Authorization Attribute Dependent on Runtime Configuration
I have a .NET Core 3.0 Web API configured as follows:
services.AddAuthentication(x =>
{
x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(x =>
{
...
});
services.AddAuthorizationCore(options =>
{
options.FallbackPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
});
I enable it in the controllers, for example:
[Authorize(Roles = "Admin,Technician")]
public IActionResult CreateFoo([FromBody] Foo foo)
Some API endpoints also disable it with [AllowAnonymous].
The product supports multiple environments, and one endpoint needs to be anonymous or authorized depending on a runtime variable; currently a custom "ASPNETCORE_ENVIRONMENT" option is used.
I have seen a comment from the .NET security people, but if I implement a custom policy, it does not allow anonymous access.
What is the simplest way to allow anonymous access when the application is running in a specific environment?
AuthorizeAttribute is just an implementation of AuthorizationFilterAttribute. You can create your own implementation that bypasses authentication for certain environments:
using System;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class EnvironmentSpecificAuthorizeAttribute : AuthorizeAttribute
{
    // Name of the environment (e.g. "Development") in which this attribute grants anonymous access.
    public string AllowAnonymousEnvironment { get; set; }

    // True only when the running environment matches the configured exemption;
    // an unset variable or an empty exemption never bypasses the check.
    private bool IsAnonymousAllowed()
    {
        string currentEnv = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
        return !string.IsNullOrEmpty(AllowAnonymousEnvironment)
            && string.Equals(currentEnv, AllowAnonymousEnvironment, StringComparison.OrdinalIgnoreCase);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        if (IsAnonymousAllowed())
            return; // do not produce a 401 response in the exempted environment
        base.HandleUnauthorizedRequest(actionContext);
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (IsAnonymousAllowed())
            return; // skip the authorization check entirely
        base.OnAuthorization(actionContext);
    }

    public override Task OnAuthorizationAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        if (IsAnonymousAllowed())
            return Task.CompletedTask; // same logic as above, asynchronous variant
        return base.OnAuthorizationAsync(actionContext, cancellationToken);
    }
}
You can find other suggestions in
If I understand your question correctly, you can create a custom attribute and always grant the user access when the application is running in a specific environment?
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// The class is both the requirement and its handler. ASP.NET Core's built-in
// PassThroughAuthorizationHandler invokes requirements that also implement
// IAuthorizationHandler, so no separate handler registration is needed.
public class CustomEnvRequirement : AuthorizationHandler<CustomEnvRequirement>, IAuthorizationRequirement
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CustomEnvRequirement requirement)
    {
        // The variable may be unset; treat that as "not development" instead of throwing.
        string currentEnv = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? string.Empty;

        // Allow anonymous access when the current environment is development.
        if (currentEnv.Equals("development", StringComparison.OrdinalIgnoreCase))
        {
            context.Succeed(requirement);
        }
        else if (currentEnv.Equals("production", StringComparison.OrdinalIgnoreCase))
        {
            // TODO: add more authorization logic.
            // Until context.Succeed is called the requirement stays unmet and the policy fails.
        }
        return Task.CompletedTask;
    }
}
Here is the custom attribute to add:
[Authorize(Policy = "CustomEnv")]
public IActionResult Index()
{
return this.View();
}
Also, make sure to configure it in startup.cs:
services.AddAuthorization(options =>
{
options.AddPolicy("CustomEnv",
policy => policy.Requirements.Add(new CustomEnvRequirement()));
});
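Both answers above decide on the authorization outcome by reading the ASPNETCORE_ENVIRONMENT variable directly, and the second one leaves every environment other than "development" without a success path. The following is an added example, not code from either answer or from the question, that does the same thing in ASP.NET Core 3.0 terms: the environment comes from the injected IHostEnvironment rather than a raw environment variable, the exempted environment is a requirement parameter instead of a hard-coded string, and every non-exempted environment falls back to requiring an authenticated user, so the policy fails closed if the environment name is missing or misspelled. The type names AnonymousInEnvironmentRequirement, AnonymousInEnvironmentHandler, EnvironmentPolicyRegistration and the policy name "AnonymousInDevelopment" are assumptions chosen for this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// Requirement: anonymous access is acceptable only in the named environment;
// every other environment needs an authenticated user. (Example type, not from the page.)
public sealed class AnonymousInEnvironmentRequirement : IAuthorizationRequirement
{
    public string AllowAnonymousEnvironment { get; }

    public AnonymousInEnvironmentRequirement(string allowAnonymousEnvironment)
        => AllowAnonymousEnvironment = allowAnonymousEnvironment;
}

// Handler resolved through DI so the environment comes from the host, not from a
// raw environment-variable read at request time. (Example type, not from the page.)
public sealed class AnonymousInEnvironmentHandler : AuthorizationHandler<AnonymousInEnvironmentRequirement>
{
    private readonly IHostEnvironment _env;

    public AnonymousInEnvironmentHandler(IHostEnvironment env) => _env = env;

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   AnonymousInEnvironmentRequirement requirement)
    {
        // IsEnvironment compares case-insensitively; an empty or unknown name never matches.
        if (_env.IsEnvironment(requirement.AllowAnonymousEnvironment))
        {
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        // Everywhere else the caller must be authenticated. Leaving the requirement
        // unmet makes the policy fail closed (challenge or forbid), which is the
        // safe default when the environment is misconfigured.
        if (context.User?.Identity?.IsAuthenticated == true)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Registration helper for Startup.ConfigureServices. (Example type, not from the page.)
public static class EnvironmentPolicyRegistration
{
    public const string PolicyName = "AnonymousInDevelopment";

    public static IServiceCollection AddEnvironmentPolicy(this IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, AnonymousInEnvironmentHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy(PolicyName, policy =>
                policy.AddRequirements(new AnonymousInEnvironmentRequirement(Environments.Development)));
        });
        return services;
    }
}
```

Call services.AddEnvironmentPolicy() from ConfigureServices and decorate the endpoint with [Authorize(Policy = EnvironmentPolicyRegistration.PolicyName)]. Because the action then carries its own authorization metadata, the FallbackPolicy from the question no longer applies to it; the environment-aware requirement is the only check, which is why it must itself require an authenticated user outside the exempted environment.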