ASP.NET Core: Authorize and Secure Restful APIs

I am trying to secure my API by providing a custom implementation of the Authorize attribute.

Users are authorized based on the resource and operation I specify for each action. In ASP.NET MVC it works like this:

    // closing "]" of the attribute was missing
    [CustomAuthorize(Resource = "Values", Operation = "List")]
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }

In the CustomAuthorize class I verify that the logged-in user has been granted access to that resource by checking the permissions in their roles.

using System.Web.Mvc;

public class CustomAuthorize : AuthorizeAttribute
{
    public string Resource { get; set; }
    public string Operation { get; set; }

    // validation here: check the current user's role permissions for Resource/Operation
}

How do I implement this in ASP.NET Core? Is it done through custom policy-based authorization, and how do I pass the operation and resource parameters?

I have implemented it using IAuthorizationRequirement and AuthorizationHandler. I pass the resource/operation as a single string. In ResourceRequirementHandler I split it on "/" and then run my logic against the (resource, operation) pair:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

namespace ResourceAPIs.Filters
{
    public class ResourceRequirement : IAuthorizationRequirement
    {
        public ResourceRequirement(string resource)
        {
            Resource = resource;
        }

        // "Resource/Operation", e.g. "Ad/Delete". Must be readable by the handler,
        // so it cannot be protected (the handler does not derive from the requirement).
        public string Resource { get; }
    }

    public class ResourceRequirementHandler : AuthorizationHandler<ResourceRequirement>
    {
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
            ResourceRequirement requirement)
        {
            // Split "Resource/Operation"; a malformed requirement is simply never satisfied.
            var parts = requirement.Resource.Split(new[] { '/' }, 2);
            if (parts.Length != 2)
            {
                return Task.CompletedTask;
            }
            var resource = parts[0];
            var operation = parts[1];

            // Assumed claim shape: one "permission" claim per granted "Resource/Operation" pair.
            // Adapt the claim type/value to whatever your identity provider issues.
            if (context.User.HasClaim("permission", resource + "/" + operation))
            {
                context.Succeed(requirement);
            }

            // Not calling Succeed leaves the requirement unmet, so the default is deny.
            return Task.CompletedTask;
        }
    }
}

Then register the handler and all the associated policies, and call this from "ConfigureServices" in the Startup class:

    // Called from Startup.ConfigureServices
    protected void SetResourceAuthorizationRequirements(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("AdSingleRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdSingle/Read")));
            options.AddPolicy("AdListRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdList/Read")));
            options.AddPolicy("AdByCustomerRead", policy => policy.Requirements.Add(new Filters.ResourceRequirement("AdByCustomer/Read")));
            options.AddPolicy("AdModify", policy => policy.Requirements.Add(new Filters.ResourceRequirement("Ad/Modify")));
            options.AddPolicy("AdDelete", policy => policy.Requirements.Add(new Filters.ResourceRequirement("Ad/Delete")));
        });

        // A singleton is only safe while the handler has no scoped dependencies
        // (such as a DbContext); otherwise register it as scoped.
        services.AddSingleton<IAuthorizationHandler, Filters.ResourceRequirementHandler>();
    }

Specify these policies on each action:

    [HttpGet]
    [Authorize(Policy = "AdListRead")]
    public IEnumerable<string> GetAllAds()
    {
        return new string[] { "value1", "value2" };
    }

    // Route attribute was missing; with attribute routing the action is unreachable without it.
    [HttpGet("{id}")]
    [Authorize(Policy = "AdSingleRead")]
    public string Get(int id)
    {
        return "value";
    }

    [HttpPost]
    [Authorize(Policy = "AdModify")]
    public void Post([FromBody] string value)
    {
    }

    [HttpPut("{id}")]
    [Authorize(Policy = "AdModify")]
    public void Put(int id, [FromBody] string value)
    {
    }

    [HttpDelete("{id}")]
    [Authorize(Policy = "AdDelete")]
    public void Delete(int id)
    {
    }
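The answer above registers one named policy per resource/operation pair, so every new pair needs another AddPolicy line and the attribute still cannot take the resource and operation as separate parameters, which is what the question asked for. The following is an added example, not the answerer's code: it keeps the same requirement/handler design but derives the policy from a custom attribute's parameters through an IAuthorizationPolicyProvider, so `[ResourcePermission("Ad", "Delete")]` works without any per-pair registration. The attribute name, the "Permission:" policy-name prefix, the "permission" claim type and the identity in the demo are all assumptions made for this example; it runs as a console program in a project that references the Microsoft.AspNetCore.App shared framework.

```csharp
#nullable enable
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Takes resource and operation as typed parameters and encodes them into the
// policy name that the framework hands to the policy provider (prefix is assumed).
public sealed class ResourcePermissionAttribute : AuthorizeAttribute
{
    public const string Prefix = "Permission:";

    public ResourcePermissionAttribute(string resource, string operation)
    {
        Policy = Prefix + resource + "/" + operation;
    }
}

public sealed class ResourceRequirement : IAuthorizationRequirement
{
    public ResourceRequirement(string resource, string operation)
    {
        Resource = resource;
        Operation = operation;
    }
    public string Resource { get; }
    public string Operation { get; }
}

// Succeeds only when the identity carries a "permission" claim (assumed claim type)
// whose value is exactly "Resource/Operation". Not calling Succeed leaves the
// requirement unmet, so the default outcome is deny.
public sealed class ResourceRequirementHandler : AuthorizationHandler<ResourceRequirement>
{
    public const string PermissionClaimType = "permission";

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        ResourceRequirement requirement)
    {
        var wanted = requirement.Resource + "/" + requirement.Operation;
        if (context.User.HasClaim(PermissionClaimType, wanted))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Builds "Permission:Resource/Operation" policies on demand. Policies registered
// explicitly in AddAuthorization still resolve through the base class first.
public sealed class PermissionPolicyProvider : DefaultAuthorizationPolicyProvider
{
    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options) : base(options) { }

    public override async Task<AuthorizationPolicy?> GetPolicyAsync(string policyName)
    {
        var registered = await base.GetPolicyAsync(policyName);
        if (registered != null || !policyName.StartsWith(ResourcePermissionAttribute.Prefix, StringComparison.Ordinal))
            return registered;

        var parts = policyName.Substring(ResourcePermissionAttribute.Prefix.Length).Split(new[] { '/' }, 2);
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0)
            return null; // malformed name: the framework throws for an unknown policy instead of falling open

        return new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .AddRequirements(new ResourceRequirement(parts[0], parts[1]))
            .Build();
    }
}

public static class Demo
{
    // Same registrations you would put in Startup.ConfigureServices; no per-pair AddPolicy needed.
    public static IAuthorizationService BuildAuthorizationService()
    {
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddAuthorizationCore();
        services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
        services.AddSingleton<IAuthorizationHandler, ResourceRequirementHandler>();
        return services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();
    }

    public static async Task Main()
    {
        var auth = BuildAuthorizationService();

        // Constructed identity for the demo: granted Ad/Read only.
        var user = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ResourceRequirementHandler.PermissionClaimType, "Ad/Read") }, "test"));

        var read = await auth.AuthorizeAsync(user, null, "Permission:Ad/Read");
        var delete = await auth.AuthorizeAsync(user, null, "Permission:Ad/Delete");
        Console.WriteLine($"Ad/Read allowed: {read.Succeeded}, Ad/Delete allowed: {delete.Succeeded}");
    }
}
```

On an action this reads `[HttpDelete("{id}")] [ResourcePermission("Ad", "Delete")]`, and the same `IAuthorizationService.AuthorizeAsync` call used in the demo is what the `[Authorize]` filter performs for the request's user. Two details matter for security: the provider returns null rather than an empty policy for a name it cannot parse, so a typo in an attribute fails the request instead of silently allowing it, and every generated policy also requires an authenticated user, so an anonymous identity is rejected before the claim check runs.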