真实的国产乱ⅩXXX66竹夫人,五月香六月婷婷激情综合,亚洲日本VA一区二区三区,亚洲精品一区二区三区麻豆

成都創(chuàng)新互聯(lián)網(wǎng)站制作重慶分公司

asp.netcore策略授權(quán)-創(chuàng)新互聯(lián)

在《asp.net core認(rèn)證與授權(quán)》中講解了固定和自定義角色授權(quán)系統(tǒng)權(quán)限,其實我們還可以通過其他方式來授權(quán),比如可以通過角色組,用戶名,生日等,但這些主要取決于ClaimTypes,其實我們也可以自定義鍵值來授權(quán),這些統(tǒng)一叫策略授權(quán),其中更強(qiáng)大的是,我們可以自定義授權(quán)Handler來達(dá)到靈活授權(quán),下面一一展開。

員工經(jīng)過長期磨合與沉淀,具備了協(xié)作精神,得以通過團(tuán)隊的力量開發(fā)出優(yōu)質(zhì)的產(chǎn)品。創(chuàng)新互聯(lián)堅持“專注、創(chuàng)新、易用”的產(chǎn)品理念,因為“專注所以專業(yè)、創(chuàng)新互聯(lián)網(wǎng)站所以易用所以簡單”。公司專注于為企業(yè)提供成都網(wǎng)站建設(shè)、網(wǎng)站建設(shè)、微信公眾號開發(fā)、電商網(wǎng)站開發(fā),成都小程序開發(fā),軟件按需開發(fā)網(wǎng)站等一站式互聯(lián)網(wǎng)企業(yè)服務(wù)。

注意:下面的代碼只是部分代碼,完整代碼參照:https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86/PolicyPrivilegeManagement

首先看基于角色組,或用戶名,或基于ClaimType或自定義鍵值等授權(quán)策略,這些都是通過Services.AddAuthorization添加,并且是AuthorizationOptions來AddPolicy,這里策略的名稱統(tǒng)一用RequireClaim來命名,不同的請求的策略名稱各不相同,如用戶名時就用policy.RequireUserName(),同時,在登錄時,驗證成功后,要添加相應(yīng)的Claim到ClaimsIdentity中:

Startup.cs

       public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();
            services.AddAuthorization(options =>
            {
                //基于角色的策略
                 options.AddPolicy("RequireClaim", policy => policy.RequireRole("admin", "system"));
                //基于用戶名
                //options.AddPolicy("RequireClaim", policy => policy.RequireUserName("桂素偉"));
                //基于Claim
                //options.AddPolicy("RequireClaim", policy => policy.RequireClaim(ClaimTypes.Country,"中國"));
                //自定義值
                // options.AddPolicy("RequireClaim", policy => policy.RequireClaim("date","2017-09-02"));

            }).AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(options =>{
                options.LoginPath = new PathString("/login");
                options.AccessDeniedPath = new PathString("/denied");
            });          
        }

HomeController.cs

using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using PolicyPrivilegeManagement.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using System.Security.Claims;
namespace PolicyPrivilegeManagement.Controllers
{
    [Authorize(Policy = "RequireClaim")]
    public class HomeController : Controller
    {
        PermissionHandler _permissionHandler;
        public HomeController(IAuthorizationHandler permissionHandler)
        {
            _permissionHandler = permissionHandler as PermissionHandler;
        }
        public IActionResult Index()
        {
            return View();
        }
        public IActionResult PermissionAdd()
        {           
            return View();
        }

        public IActionResult Contact()
        {
            ViewData["Message"] = "Your contact page.";
            return View();
        }
        public IActionResult Error()
        {
            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
        }
        [AllowAnonymous]
        [HttpGet("login")]
        public IActionResult Login(string returnUrl = null)
        {
            TempData["returnUrl"] = returnUrl;
            return View();
        }
        [AllowAnonymous]
        [HttpPost("login")]
        public async Task Login(string userName, string password, string returnUrl = null)
        {
            var list = new List {
                new { UserName = "gsw", Password = "111111", Role = "admin",Name="桂素偉",Country="中國",Date="2017-09-02",BirthDay="1979-06-22"},
                new { UserName = "aaa", Password = "222222", Role = "system",Name="測試A" ,Country="美國",Date="2017-09-03",BirthDay="1999-06-22"}
            };
            var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
            if (user != null)
            {
                //用戶標(biāo)識
                var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
                identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
                identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
                identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
                identity.AddClaim(new Claim(ClaimTypes.Country, user.Country));
                identity.AddClaim(new Claim("date", user.Date));
                await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
                if (returnUrl == null)
                {
                    returnUrl = TempData["returnUrl"]?.ToString();
                }
                if (returnUrl != null)
                {
                    return Redirect(returnUrl);
                }
                else
                {
                    return RedirectToAction(nameof(HomeController.Index), "Home");
                }
            }
            else
            {
                const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤!";
                return BadRequest(badUserNameOrPasswordMessage);
            }
        }
        [HttpGet("logout")]
        public async Task Logout()
        {
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            return RedirectToAction("Index", "Home");
        }
        [AllowAnonymous]
        [HttpGet("denied")]
        public IActionResult Denied()
        {
            return View();
        }
    }
}

上面的授權(quán)策略都相對簡單,單一,使用場景也很有限,就和固定角色授權(quán)如出一轍,其實可以用更好的來例用授權(quán),那就是自定義授權(quán)Handler,我們在《asp.net core認(rèn)證與授權(quán)》一文中,是通過中間件來達(dá)到自定義解色的,現(xiàn)在我們換個思路,通過自定義授權(quán)Handler來實現(xiàn)。

首先定義一個UserPermission,即用戶權(quán)限實體類

    /// 
    /// 用戶權(quán)限
    /// 
    public class UserPermission
    {
        /// 
        /// 用戶名
        /// 
        public string UserName
        { get; set; }
        /// 
        /// 請求Url
        /// 
        public string Url
        { get; set; }
    }

接下來定義一個PermissionRequirement,為請求條件實體類

    /// 
    /// 必要參數(shù)類
    /// 
    public class PermissionRequirement : IAuthorizationRequirement
    {
        /// 
        /// 用戶權(quán)限集合
        /// 
        public  List UserPermissions { get;private set; }
        /// 
        /// 無權(quán)限action
        /// 
        public string DeniedAction { get; set; }
        /// 
        /// 構(gòu)造
        /// 
        /// 無權(quán)限action
        /// 用戶權(quán)限集合
        public PermissionRequirement(string deniedAction, List userPermissions)
        {
            DeniedAction = deniedAction;
            UserPermissions = userPermissions;
        }
    }

再定義自定義授權(quán)Hanlder,我們命名為PermissionHandler,此類必需繼承AuthorizationHandler,只用實現(xiàn)public virtualTask HandleAsync(AuthorizationHandlerContext context),些方法是用戶請求時驗證是否授權(quán)的主方法,所以實現(xiàn)與自定義角色中間件的Invoke很相似。

using Microsoft.AspNetCore.Authorization;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
namespace PolicyPrivilegeManagement.Models
{
    /// 
    /// 權(quán)限授權(quán)Handler
    /// 
    public class PermissionHandler : AuthorizationHandler
    {
        /// 
        /// 用戶權(quán)限
        /// 
        public List UserPermissions { get; set; }
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
        {
            //賦值用戶權(quán)限
            UserPermissions = requirement.UserPermissions;
            //從AuthorizationHandlerContext轉(zhuǎn)成HttpContext,以便取出表求信息
            var httpContext = (context.Resource as Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext).HttpContext;
            //請求Url
            var questUrl = httpContext.Request.Path.Value.ToLower();
            //是否經(jīng)過驗證
            var isAuthenticated = httpContext.User.Identity.IsAuthenticated;
            if (isAuthenticated)
            {
                if (UserPermissions.GroupBy(g => g.Url).Where(w => w.Key.ToLower() == questUrl).Count() > 0)
                {
                    //用戶名
                    var userName = httpContext.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Sid).Value;
                    if (UserPermissions.Where(w => w.UserName == userName && w.Url.ToLower() == questUrl).Count() > 0)
                    {
                        context.Succeed(requirement);
                    }
                    else
                    {
                        //無權(quán)限跳轉(zhuǎn)到拒絕頁面
                        httpContext.Response.Redirect(requirement.DeniedAction);
                    }
                }
                else
                {
                    context.Succeed(requirement);
                }
            }
            return Task.CompletedTask;
        }
    }
}

此次的Startup.cs的ConfigureServices發(fā)生了變化,如下

       public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();
            services.AddAuthorization(options =>
            {               
                //自定義Requirement,userPermission可從數(shù)據(jù)庫中獲得
                var userPermission = new List {
                              new UserPermission {  Url="/", UserName="gsw"},
                              new UserPermission {  Url="/home/permissionadd", UserName="gsw"},
                              new UserPermission {  Url="/", UserName="aaa"},
                              new UserPermission {  Url="/home/contact", UserName="aaa"}
                          };
                options.AddPolicy("Permission",
                          policy => policy.Requirements.Add(new PermissionRequirement("/denied", userPermission)));
            }).AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(options =>{
                options.LoginPath = new PathString("/login");
                options.AccessDeniedPath = new PathString("/denied");
            });
            //注入授權(quán)Handler
            services.AddSingleton();
        }

HomeController中代碼如下:

using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using PolicyPrivilegeManagement.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using System.Security.Claims;
namespace PolicyPrivilegeManagement.Controllers
{
    [Authorize(Policy = "Permission")]
    public class HomeController : Controller
    {
        PermissionHandler _permissionHandler;
        public HomeController(IAuthorizationHandler permissionHandler)
        {
            _permissionHandler = permissionHandler as PermissionHandler;
        }
        public IActionResult Index()
        {
            return View();
        }
        public IActionResult PermissionAdd()
        {           
            return View();
        }
        [HttpPost("addpermission")]
        public IActionResult AddPermission(string url,string userName)
        {       
            //添加權(quán)限
            _permissionHandler.UserPermissions.Add(new UserPermission { Url = url, UserName = userName });
            return Content("添加成功");
        }
        
        public IActionResult Contact()
        {
            ViewData["Message"] = "Your contact page.";
            return View();
        }
        public IActionResult Error()
        {
            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
        }
        [AllowAnonymous]
        [HttpGet("login")]
        public IActionResult Login(string returnUrl = null)
        {
            TempData["returnUrl"] = returnUrl;
            return View();
        }
        [AllowAnonymous]
        [HttpPost("login")]
        public async Task Login(string userName, string password, string returnUrl = null)
        {
            var list = new List {
                new { UserName = "gsw", Password = "111111", Role = "admin",Name="桂素偉",Country="中國",Date="2017-09-02",BirthDay="1979-06-22"},
                new { UserName = "aaa", Password = "222222", Role = "system",Name="測試A" ,Country="美國",Date="2017-09-03",BirthDay="1999-06-22"}
            };
            var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
            if (user != null)
            {
                //用戶標(biāo)識
                var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
                identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
                identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
                identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
                identity.AddClaim(new Claim(ClaimTypes.Country, user.Country));
                identity.AddClaim(new Claim("date", user.Date));
                await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
                if (returnUrl == null)
                {
                    returnUrl = TempData["returnUrl"]?.ToString();
                }
                if (returnUrl != null)
                {
                    return Redirect(returnUrl);
                }
                else
                {
                    return RedirectToAction(nameof(HomeController.Index), "Home");
                }
            }
            else
            {
                const string badUserNameOrPasswordMessage = "用戶名或密碼錯誤!";
                return BadRequest(badUserNameOrPasswordMessage);
            }
        }
        [HttpGet("logout")]
        public async Task Logout()
        {
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            return RedirectToAction("Index", "Home");
        }
        [AllowAnonymous]
        [HttpGet("denied")]
        public IActionResult Denied()
        {
            return View();
        }
    }
}

本例設(shè)計是當(dāng)用戶gsw密碼111111登錄時,是不能訪問/home/contact的,剛登錄時訪該action是不成功的,這里我們在/home/addpermission中添加一個Action名稱:/home/contact,用戶名:gsw的信息,此時再訪問/home/contact,會發(fā)現(xiàn)是可以訪問的,這是因為我們熱更新了PermissionHandler中的用戶權(quán)限集合,用戶的權(quán)限得到了擴(kuò)展和變化。

其實用中間件能達(dá)到靈活權(quán)限的設(shè)置,用自定義授權(quán)Handler也可以,接下來比較一下兩種做法的優(yōu)劣:


中間件

自定義授權(quán)Handler

用戶權(quán)限集合

靜態(tài)對象

實體化對象

熱更新時

用中間件名稱.用戶權(quán)限集合更新

因為在Startup.cs中,PermissionHandler是依賴注放的,可以在熱更新的構(gòu)造中獲取并操作

性能方面

每個action請求都會觸發(fā)Invock方法,標(biāo)記[AllowAnonymous]特性的Action也會觸發(fā)

只有標(biāo)記[Authorize]特性的Action會觸發(fā)該方法,標(biāo)記[AllowAnonymous]特性的Action不會觸發(fā),性能更優(yōu)化

最后,把授權(quán)策略做了個NuGet的包,大家可在asp.net core 2.0的項目中查詢 AuthorizePolicy引用使用這個包,包對應(yīng)的github地址:https://github.com/axzxs2001/AuthorizePolicy,歡迎大家提出建議,來共同完善這個授權(quán)策略。

創(chuàng)新互聯(lián)www.cdcxhl.cn,專業(yè)提供香港、美國云服務(wù)器,動態(tài)BGP最優(yōu)骨干路由自動選擇,持續(xù)穩(wěn)定高效的網(wǎng)絡(luò)助力業(yè)務(wù)部署。公司持有工信部辦法的idc、isp許可證, 機(jī)房獨(dú)有T級流量清洗系統(tǒng)配攻擊溯源,準(zhǔn)確進(jìn)行流量調(diào)度,確保服務(wù)器高可用性。佳節(jié)活動現(xiàn)已開啟,新人活動云服務(wù)器買多久送多久。


文章名稱:asp.netcore策略授權(quán)-創(chuàng)新互聯(lián)
當(dāng)前地址:http://weahome.cn/article/ipoip.html

其他資訊

在線咨詢

微信咨詢

電話咨詢

028-86922220(工作日)

18980820575(7×24)

提交需求

返回頂部