我正在从ASP.Net Framework转向ASP.Net Core .
在带有Web API 2项目的ASP.Net Framework中,我可以像这样自定义AuthorizeAttribute:
public class ApiAuthorizeAttribute : AuthorizationFilterAttribute
{
#region Methods
/// <summary>
/// Override authorization event to do custom authorization.
/// </summary>
/// <param name="httpActionContext"></param>
public override void OnAuthorization(HttpActionContext httpActionContext)
{
// Retrieve email and password.
var accountEmail =
httpActionContext.Request.Headers.Where(
x =>
!string.IsNullOrEmpty(x.Key) &&
x.Key.Equals("Email"))
.Select(x => x.Value.FirstOrDefault())
.FirstOrDefault();
// Retrieve account password.
var accountPassword =
httpActionContext.Request.Headers.Where(
x =>
!string.IsNullOrEmpty(x.Key) &&
x.Key.Equals("Password"))
.Select(x => x.Value.FirstOrDefault()).FirstOrDefault();
// Account view model construction.
var filterAccountViewModel = new FilterAccountViewModel();
filterAccountViewModel.Email = accountEmail;
filterAccountViewModel.Password = accountPassword;
filterAccountViewModel.EmailComparision = TextComparision.Equal;
filterAccountViewModel.PasswordComparision = TextComparision.Equal;
// Find the account.
var account = RepositoryAccount.FindAccount(filterAccountViewModel);
// Account is not found.
if (account == null)
{
// Treat the account as unthorized.
httpActionContext.Response = httpActionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
return;
}
// Role is not defined which means the request is allowed.
if (_roles == null)
return;
// Role is not allowed
if (!_roles.Any(x => x == account.Role))
{
// Treat the account as unthorized.
httpActionContext.Response = httpActionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
return;
}
// Store the requester information in action argument.
httpActionContext.ActionArguments["Account"] = account;
}
#endregion
#region Properties
/// <summary>
/// Repository which provides function to access account database.
/// </summary>
public IRepositoryAccount RepositoryAccount { get; set; }
/// <summary>
/// Which role can be allowed to access server.
/// </summary>
private readonly byte[] _roles;
#endregion
#region Constructor
/// <summary>
/// Initialize instance with default settings.
/// </summary>
public ApiAuthorizeAttribute()
{
}
/// <summary>
/// Initialize instance with allowed role.
/// </summary>
/// <param name="roles"></param>
public ApiAuthorizeAttribute(byte[] roles)
{
_roles = roles;
}
#endregion
}
在我自定义的AuthorizeAttribute中,我可以检查帐户是否有效,并将HttpStatusCode返回给客户端 .
我正在尝试在ASP.Net Core中做同样的事情,但我没有OnAuthorization来覆盖 .
我怎样才能在ASP.Net Framework中实现同样的功能?
谢谢,
2 回答
你接近这个错误了 . 从来没有真正鼓励为此编写自定义属性或扩展现有属性 . 由于 ASP.NET Core 角色仍然是系统的一部分,用于向后兼容,但现在也不鼓励这些角色 .
关于一些驱动架构变化以及它应该被利用的方式有一个很好的2部分系列here . 如果你仍然希望依赖角色,你可以这样做,但我建议使用政策 .
要连接策略,请执行以下操作:
为方便起见,我创建了一个
Policy
枚举 .装饰入口点如下:
AccountRequirement
只是一个占位符,它需要实现IAuthorizationRequirement
接口 .现在我们只需要创建一个处理程序并将其连接到DI .
其他资源
我的评论看起来很糟糕,因此我发布了一个答案,但只有在使用MVC时才有用:
我还注意到,在问题代码中,async关键字对于“HandleRequirementAsync”签名来说是多余的 . 我想返回Task.CompletedTask可能会很好 .