Asp.Net核心:IAuthorizationFilter和Authentication Service的执行顺序
Asp.Net Core: order of execution of IAuthorizationFilter and Authentication Service
我正在 Asp.Net Core Web Api 应用程序中实现身份验证和授权机制。
我使用 JWT 进行配置的用户身份验证:
ConfigureServices(IServiceCollection services)
{
...
services.AddAuthentication(...).AddJwtBearer(...)
...
}
(类似于)
此服务还根据 JWT 数据填充 HttpContext.User。
对于授权,我使用基于
的自定义 RBAC 实现
class AccessControlFilter : IAuthorizationFilter
{
public AccessControlFilter(string permission) {...}
public void OnAuthorization (AuthorizationFilterContext context){...}
}
(类似于 中的好答案)
我需要确定我的 AccessControlFilter 将 运行 在 JWT 身份验证服务之后,以便
上下文。HttpContext.User 已填充。
(我猜顺序是正确的,过滤器将在服务后 运行,但我找不到正确的文档。)
来自 ASP.NET Core Security Overview(强调我的):
Authentication vs. Authorization
Authentication is a process in which a user provides credentials that are then compared to those stored in an operating system, database, app or resource. If they match, users authenticate successfully, and can then perform actions that they're authorized for, during an authorization process. The authorization refers to the process that determines what a user is allowed to do.
Another way to think of authentication is to consider it as a way to enter a space, such as a server, database, app or resource, while authorization is which actions the user can perform to which objects inside that space (server, database, or app).
所以回答你的问题:身份验证总是发生在之前授权管道。这是有道理的,因为在知道用户有权做什么之前,您需要知道用户是谁。
我正在 Asp.Net Core Web Api 应用程序中实现身份验证和授权机制。
我使用 JWT 进行配置的用户身份验证:
ConfigureServices(IServiceCollection services)
{
...
services.AddAuthentication(...).AddJwtBearer(...)
...
}
(类似于
此服务还根据 JWT 数据填充 HttpContext.User。
对于授权,我使用基于
的自定义 RBAC 实现class AccessControlFilter : IAuthorizationFilter
{
public AccessControlFilter(string permission) {...}
public void OnAuthorization (AuthorizationFilterContext context){...}
}
(类似于
我需要确定我的 AccessControlFilter 将 运行 在 JWT 身份验证服务之后,以便 上下文。HttpContext.User 已填充。
(我猜顺序是正确的,过滤器将在服务后 运行,但我找不到正确的文档。)
来自 ASP.NET Core Security Overview(强调我的):
Authentication vs. Authorization
Authentication is a process in which a user provides credentials that are then compared to those stored in an operating system, database, app or resource. If they match, users authenticate successfully, and can then perform actions that they're authorized for, during an authorization process. The authorization refers to the process that determines what a user is allowed to do.
Another way to think of authentication is to consider it as a way to enter a space, such as a server, database, app or resource, while authorization is which actions the user can perform to which objects inside that space (server, database, or app).
所以回答你的问题:身份验证总是发生在之前授权管道。这是有道理的,因为在知道用户有权做什么之前,您需要知道用户是谁。