asp.net 核心 2.0 windows 基于角色的授权总是 returns 403
asp.net core 2.0 windows role based authorization always returns 403
我正在尝试使用 asp.net 核心 2.0 应用程序基于 Windows 角色设置基于角色的授权。这是配置:
launchSettings.json:
{
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:9180/",
"sslPort": 0
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
"Bouwfonds.Gems.Onderhoud.Web.UI": {
"commandName": "Project",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
},
"applicationUrl": "http://localhost:9181/"
}
}
}
StartUp.cs:
public void ConfigureServices(IServiceCollection services) {
services.AddMvc();
services.AddAuthentication(IISDefaults.AuthenticationScheme);
}
在控制器中:
//管理员使用的SID:psgetsid.exe管理员
[Authorize(Roles = @"S-1-5-32-544")]
public class HomeController : Controller
Windows 身份验证有效,但我总是返回 403。有什么想法吗?
403 响应通常表示以下两种情况之一:
- 已提供身份验证,但不允许经过身份验证的用户执行请求的操作。
- 禁止所有用户操作。例如,当目录列表被禁用时,请求目录列表 return 代码 403。
您确定您在给定的组中吗?首先尝试授权用户,而不是角色:
[Authorize(Users="Alice, Bob, YourName")]
如果可行,则说明您不是该群组的成员,或者该群组不存在。
本地管理员组被添加为 denyonlysid(?) 声明:“{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid: S-1-5-32-544}”所以我想这就是该组不起作用的原因。显然,当您将自己添加到新的本地组时,您必须重新启动才能获得声明:P
因此,即使没有 SID 而只有组名,它现在也可以与本地组一起使用。
这是我要做的工作。我使用 Microsoft Authorization Workshop 示例拼凑了很多内容 https://github.com/blowdart/AspNetAuthorizationWorkshop。尽管我使用的是策略而不是角色。
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization(options =>
{
//Add policies as needed along with authorization classes
options.AddPolicy("Admin", policy => policy.Requirements.Add(new AdminAuthorization()));
});
services.AddMvc(config =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
config.Filters.Add(new AuthorizeFilter(policy));
});
//Also add the Authorization Handlers
services.AddSingleton<IAuthorizationHandler, AdminAuthorization>();
serviecs.AddAuthentication(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme);
}
AdminAuthorization.cs
public class AdminAuthorization : AuthorizationHandler<AdminAuthorization>, IAuthorizationRequirement
{
protected override Task HandleRequirementAsync(AuthrizationHandlerContext context, AdminAuthorization requirement)
{
if(context.User.HasClaim(c => c.Value == @"S-1-5-32-544"))
{
context.Succeed(requirement);
}
else
{
context.Fail();
}
return Task.CompletedTask;
}
}
HomeController.cs
//Add the name of the policy used in the options.AddPolicy in the startup.cs
[Authorize(Policy = "Admin")]
public class HomeController : Controller
{
// your controller logic here
}
我正在尝试使用 asp.net 核心 2.0 应用程序基于 Windows 角色设置基于角色的授权。这是配置:
launchSettings.json:
{
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:9180/",
"sslPort": 0
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
"Bouwfonds.Gems.Onderhoud.Web.UI": {
"commandName": "Project",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
},
"applicationUrl": "http://localhost:9181/"
}
}
}
StartUp.cs:
public void ConfigureServices(IServiceCollection services) {
services.AddMvc();
services.AddAuthentication(IISDefaults.AuthenticationScheme);
}
在控制器中:
//管理员使用的SID:psgetsid.exe管理员
[Authorize(Roles = @"S-1-5-32-544")]
public class HomeController : Controller
Windows 身份验证有效,但我总是返回 403。有什么想法吗?
403 响应通常表示以下两种情况之一:
- 已提供身份验证,但不允许经过身份验证的用户执行请求的操作。
- 禁止所有用户操作。例如,当目录列表被禁用时,请求目录列表 return 代码 403。
您确定您在给定的组中吗?首先尝试授权用户,而不是角色:
[Authorize(Users="Alice, Bob, YourName")]
如果可行,则说明您不是该群组的成员,或者该群组不存在。
本地管理员组被添加为 denyonlysid(?) 声明:“{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid: S-1-5-32-544}”所以我想这就是该组不起作用的原因。显然,当您将自己添加到新的本地组时,您必须重新启动才能获得声明:P
因此,即使没有 SID 而只有组名,它现在也可以与本地组一起使用。
这是我要做的工作。我使用 Microsoft Authorization Workshop 示例拼凑了很多内容 https://github.com/blowdart/AspNetAuthorizationWorkshop。尽管我使用的是策略而不是角色。
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization(options =>
{
//Add policies as needed along with authorization classes
options.AddPolicy("Admin", policy => policy.Requirements.Add(new AdminAuthorization()));
});
services.AddMvc(config =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
config.Filters.Add(new AuthorizeFilter(policy));
});
//Also add the Authorization Handlers
services.AddSingleton<IAuthorizationHandler, AdminAuthorization>();
serviecs.AddAuthentication(Microsoft.AspNetCore.Server.IISIntegration.IISDefaults.AuthenticationScheme);
}
AdminAuthorization.cs
public class AdminAuthorization : AuthorizationHandler<AdminAuthorization>, IAuthorizationRequirement
{
protected override Task HandleRequirementAsync(AuthrizationHandlerContext context, AdminAuthorization requirement)
{
if(context.User.HasClaim(c => c.Value == @"S-1-5-32-544"))
{
context.Succeed(requirement);
}
else
{
context.Fail();
}
return Task.CompletedTask;
}
}
HomeController.cs
//Add the name of the policy used in the options.AddPolicy in the startup.cs
[Authorize(Policy = "Admin")]
public class HomeController : Controller
{
// your controller logic here
}