Authorization其目标就是验证Http请求能否通过验证。ASP.Net Core提供了很多种Authorization方式,详细可以参考 微软官方文档。在这里只详细介绍2种方式:
- Policy
- Custom Attribute
1. Policy : 策略授权
先定义一个IAuthorizationRequirement类来定义策略的要求,以下例子支持传递一个age参数。
public class AdultPolicyRequirement : IAuthorizationRequirement { public int Age { get; } public AdultPolicyRequirement(int age) { //年龄限制 this.Age = age; } } 然后定义策略要求的Handler,当提供的Controller被请求时先根据请求的Http报文来决定是否可以通过验证。
public class AdultAuthorizationHandler : AuthorizationHandler { protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AdultPolicyRequirement requirement) { //获取当前http请求的context对象 var mvcContext = context.Resource as AuthorizationFilterContext; //以下代码都不是必须的,只是展示一些使用方法,你可以选择使用 ...... // var age = mvcContext.HttpContext.Request.Query.FirstOrDefault(u => u.Key == "age"); if (age.Value.Count <= 0|| Convert.ToInt16(age.Value[0]) < requirement.Age) { context.Fail(); } else { //通过验证,这句代码必须要有 context.Succeed(requirement); } return Task.CompletedTask; } } 还需要在启动时,在services里注册定义的策略和对应的Handler
//添加二种认证策略,一种以12岁为界限,一种是18岁 services.AddAuthorization(options => { options.AddPolicy("Adult1", policy => policy.Requirements.Add(new AdultPolicyRequirement(12))); options.AddPolicy("Adult2", policy => policy.Requirements.Add(new AdultPolicyRequirement(18))); }); //添加策略验证handler services.AddSingleton(); 最后在相应的Controller前加上Authroize特性 [Authorize("Adult1")]。总体上Policy这种方式比较简单,但是也有不灵活的地方,不同的策略要求都需要提前在services里注册。完整的例子可以参考 PolicySample
2. Custom Attribute:自定义特性
这里其实是第一种Policy策略和自定义特性的结合,从而实现在Controller的具体方法位置自定义不同参数的Policy策略。
首先需要定义这个Attribute和策略要求类
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)] public class PermissionCheckAttribute : AuthorizeAttribute { public string Id { get; set; } public int Operation { get; set; } public PermissionCheckAttribute() : base("PermissionCheck") { } } public class PermissionCheckPolicyRequirement : IAuthorizationRequirement { //Add any custom requirement properties if you have them public PermissionCheckPolicyRequirement() { } } 再定义策略和Attribute对应的Handler处理类
public class PermissionCheckPolicyHandler : AttributeAuthorizationHandler<PermissionCheckPolicyRequirement, PermissionCheckAttribute> { protected override Task HandleRequirementAsync(AuthorizationHandlerContext authoriazationContext, PermissionCheckPolicyRequirement requirement, IEnumerable<PermissionCheckAttribute> attributes) { var context = authoriazationContext.Resource as AuthorizationFilterContext; foreach (var permissionAttribute in attributes) { this.checkPermission(context, permissionAttribute.Id, permissionAttribute.Operation); } authoriazationContext.Succeed(requirement); return Task.FromResult<object>(null); } private void checkPermission(AuthorizationFilterContext context, string _Id, int _Operation) { if (_Operation > 0) { if (_Id != "user1") { throw new Exception("不具备操作权限"); } } else { //dosomething } return; } } 同样还需要在service里添加策略和策略处理类,这里不贴代码了。最后在Controller里使用带参数的Attribute,类似如下:
[HttpGet] [PermissionCheck (Id ="user1", Operation=2)] public IEnumerable Get() { return new string[] { "value1", "value2" }; } // GET api/values/5 [HttpGet("{id}")] [PermissionCheck(Id = "user2", Operation = 4)] public string Get(int id) { return "value"; } 完整的代码参考Github地址
转:https://www.jianshu.com/p/0ed4d820809c