.Net 5 Blazor Server AD 组授权问题
.Net 5 Blazor Server AD Group Authorization issue
我无法让我的 Blazor Server 应用程序成为 AD 组成员,我可以让它读取我的用户 ID,所以我假设 NTLM 正在工作,但它似乎没有将我识别为 bing在一组中。
我尝试过 IIS 和 IIS Expresss
launchSettings.json
{
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": false,
"iisExpress": {
"applicationUrl": "http://localhost:58855",
"sslPort": 44394
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
"AppName": {
"commandName": "Project",
"dotnetRunMessages": "true",
"launchBrowser": true,
"applicationUrl": "https://localhost:5001;http://localhost:5000",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
}
}
Startup.cs
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.AddRazorPages();
services.AddServerSideBlazor();
services.AddHttpContextAccessor();
services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.AddAuthorization(options =>
{
options.AddPolicy("ADRoleOnly", policy => policy.RequireRole("DOMAIN\GroupName"));
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
//app.UseHsts();
}
//app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapBlazorHub();
endpoints.MapFallbackToPage("/_Host");
});
}
}
然后在我的一个 Razor 页面中,我有以下内容,正如我所说,即使在 NotAuthorized 部分我的用户名仍然显示
<AuthorizeView Policy="ADRoleOnly">
<Authorized>
@context.User.Identity.Name is authorized.
</Authorized>
<NotAuthorized>
@context.User.Identity.Name is not authorized.
</NotAuthorized>
</AuthorizeView>
<AuthorizeView Roles="DOMAIN\GroupName">
<Authorized>
@context.User.Identity.Name is authorized.
</Authorized>
<NotAuthorized>
@context.User.Identity.Name is not authorized.
</NotAuthorized>
</AuthorizeView>
目前我推出了自己的安全性,它只是隐藏了共享布局页面上的所有内容,但我不喜欢它,它很慢,如果可以的话,你永远不应该编写自己的安全模型,a ) 我不会让它保持最新并且 b) 它比其他任何东西都更有可能有错误。
我真的很想知道我错过了什么导致它无法正常工作。
我现在不觉得自己很傻吗,我试图授权的组只是 AD 中的分发组,而不是安全组。我使用了不同的组,现在工作正常。
我无法让我的 Blazor Server 应用程序成为 AD 组成员,我可以让它读取我的用户 ID,所以我假设 NTLM 正在工作,但它似乎没有将我识别为 bing在一组中。
我尝试过 IIS 和 IIS Expresss
launchSettings.json
{
"iisSettings": {
"windowsAuthentication": true,
"anonymousAuthentication": false,
"iisExpress": {
"applicationUrl": "http://localhost:58855",
"sslPort": 44394
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
"AppName": {
"commandName": "Project",
"dotnetRunMessages": "true",
"launchBrowser": true,
"applicationUrl": "https://localhost:5001;http://localhost:5000",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
}
}
Startup.cs
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
{
services.AddRazorPages();
services.AddServerSideBlazor();
services.AddHttpContextAccessor();
services.AddAuthentication(IISDefaults.AuthenticationScheme);
services.AddAuthorization(options =>
{
options.AddPolicy("ADRoleOnly", policy => policy.RequireRole("DOMAIN\GroupName"));
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
//app.UseHsts();
}
//app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapBlazorHub();
endpoints.MapFallbackToPage("/_Host");
});
}
}
然后在我的一个 Razor 页面中,我有以下内容,正如我所说,即使在 NotAuthorized 部分我的用户名仍然显示
<AuthorizeView Policy="ADRoleOnly">
<Authorized>
@context.User.Identity.Name is authorized.
</Authorized>
<NotAuthorized>
@context.User.Identity.Name is not authorized.
</NotAuthorized>
</AuthorizeView>
<AuthorizeView Roles="DOMAIN\GroupName">
<Authorized>
@context.User.Identity.Name is authorized.
</Authorized>
<NotAuthorized>
@context.User.Identity.Name is not authorized.
</NotAuthorized>
</AuthorizeView>
目前我推出了自己的安全性,它只是隐藏了共享布局页面上的所有内容,但我不喜欢它,它很慢,如果可以的话,你永远不应该编写自己的安全模型,a ) 我不会让它保持最新并且 b) 它比其他任何东西都更有可能有错误。
我真的很想知道我错过了什么导致它无法正常工作。
我现在不觉得自己很傻吗,我试图授权的组只是 AD 中的分发组,而不是安全组。我使用了不同的组,现在工作正常。