Visual

18 基于 Claim 和 Policy 的授权 下.mp4 (81.39MB)

一句话的事儿

  • 使用Claims
  • 自定义 Policy
    • RequireAssertion
    • AddRequirements

Policy 内置的方式

  • RequireAuthenticatedUser —>必须是登录用户
  • RequireClaim —>要求特定的Claim出现,并且对应的值也是特定的值
  • RequireRole —>要求是特定的角色
  • RequireUserName —>特定的用户名

Policy 自定义

  • RequireAssertion —>
  • AddRequirements —>

    RequireAssertion

  1. services.AddAuthorization(options =>
  2. {
  3.     options.AddPolicy("仅限管理员", policy => policy.RequireRole("Administrators"));
  4.     options.AddPolicy("编辑专辑", policy => policy.RequireClaim("Edit Albums"));
  5.     options.AddPolicy("编辑专辑1", policy => policy.RequireAssertion(context =>
  6.     {
  7.         return context.User.HasClaim(c => c.Type == "Edit Albums");
  8.     }));
  9. });

AddRequirements

  • IAuthorizationRequirement
    • AuthorizationHandler
    • AuthorizationHandler
    • …(一个 Requirement 可以有多个 Handler)
    • 如果一个 Handler 返回 Succeed,而其他的都没有返回 Fail,那么这个 Requirement 就被满足了

18 基于 Claim 和 Policy 的授权 下 - 图2

EmailRequirement:

  1. using Microsoft.AspNetCore.Authorization;
  3. namespace Heavy.Web.Auth
  4. {
  5.     public class EmailRequirement : IAuthorizationRequirement
  6.     {
  7.         public string RequiredEmail { get; set; }
  9.         public EmailRequirement(string requiredEmail)
  10.         {
  11.             RequiredEmail = requiredEmail;
  12.         }
  13.     }
  14. }

EmailHandler:

  1. using System.Linq;
  2. using System.Threading.Tasks;
  3. using Microsoft.AspNetCore.Authorization;
  5. namespace Heavy.Web.Auth
  6. {
  7.     public class EmailHandler : AuthorizationHandler<EmailRequirement>
  8.     {
  9.         protected override Task HandleRequirementAsync(
  10.             AuthorizationHandlerContext context,
  11.             EmailRequirement requirement)
  12.         {
  13.             var claim = context.User.Claims.FirstOrDefault(c => c.Type == "Email");
  15.             if (claim != null && claim.Value.EndsWith(requirement.RequiredEmail))
  16.             {
  17.                 context.Succeed(requirement);
  18.             }
  20.             return Task.CompletedTask;
  21.         }
  22.     }
  23. }

配置 Requirement:

  1. services.AddAuthorization(options =>
  2. {
  3.     options.AddPolicy("仅限管理员", policy => policy.RequireRole("Administrators"));
  4.     options.AddPolicy("编辑专辑", policy => policy.RequireClaim("Edit Albums"));
  6.     //options.AddPolicy("编辑专辑1", policy => policy.RequireClaim("Edit Albums", new List<string> { "123", "456", "789" }));
  8.     options.AddPolicy("编辑专辑1", policy => policy.RequireAssertion(context =>
  9.     {
  10.         return context.User.HasClaim(c => c.Type == "Edit Albums");
  11.     }));
  13.     options.AddPolicy("编辑专辑2", policy => policy.AddRequirements(
  14.             new EmailRequirement("@126.com")));
  15. });
  17. // 注册 Handler
  18. services.AddSingleton<IAuthorizationHandler, EmailHandler>();

一个 Policy 里面的多个 Requirement 必须都满足才能通过:

  1. options.AddPolicy("编辑专辑2", policy => policy.AddRequirements(
  2.     new EmailRequirement("@126.com"),
  3.     new QualifiedUserRequirement()));