Visual

17 基于 Claim 和 Policy 的授权 上.mp4 (99.57MB)

一句话的事儿

  • User分类成Role,然后Role能够做什么事情,通过Claim
  • 若单纯的通过Claim这个大熔炉集合显然显得很冗余,那么新添的一个Policy从而对大熔炉进行整合

Claim

  • 一部分信息
  • Name-Value
  • 可以来自内部或外部
  • 基于策略的(Policy)

Docs:Claims-based authorization in ASP.NET Core

UserController 中操作 Claim

User 与 Claim 的关系类似与 User 与 Role 的关系。

  1. public async Task<IActionResult> ManageClaims(string id)
  2. {
  3.     var user = await _userManager.Users.Include(x => x.Claims)
  4.         .Where(x => x.Id == id).SingleOrDefaultAsync();
  5.     if (user == null)
  6.     {
  7.         return RedirectToAction("Index");
  8.     }
  10.     // 筛选出该 User 没有的 Claim
  11.     var leftClaims = ClaimTypes.AllClaimTypeList.Except(user.Claims.Select(x => x.ClaimType)).ToList();
  13.     var vm = new ManageClaimsViewModel
  14.     {
  15.         UserId = id,
  16.         AvailableClaims = leftClaims
  17.     };
  19.     return View(vm);
  20. }
  22. [HttpPost]
  23. public async Task<IActionResult> ManageClaims(ManageClaimsViewModel vm)
  24. {
  25.     var user = await _userManager.FindByIdAsync(vm.UserId);
  26.     if (user == null)
  27.     {
  28.         return RedirectToAction("Index");
  29.     }
  31.     var claim = new IdentityUserClaim<string>
  32.     {
  33.         ClaimType = vm.ClaimId,
  34.         ClaimValue = vm.ClaimId
  35.     };
  37.     user.Claims.Add(claim);
  39.     var result = await _userManager.UpdateAsync(user);
  40.     if (result.Succeeded)
  41.     {
  42.         return RedirectToAction("EditUser", new { id = vm.UserId });
  43.     }
  45.     ModelState.AddModelError(string.Empty, "编辑用户Claims时发生错误");
  46.     return View(vm);
  47. }
  49. [HttpPost]
  50. public async Task<IActionResult> RemoveClaim(string id, string claim)
  51. {
  52.     var user = await _userManager.Users.Include(x => x.Claims)
  53.         .Where(x => x.Id == id).SingleOrDefaultAsync();
  54.     if (user == null)
  55.     {
  56.         return RedirectToAction("Index");
  57.     }
  59.     var claims = user.Claims.Where(x => x.ClaimType == claim).ToList();
  61.     foreach (var c in claims)
  62.     {
  63.         user.Claims.Remove(c);
  64.     }
  66.     var result = await _userManager.UpdateAsync(user);
  67.     if (result.Succeeded)
  68.     {
  69.         return RedirectToAction("EditUser", new { id });
  70.     }
  72.     ModelState.AddModelError(string.Empty, "编辑用户Claims时发生错误");
  73.     return RedirectToAction("ManageClaims", new { id });
  74. }

Policy(策略)

  • 注册 Policy
  • 使用 Policy 进行授权

Docs:Policy-based authorization in ASP.NET Core

添加策略

通过 Role 和 Claim 添加策略:

  1. services.AddAuthorization(options =>
  2. {
  3.     options.AddPolicy("仅限管理员", policy => policy.RequireRole("Administrators"));
  4.     options.AddPolicy("编辑专辑", policy=> policy.RequireClaim("Edit Albums"));
  5. });

两个注意事项

  1. 如果登录账号时抛出 No IUserTokenProvider is registered 异常,可以通过 AddDefaultTokenProviders() 解决
  2. 修改用户的 Claim 后,需重新登录才能生效。如果不想重新登录,可以通过 RefreshSignInAsync 解决
    1. PS:这会带来一些别的问题 Update user claims without updating authentication time