpContext == null)
    {
        throw new ArgumentNullException("httpContext");
    }

    IPrincipal principal = httpContext.User;

    // Anonymous callers are rejected before any user/role matching happens.
    if (!principal.Identity.IsAuthenticated)
    {
        return false;
    }

    // An empty Users list means "no user restriction".
    bool userAllowed = _usersSplit.Length == 0
        || _usersSplit.Contains(principal.Identity.Name, StringComparer.OrdinalIgnoreCase);
    if (!userAllowed)
    {
        return false;
    }

    // An empty Roles list means "no role restriction"; otherwise one matching role suffices.
    bool roleAllowed = _rolesSplit.Length == 0 || _rolesSplit.Any(principal.IsInRole);
    return roleAllowed;
}
我是应用程序授权和安全方面的新手。我正在构建我的 angularjs 和使用 Owin 和 AspNet.Identity.EntityFramework 的网络 api 应用程序。我已经能够获得授权来强制用户注册/登录应用程序。现在我正在研究如何添加更具体的访问权限,例如管理员角色或特定用户以查看更敏感的数据。我从 [Authorize]
属性开始，它强制要求用户先登录。然后我添加了 [Authorize(User="tbryant")]，
结果其他用户乃至用户 tbryant 本人都无法访问。AspNetUsers 表中确实存在用户名为 tbryant 的记录。
这是我的 api 控制器的示例数据:
[RoutePrefix("api/Orders")]
public class OrdersController : ApiController
{
    /// <summary>
    /// GET api/Orders: returns the sample order list.
    /// The attribute limits access to the caller whose identity name is "tbryant";
    /// any other caller is rejected by the Authorize filter before this method runs.
    /// </summary>
    /// <returns>200 OK carrying the result of <see cref="Order.CreateOrders"/>.</returns>
    // NOTE(review): pinning an endpoint to a single user name is brittle; scoping
    // sensitive data by role (the attribute's Roles property) is the usual approach.
    [Authorize(Users = "tbryant")]
    [Route("")]
    public IHttpActionResult Get()
    {
        var orders = Order.CreateOrders();
        return Ok(orders);
    }
}
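public class Order
{
    /// <summary>Order number; distinct for every order in the sample set.</summary>
    public int OrderID { get; set; }

    /// <summary>Display name of the customer who placed the order.</summary>
    public string CustomerName { get; set; }

    /// <summary>City the order ships to.</summary>
    public string ShipperCity { get; set; }

    /// <summary>True once the order has been shipped.</summary>
    // Idiom: the C# keyword alias is used instead of System.Boolean (same type).
    public bool IsShipped { get; set; }

    /// <summary>
    /// Builds the fixed sample data served by the orders endpoint.
    /// Every call returns a new list, so callers may modify the result freely.
    /// </summary>
    /// <returns>Five hard-coded orders, in ascending <see cref="OrderID"/> order.</returns>
    public static List<Order> CreateOrders()
    {
        var orders = new List<Order>
        {
            new Order { OrderID = 10248, CustomerName = "Tee Joudeh", ShipperCity = "Cleveland", IsShipped = true },
            new Order { OrderID = 10249, CustomerName = "Ahmad Hasan", ShipperCity = "Columbus", IsShipped = false },
            new Order { OrderID = 10250, CustomerName = "Thomas Yaser", ShipperCity = "Detroit", IsShipped = false },
            new Order { OrderID = 10251, CustomerName = "Lena Jones", ShipperCity = "Ann Arbor", IsShipped = false },
            new Order { OrderID = 10252, CustomerName = "Yasmeen Rami", ShipperCity = "Bamberg", IsShipped = true }
        };
        return orders;
    }
}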
请确认 HttpContext 中 user.Identity.Name 的值确实等于 "tbryant"。
Authorize 属性的授权逻辑如下：
/// <summary>
/// Decides whether the current principal may reach the protected action.
/// The caller must be authenticated; when a Users list was configured the identity
/// name must match one entry (ordinal, case-insensitive); when a Roles list was
/// configured the principal must be in at least one of those roles.
/// </summary>
/// <param name="httpContext">Request context supplying the principal to check.</param>
/// <returns>True when every configured restriction is satisfied.</returns>
/// <exception cref="ArgumentNullException"><paramref name="httpContext"/> is null.</exception>
// NOTE(review): the HttpContextBase parameter is the shape of the System.Web.Mvc
// attribute; an ApiController is filtered by a different Authorize type — confirm
// which one is actually applied to OrdersController.
protected virtual bool AuthorizeCore(HttpContextBase httpContext)
{
    if (httpContext == null)
    {
        throw new ArgumentNullException("httpContext");
    }

    IPrincipal principal = httpContext.User;

    // Anonymous callers are rejected before any user/role matching happens.
    if (!principal.Identity.IsAuthenticated)
    {
        return false;
    }

    // An empty Users list means "no user restriction".
    bool userAllowed = _usersSplit.Length == 0
        || _usersSplit.Contains(principal.Identity.Name, StringComparer.OrdinalIgnoreCase);
    if (!userAllowed)
    {
        return false;
    }

    // An empty Roles list means "no role restriction"; otherwise one matching role suffices.
    bool roleAllowed = _rolesSplit.Length == 0 || _rolesSplit.Any(principal.IsInRole);
    return roleAllowed;
}