Asp.Net MVC 5 - 自定义授权不起作用?
Asp.Net MVC 5 - Custom Authorize not working?
我有以下具有自定义授权属性的控制器:
[CustomAuthorize(Roles = "Editor, Admin")]
public ActionResult Test()
{
//...
}
这是我的自定义授权码:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
private readonly string[] _allowedRoles;
public CustomAuthorizeAttribute(params string[] roles)
{
_allowedRoles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
if (_allowedRoles.Length > 0 && !_allowedRoles.Any(user.IsInRole))
{
return false;
}
return true;
}
}
自定义授权为 甚至非编辑或管理员的用户返回 true?
我认为问题是这样的:
[CustomAuthorize(Roles = "Editor, Admin")]
我将它作为字符串传递,我需要在我的 CustomAuthorize 方法中将它转换为数组???
首先您需要获取当前用户的角色,然后检查是否有任何角色允许用户访问控制器:
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
var userRoles = ((ClaimsIdentity)User.Identity).Claims
.Where(c => c.Type == ClaimTypes.Role)
.Select(c => c.Value);
if (_allowedRoles.Length > 0 && !_allowedRoles.Any(x => userRoles.Any(y => x.Equals(y)))))
{
return false;
}
return true;
}
属性的当前定义未引用 Roles 属性,也未填充 _allowedRoles 字段。
这就是为什么你的属性总是returnstrue.
查看自定义属性的重构逻辑
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute {
private readonly string[] _allowedRoles;
public CustomAuthorizeAttribute(params string[] roles) {
_allowedRoles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext) {
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (user?.Identity?.IsAuthenticated) {
if (isInRole(user, _allowedRoles)) {
return true;
}
if (!string.IsNullOrWhiteSpace(Roles)) {
var roles = Roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
if (isInRole(user, roles))
return true;
}
return true;
}
return false;
}
bool isInRole(IPrincipal user, string[] roles) {
return roles.Length > 0 && roles.Any(user.IsInRole);
}
}
哪个可以这样用
[CustomAuthorize(Roles = "Editor, Admin")]
public ActionResult Test() {
//...
}
根据用户
拆分和检查角色的位置
或喜欢
[CustomAuthorize("Editor", "Admin")]
public ActionResult Test() {
//...
}
这将使用参数数组填充属性的构造函数
我有以下具有自定义授权属性的控制器:
[CustomAuthorize(Roles = "Editor, Admin")]
public ActionResult Test()
{
//...
}
这是我的自定义授权码:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
private readonly string[] _allowedRoles;
public CustomAuthorizeAttribute(params string[] roles)
{
_allowedRoles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
if (_allowedRoles.Length > 0 && !_allowedRoles.Any(user.IsInRole))
{
return false;
}
return true;
}
}
自定义授权为 甚至非编辑或管理员的用户返回 true?
我认为问题是这样的:
[CustomAuthorize(Roles = "Editor, Admin")]
我将它作为字符串传递,我需要在我的 CustomAuthorize 方法中将它转换为数组???
首先您需要获取当前用户的角色,然后检查是否有任何角色允许用户访问控制器:
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
var userRoles = ((ClaimsIdentity)User.Identity).Claims
.Where(c => c.Type == ClaimTypes.Role)
.Select(c => c.Value);
if (_allowedRoles.Length > 0 && !_allowedRoles.Any(x => userRoles.Any(y => x.Equals(y)))))
{
return false;
}
return true;
}
属性的当前定义未引用 Roles 属性,也未填充 _allowedRoles 字段。
这就是为什么你的属性总是returnstrue.
查看自定义属性的重构逻辑
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute {
private readonly string[] _allowedRoles;
public CustomAuthorizeAttribute(params string[] roles) {
_allowedRoles = roles;
}
protected override bool AuthorizeCore(HttpContextBase httpContext) {
if (httpContext == null)
throw new ArgumentNullException("httpContext");
var user = httpContext.User;
if (user?.Identity?.IsAuthenticated) {
if (isInRole(user, _allowedRoles)) {
return true;
}
if (!string.IsNullOrWhiteSpace(Roles)) {
var roles = Roles.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
if (isInRole(user, roles))
return true;
}
return true;
}
return false;
}
bool isInRole(IPrincipal user, string[] roles) {
return roles.Length > 0 && roles.Any(user.IsInRole);
}
}
哪个可以这样用
[CustomAuthorize(Roles = "Editor, Admin")]
public ActionResult Test() {
//...
}
根据用户
拆分和检查角色的位置或喜欢
[CustomAuthorize("Editor", "Admin")]
public ActionResult Test() {
//...
}
这将使用参数数组填充属性的构造函数