ASP.NET 角色如何与授权一起使用?
How are ASP.NET Roles used with Authorization?
我正在使用 ASP.NET Core 并托管基本上是启用了 Windows 身份验证的默认模板。我将其托管在专用的 IIS 服务器上,并已验证该应用程序正在从 AD 接收正确的信息并且它正确地验证了我的会话。
我觉得我正在尝试做一些非常简单的事情。如果用户在安全组中(来自 AD)"Admin",他们可以访问特定功能。如果他们不在该组中,则无法访问。
我给服务添加了 [Authorize] 属性
(in ConfigureServices)
// Register IIS (Windows) authentication and make it the default scheme; this is the
// options-delegate form of AddAuthentication(IISDefaults.AuthenticationScheme).
services.AddAuthentication(options => options.DefaultScheme = IISDefaults.AuthenticationScheme);
(in Configure)
// NOTE(review): only UseAuthorization() is shown. The authorization middleware relies on
// HttpContext.User being populated first, so app.UseAuthentication() should precede this
// call (and both belong between UseRouting() and UseEndpoints()) — confirm against the
// full Configure() method, which this snippet does not show.
app.UseAuthorization();
(in service)
// NOTE(review): [Authorize] is endpoint metadata — it is enforced by the authorization
// middleware / MVC filters on controllers, Razor Pages and routed endpoints. SiteService
// looks like a plain DI service (constructed from an HttpClient, not reached through
// routing), so as far as I can tell the attribute is never evaluated here; that would
// explain why swapping Roles="Admin" for a nonsense role name changed nothing. Put the
// attribute on the controller/page/endpoint that calls this service, or check the policy
// explicitly via IAuthorizationService inside GetSites() — confirm against how
// SiteService is actually invoked.
[Authorize]
public class SiteService
{
    // Absolute URI of the configured HttpClient.BaseAddress, captured at construction.
    private readonly string _route;
    private readonly HttpClient _httpClient;

    // Expects a typed/named HttpClient whose BaseAddress is set: BaseAddress is
    // dereferenced here, so a client without one throws NullReferenceException.
    public SiteService(HttpClient httpClient)
    {
        _httpClient = httpClient;
        _route = httpClient.BaseAddress.AbsoluteUri;
    }

    // Stub as posted in the question: an async Task<T> method with no return statement
    // does not compile (CS0161); the real implementation is not shown.
    public async Task<IEnumerable<Site>> GetSites()
    {
    }
}
我可以在访问该服务的日志中看到 Domain/User。然后我在这里查看了 MS 文档:https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-3.1
并打上 [Authorize(Roles = "Admin")]。那奏效了。然后我将 "Admin" 切换为 "sldkfjslksdlfkj"。什么都没有改变...我仍然可以访问该服务。
为什么 Roles="x" 检查不起作用?如何为安全组启用相对简单的 AD 检查?
先说明为什么 Roles="x" 看起来"不起作用"：[Authorize] 属于端点元数据，只会在 controller、Razor Page 或路由端点上由授权中间件执行；放在像 SiteService 这样的普通服务类上不会被评估，所以无论写什么角色名都不会影响访问。在把属性放到正确位置的前提下，您可以写一个自定义的 Policy Authorization handler，枚举当前用户的 AD 组并检查其中是否包含所需的组名。
参考以下内容:
1.Create CheckADGroupRequirement(接受一个参数)
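/// <summary>
/// Authorization requirement that is satisfied when the current Windows user belongs to
/// the AD/Windows group named <see cref="GroupName"/> (e.g. <c>DOMAIN\GroupName</c>).
/// </summary>
public class CheckADGroupRequirement : IAuthorizationRequirement
{
    /// <summary>Account name of the required group, exactly as passed to the constructor.</summary>
    public string GroupName { get; private set; }

    /// <summary>Creates a requirement for the given group name.</summary>
    /// <param name="groupName">Group account name to require; must be non-empty.</param>
    /// <exception cref="ArgumentException">
    /// Thrown when <paramref name="groupName"/> is null, empty or whitespace. An empty name
    /// would silently produce a policy that can never be satisfied, so fail at startup
    /// (policy registration) instead of at request time.
    /// </exception>
    public CheckADGroupRequirement(string groupName)
    {
        if (string.IsNullOrWhiteSpace(groupName))
        {
            throw new ArgumentException("A group name is required.", nameof(groupName));
        }

        GroupName = groupName;
    }
}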
2.Create CheckADGroupHandler
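/// <summary>
/// Satisfies <see cref="CheckADGroupRequirement"/> when the authenticated Windows user is a
/// member of the required group. It never calls <c>context.Fail</c>: an unmatched or
/// non-Windows identity simply leaves the requirement unmet, which the policy treats as deny.
/// </summary>
public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement>
{
    /// <summary>
    /// Resolves each group SID on the user's Windows token to an account name and succeeds
    /// the requirement on the first case-insensitive match with
    /// <see cref="CheckADGroupRequirement.GroupName"/>.
    /// </summary>
    /// <param name="context">Authorization context carrying the current principal.</param>
    /// <param name="requirement">The group-membership requirement being evaluated.</param>
    /// <returns>A completed task; the outcome is reported through <paramref name="context"/>.</returns>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        CheckADGroupRequirement requirement)
    {
        // Fix: the original hard cast `(WindowsIdentity)context.User.Identity` throws
        // InvalidCastException (surfacing as a 500) for an anonymous or non-Windows identity.
        // Treat any such principal as "not a member" so the policy fails closed instead.
        if (!(context.User?.Identity is WindowsIdentity windowsIdentity) || windowsIdentity.Groups == null)
        {
            return Task.CompletedTask;
        }

        foreach (IdentityReference groupSid in windowsIdentity.Groups)
        {
            string groupName;
            try
            {
                // SID -> "DOMAIN\Group" lookup. This can round-trip to a domain controller for
                // every group on every request; a cheaper variant resolves the required name
                // to a SID once and compares SIDs (the commented-out
                // context.User.IsInRole(...) in the original is the framework's version of
                // that check for a WindowsPrincipal — worth trying first).
                groupName = groupSid.Translate(typeof(NTAccount)).ToString();
            }
            catch (SystemException)
            {
                // Translate is documented to throw IdentityNotMappedException / SystemException
                // when a SID cannot be resolved (e.g. a deleted or foreign-domain group).
                // Skipping that group keeps the original best-effort behavior, but the catch
                // is narrowed from catch-all so unrelated failures are no longer hidden.
                continue;
            }

            // Windows account names are case-insensitive; the original's List.Contains was
            // ordinal case-sensitive, so "domain\admins" vs "DOMAIN\Admins" would wrongly deny.
            if (string.Equals(groupName, requirement.GroupName, StringComparison.OrdinalIgnoreCase))
            {
                context.Succeed(requirement);
                break;
            }
        }

        return Task.CompletedTask;
    }
}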
3.在 ConfigureServices 中注册策略和处理程序
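services.AddAuthorization(options =>
{
    // Fix: the original literal "DOMAIN\Domain Admin" does not compile — `\D` is not a
    // valid C# escape sequence. A verbatim string (or "DOMAIN\\Domain Admin") delivers the
    // backslash intact; the value must match the "DOMAIN\Group" form that SID->NTAccount
    // translation returns. Replace it with the real group for your domain.
    options.AddPolicy("AdminOnly", policy =>
        policy.Requirements.Add(new CheckADGroupRequirement(@"DOMAIN\Domain Admin")));
    //other policies
});

// The handler holds no state, so a singleton is appropriate; every IAuthorizationHandler
// registered in DI is consulted by the default IAuthorizationService.
services.AddSingleton<IAuthorizationHandler, CheckADGroupHandler>();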
4.在 controller（或 Razor Page/端点）上使用；放在普通服务类上的 [Authorize] 不会被授权中间件执行
[Authorize(Policy = "AdminOnly")]
public class SiteService
我正在使用 ASP.NET Core 并托管基本上是启用了 Windows 身份验证的默认模板。我将其托管在专用的 IIS 服务器上,并已验证该应用程序正在从 AD 接收正确的信息并且它正确地验证了我的会话。
我觉得我正在尝试做一些非常简单的事情。如果用户在安全组中(来自 AD)"Admin",他们可以访问特定功能。如果他们不在该组中,则无法访问。
我给服务添加了 [Authorize] 属性
(in ConfigureServices)
// Register IIS (Windows) authentication and make it the default scheme; this is the
// options-delegate form of AddAuthentication(IISDefaults.AuthenticationScheme).
services.AddAuthentication(options => options.DefaultScheme = IISDefaults.AuthenticationScheme);
(in Configure)
// NOTE(review): only UseAuthorization() is shown. The authorization middleware relies on
// HttpContext.User being populated first, so app.UseAuthentication() should precede this
// call (and both belong between UseRouting() and UseEndpoints()) — confirm against the
// full Configure() method, which this snippet does not show.
app.UseAuthorization();
(in service)
// NOTE(review): [Authorize] is endpoint metadata — it is enforced by the authorization
// middleware / MVC filters on controllers, Razor Pages and routed endpoints. SiteService
// looks like a plain DI service (constructed from an HttpClient, not reached through
// routing), so as far as I can tell the attribute is never evaluated here; that would
// explain why swapping Roles="Admin" for a nonsense role name changed nothing. Put the
// attribute on the controller/page/endpoint that calls this service, or check the policy
// explicitly via IAuthorizationService inside GetSites() — confirm against how
// SiteService is actually invoked.
[Authorize]
public class SiteService
{
    // Absolute URI of the configured HttpClient.BaseAddress, captured at construction.
    private readonly string _route;
    private readonly HttpClient _httpClient;

    // Expects a typed/named HttpClient whose BaseAddress is set: BaseAddress is
    // dereferenced here, so a client without one throws NullReferenceException.
    public SiteService(HttpClient httpClient)
    {
        _httpClient = httpClient;
        _route = httpClient.BaseAddress.AbsoluteUri;
    }

    // Stub as posted in the question: an async Task<T> method with no return statement
    // does not compile (CS0161); the real implementation is not shown.
    public async Task<IEnumerable<Site>> GetSites()
    {
    }
}
我可以在访问该服务的日志中看到 Domain/User。然后我在这里查看了 MS 文档:https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-3.1
并打上 [Authorize(Roles = "Admin")]。那奏效了。然后我将 "Admin" 切换为 "sldkfjslksdlfkj"。什么都没有改变...我仍然可以访问该服务。
为什么 Roles="x" 检查不起作用?如何为安全组启用相对简单的 AD 检查?
先说明为什么 Roles="x" 看起来"不起作用"：[Authorize] 属于端点元数据，只会在 controller、Razor Page 或路由端点上由授权中间件执行；放在像 SiteService 这样的普通服务类上不会被评估，所以无论写什么角色名都不会影响访问。在把属性放到正确位置的前提下，您可以写一个自定义的 Policy Authorization handler，枚举当前用户的 AD 组并检查其中是否包含所需的组名。
参考以下内容:
1.Create CheckADGroupRequirement(接受一个参数)
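/// <summary>
/// Authorization requirement that is satisfied when the current Windows user belongs to
/// the AD/Windows group named <see cref="GroupName"/> (e.g. <c>DOMAIN\GroupName</c>).
/// </summary>
public class CheckADGroupRequirement : IAuthorizationRequirement
{
    /// <summary>Account name of the required group, exactly as passed to the constructor.</summary>
    public string GroupName { get; private set; }

    /// <summary>Creates a requirement for the given group name.</summary>
    /// <param name="groupName">Group account name to require; must be non-empty.</param>
    /// <exception cref="ArgumentException">
    /// Thrown when <paramref name="groupName"/> is null, empty or whitespace. An empty name
    /// would silently produce a policy that can never be satisfied, so fail at startup
    /// (policy registration) instead of at request time.
    /// </exception>
    public CheckADGroupRequirement(string groupName)
    {
        if (string.IsNullOrWhiteSpace(groupName))
        {
            throw new ArgumentException("A group name is required.", nameof(groupName));
        }

        GroupName = groupName;
    }
}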
2.Create CheckADGroupHandler
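/// <summary>
/// Satisfies <see cref="CheckADGroupRequirement"/> when the authenticated Windows user is a
/// member of the required group. It never calls <c>context.Fail</c>: an unmatched or
/// non-Windows identity simply leaves the requirement unmet, which the policy treats as deny.
/// </summary>
public class CheckADGroupHandler : AuthorizationHandler<CheckADGroupRequirement>
{
    /// <summary>
    /// Resolves each group SID on the user's Windows token to an account name and succeeds
    /// the requirement on the first case-insensitive match with
    /// <see cref="CheckADGroupRequirement.GroupName"/>.
    /// </summary>
    /// <param name="context">Authorization context carrying the current principal.</param>
    /// <param name="requirement">The group-membership requirement being evaluated.</param>
    /// <returns>A completed task; the outcome is reported through <paramref name="context"/>.</returns>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        CheckADGroupRequirement requirement)
    {
        // Fix: the original hard cast `(WindowsIdentity)context.User.Identity` throws
        // InvalidCastException (surfacing as a 500) for an anonymous or non-Windows identity.
        // Treat any such principal as "not a member" so the policy fails closed instead.
        if (!(context.User?.Identity is WindowsIdentity windowsIdentity) || windowsIdentity.Groups == null)
        {
            return Task.CompletedTask;
        }

        foreach (IdentityReference groupSid in windowsIdentity.Groups)
        {
            string groupName;
            try
            {
                // SID -> "DOMAIN\Group" lookup. This can round-trip to a domain controller for
                // every group on every request; a cheaper variant resolves the required name
                // to a SID once and compares SIDs (the commented-out
                // context.User.IsInRole(...) in the original is the framework's version of
                // that check for a WindowsPrincipal — worth trying first).
                groupName = groupSid.Translate(typeof(NTAccount)).ToString();
            }
            catch (SystemException)
            {
                // Translate is documented to throw IdentityNotMappedException / SystemException
                // when a SID cannot be resolved (e.g. a deleted or foreign-domain group).
                // Skipping that group keeps the original best-effort behavior, but the catch
                // is narrowed from catch-all so unrelated failures are no longer hidden.
                continue;
            }

            // Windows account names are case-insensitive; the original's List.Contains was
            // ordinal case-sensitive, so "domain\admins" vs "DOMAIN\Admins" would wrongly deny.
            if (string.Equals(groupName, requirement.GroupName, StringComparison.OrdinalIgnoreCase))
            {
                context.Succeed(requirement);
                break;
            }
        }

        return Task.CompletedTask;
    }
}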
3.在 ConfigureServices 中注册策略和处理程序
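services.AddAuthorization(options =>
{
    // Fix: the original literal "DOMAIN\Domain Admin" does not compile — `\D` is not a
    // valid C# escape sequence. A verbatim string (or "DOMAIN\\Domain Admin") delivers the
    // backslash intact; the value must match the "DOMAIN\Group" form that SID->NTAccount
    // translation returns. Replace it with the real group for your domain.
    options.AddPolicy("AdminOnly", policy =>
        policy.Requirements.Add(new CheckADGroupRequirement(@"DOMAIN\Domain Admin")));
    //other policies
});

// The handler holds no state, so a singleton is appropriate; every IAuthorizationHandler
// registered in DI is consulted by the default IAuthorizationService.
services.AddSingleton<IAuthorizationHandler, CheckADGroupHandler>();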
4.在 controller（或 Razor Page/端点）上使用；放在普通服务类上的 [Authorize] 不会被授权中间件执行
[Authorize(Policy = "AdminOnly")]
public class SiteService