是否有可能获得具有 OR 条件(如角色)的索赔授权?
Is it possible to have a claims authorization with an OR condition like roles?
我一直在我的 .net 应用程序中使用角色授权。但是,我正在构建一个演示应用程序并想尝试一下声明。我一直这样装饰我的控制器,可以授权管理员或具有完全访问权限的用户。
[[Authorize(Roles = "IsApiUserFullAccess", "IsAdmin") ]]
但是,我无法通过声明完成相同的操作。在我的初创公司中,我有这两个索赔政策。我如何装饰我的控制器或更改这些策略以声明获得我的控制器授权?
options.AddPolicy("IsApiUserFullAccess", policy => policy.RequireClaim("apiuser.fullaccess", "true"));
options.AddPolicy("IsAdmin", policy => policy.RequireClaim("administrator", "true"));
一种方法是构建自定义策略,其中包含对用户声明进行 OR 处理的要求和处理程序,如下所示:
// Marker class
public class HasFullAccessOrAdminRequirement : IAuthorizationRequirement {}
public class HasFullAccessOrAdminHandler
: AuthorizationHandler<HasFullAccessOrAdminRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
HasFullAccessOrAdminRequirement requirement)
{
var user = context.User;
if (user.HasClaim(...) || user.HasClaim(...))
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
然后注册:
options.AddPolicy("AdminOrFullAccess", builder =>
builder.AddRequirements(new HasFullAccessOrAdminRequirement());
然后使用它:[Authorize("AdminOrFullAccess")]
您可以使用接受 Function<> 的 RequireAssertion() 方法来实现策略。
示例:
services.AddAuthorization(options =>
{
options.AddPolicy("AdminOrFullAccess", policy =>
policy.RequireAssertion(context =>
{
bool isApiUserFullAccess = context.User.HasClaim(c => ...);
bool isAdmin = context.User.IsInRole("ADMIN_ROLE");
return isAdmin || isApiUserFullAccess;
});
});
我一直在我的 .net 应用程序中使用角色授权。但是,我正在构建一个演示应用程序并想尝试一下声明。我一直这样装饰我的控制器,可以授权管理员或具有完全访问权限的用户。
[[Authorize(Roles = "IsApiUserFullAccess", "IsAdmin") ]]
但是,我无法通过声明完成相同的操作。在我的初创公司中,我有这两个索赔政策。我如何装饰我的控制器或更改这些策略以声明获得我的控制器授权?
options.AddPolicy("IsApiUserFullAccess", policy => policy.RequireClaim("apiuser.fullaccess", "true"));
options.AddPolicy("IsAdmin", policy => policy.RequireClaim("administrator", "true"));
一种方法是构建自定义策略,其中包含对用户声明进行 OR 处理的要求和处理程序,如下所示:
// Marker class
public class HasFullAccessOrAdminRequirement : IAuthorizationRequirement {}
public class HasFullAccessOrAdminHandler
: AuthorizationHandler<HasFullAccessOrAdminRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
HasFullAccessOrAdminRequirement requirement)
{
var user = context.User;
if (user.HasClaim(...) || user.HasClaim(...))
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
然后注册:
options.AddPolicy("AdminOrFullAccess", builder =>
builder.AddRequirements(new HasFullAccessOrAdminRequirement());
然后使用它:[Authorize("AdminOrFullAccess")]
您可以使用接受 Function<> 的 RequireAssertion() 方法来实现策略。
示例:
services.AddAuthorization(options =>
{
options.AddPolicy("AdminOrFullAccess", policy =>
policy.RequireAssertion(context =>
{
bool isApiUserFullAccess = context.User.HasClaim(c => ...);
bool isAdmin = context.User.IsInRole("ADMIN_ROLE");
return isAdmin || isApiUserFullAccess;
});
});