咨询区
jltrem:
我想在 ASP.NET Core 中用 authorization 特性实现一个自定义验证,在之前的版本中,我可以用系统提供的 bool AuthorizeCore(HttpContextBase httpContext) 方法,但在这个版本中已经没有该方法了。
请问当前我该如何实现这个自定义的 AuthorizeAttribute 呢?
回答区
gius:
看样子你用的是 ASP.NET Core 2,当然现在你也可以实现,继承 AuthorizeAttribute 并实现 IAuthorizationFilter 接口即可,参考代码如下:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class CustomAuthorizeAttribute : AuthorizeAttribute, IAuthorizationFilter
{private readonly string _someFilterParameter;public CustomAuthorizeAttribute(string someFilterParameter){_someFilterParameter = someFilterParameter;}public void OnAuthorization(AuthorizationFilterContext context){var user = context.HttpContext.User;if (!user.Identity.IsAuthenticated){// it isn't needed to set unauthorized result // as the base class already requires the user to be authenticated// this also makes redirect to a login page work properly// context.Result = new UnauthorizedResult();return;}// you can also use registered servicesvar someService = context.HttpContext.RequestServices.GetService<ISomeService>();var isAuthorized = someService.IsUserAuthorized(user.Identity.Name, _someFilterParameter);if (!isAuthorized){context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);return;}}
}Kévin Chalet
对于纯碎的授权,比如说只能给某些用户一些特定的访问权限,现在推荐的做法是使用新的授权块。
public class Startup
{public void ConfigureServices(IServiceCollection services){services.Configure<AuthorizationOptions>(options =>{options.AddPolicy("ManageStore", policy => policy.RequireClaim("Action", "ManageStore"));});}
}public class StoreController : Controller
{[Authorize(Policy = "ManageStore"), HttpGet]public async Task<IActionResult> Manage() { ... }
}对于授权,最好在中间件层面做处理,回过头来说,你确定现在的做法是正确的吗?
点评区
确实在 ASP.NET Core 5 时代,更好的方式应该是用 中间件 实现,而不是深入到业务体之后再用过滤器的方式来实现,当然你也可以用过滤器。
)
