大佬教程收集整理的这篇文章主要介绍了如何在不使用角色的情况下使用ASP.NET WebAPI实现基于声明的授权?,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
create table [dbo].[AspNetUsers] ( [Id] INT IDENTITY (1,1) NOT NULL,.... [SubjectId] INT DEFAULT ((0)) NOT NULL,[LOCATIOnId] INT DEFAULT ((0)) NOT NULL,CONSTraiNT [PK_dbo.AspNetUsers] PRIMary KEY CLUSTERED ([Id] ASC) );@H_197_3@我修改了ApplicationUser类,像这样:
public class ApplicationUser : IdentityUser<int,CustomUserLogin,CustomUserRole,CustomUserClaim> { public async Task<ClaimsIdentity> GenerateUserIdentityAsync(ApplicationUseRMANager manager,String authenticationTypE) { // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType ClaimsIdentity userIdentity = await manager.CreatEIDentityAsync(this,authenticationTypE); // Add custom user claims here userIdentity.AddClaim(new Claim("SubjectId",this.SubjectId.ToString())); userIdentity.AddClaim(new Claim("LOCATIOnId",this.LOCATIOnId.ToString())); return userIdentity; } public int SubjectId { get; set; } public int LOCATIOnId { get; set; } }@H_197_3@在我的寄存器方法中,为SubjectId添加新数据:
var user = new ApplicationUser() { UserName = model.UserName,SubjectId = 25,LOCATIOnId = 4 }; IdentityResult result = await UseRMANager.CreateAsync(user,model.password);@H_197_3@有人可以帮助告诉我我现在可以在控制器级别以及在方法级别基于这个SubjectId限制对控制器的访问,类似这样:
[Authorize(SubjectId = "1,25,26")] [RoutePrefix("api/Content")] public class ContentController : BaseController { [Authorize(LOCATIOnId = "4")] [Route("Get")] public IQueryable<Content> Get() { return db.Contents; } [Authorize(SubjectId = "25")] [Route("Get/{id:int}")] public async Task<IhttpActionResult> Get(int id) { Content content = await db.Contents.FindAsync(id); if (content == null) { return NotFound(); } return Ok(content); }@H_197_3@几个月来,我一直在寻找一个例子,但除了一些参考ThinkTexture产品和以下链接我没有找到任何东西
更新:
#region Assembly System.Web.http.dll,v5.2.2.0 // C:\Users\Richard\GitHub\abilitest-server\packages\Microsoft.AspNet.WebApi.Core.5.2.2\lib\net45\System.Web.http.dll #endregion using System; using System.Web.http.Controllers; using System.Web.http.Filters; namespace System.Web.http { // SumMary: // Specifies the authorization filter that verifies the request's System.Security.Principal.iprincipal. [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method,Inherited = true,AllowMultiple = truE)] public class AuthorizeAttribute : AuthorizationFilterAttribute { // SumMary: // Initializes a new instance of the System.Web.http.AuthorizeAttribute class. public AuthorizeAttribute(); // SumMary: // Gets or sets the authorized roles. // // Returns: // The roles String. public String Roles { get; set; } // // SumMary: // Gets a unique identifier for this attribute. // // Returns: // A unique identifier for this attribute. public override object TypEID { get; } // // SumMary: // Gets or sets the authorized users. // // Returns: // The users String. public String Users { get; set; } // SumMary: // Processes requests that fail authorization. // // Parameters: // actionContext: // The context. protected virtual void HandleUnauthorizedrequest(httpActionContext actionContext); // // SumMary: // InDicates whether the specified control is authorized. // // Parameters: // actionContext: // The context. // // Returns: // true if the control is authorized; otherwise,false. protected virtual bool IsAuthorized(httpActionContext actionContext); // // SumMary: // Calls when an action is being authorized. // // Parameters: // actionContext: // The context. // // Exceptions: // System.ArgumentNullException: // The context parameter is null. public override void OnAuthorization(httpActionContext actionContext); } }@H_197_3@
public class ClaimsAuthorize : AuthorizeAttribute { public String SubjectID { get; set; } public String LOCATIOnID { get; set; } protected override bool IsAuthorized(httpActionContext actionContext) { ClaimsIdentity claimsIdentity; var httpContext = httpContext.Current; if (!(httpContext.User.Identity is ClaimsIdentity)) { return false; } claimsIdentity = httpContext.User.Identity as ClaimsIdentity; var subIdClaims = claimsIdentity.FindFirst("SubjectId"); var locIdClaims = claimsIdentity.FindFirst("LOCATIOnId"); if (subIdClaims == null || locIdClaims == null) { // just extra defense return false; } var userSubId = subIdClaims.Value; var userLocId = subIdClaims.Value; // use your desired logic on 'userSubId' and `userLocId',maybe Contains if I get your example right? if (!this.SubjectID.Contains(userSubId) || !this.LOCATIOnID.Contains(userLocId)) { return false; } //ConTinue with the regular Authorize check return base.IsAuthorized(actionContext); } }@H_197_3@在您希望限制访问的控制器中,使用ClaimsAuthorize属性而不是正常Authorize:
[ClaimsAuthorize( SubjectID = "1,2",LOCATIOnID = "5,6,7")] [RoutePrefix("api/Content")] public class ContentController : BaseController { .... }@H_197_3@
以上是大佬教程为你收集整理的如何在不使用角色的情况下使用ASP.NET WebAPI实现基于声明的授权?全部内容,希望文章能够帮你解决如何在不使用角色的情况下使用ASP.NET WebAPI实现基于声明的授权?所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。