c# - Asp Net Core 3.1 自定义角色授权
问题描述
我在ASP Net Forum上看到了针对 net core 2.2 的基本相同问题。当我尝试为我的 net core 3.1 应用程序实现时,出现错误
System.InvalidCastException: Unable to cast object of type 'System.Security.Claims.ClaimsIdentity' to type 'System.Security.Principal.WindowsIdentity'
错误发生在 RoleAuthHandler.cs 试图将 Identity 转换为 WindowsIdentity。
我想知道核心 2.2 和 3.1 之间是否有变化来解释这一点,或者我做错了什么。任何帮助都会很棒。
Startup.cs 包含
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddSingleton<IAuthorizationHandler, RoleAuthHandler>();
services.AddAuthorization(options =>
options.AddPolicy(
Role.Admin,
policy => policy.AddRequirements(new RoleRequirement(Role.Admin))));
}
角色.cs
public static class Role
{
public const string Guest = "Guest";
public const string Admin = "Admin";
}
角色需求.cs
public class RoleRequirement : IAuthorizationRequirement
{
public string[] Roles { get; }
public RoleRequirement(params string[] roles)
{
this.Roles = roles;
}
}
RoleAuthHandler.cs 包含
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
RoleRequirement requirement)
{
var wi = (WindowsIdentity)context.User.Identity;
var groupSet = new HashSet<string>();
if (wi.Groups != null)
{
foreach (var group in wi.Groups)
{
groupSet.Add(group.Translate(typeof(NTAccount)).ToString());
}
}
string[] userRoles = roleService.GetRolesForGroup(groupSet);
var intersectRoles = Enumerable.Intersect(userRoles, requirement.Roles, StringComparer.OrdinalIgnoreCase);
if (intersectRoles.Count() > 0)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
控制器类
[Authorize]
[ApiController]
[Route("[controller]")]
public class InterestingController : ControllerBase
{
[HttpGet]
public string Get()
{
return "Something Interesting";
}
}
解决方案
@Sayah imad - 感谢您的提醒。我在某处的帖子上看到了这个解决方案,然后将其驳回,因为我正在寻找的信息是“用户属于哪个组”。我没有意识到该信息在 ClaimsIdentity 中可用。你的提及,让我三思而后行,我找到了答案:
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
RoleRequirement requirement)
{
var claimsIdentity = (ClaimsIdentity)context?.User.Identity;
var userGroups = claimsIdentity.Claims
.Where(x => x.Type.Contains("groupsid", StringComparison.OrdinalIgnoreCase))
.ToList();
if (userGroups == null || !userGroups.Any())
{
return Task.CompletedTask;
}
var groupNames = new HashSet<string>();
foreach (var group in userGroups)
{
var groupName = new SecurityIdentifier(group.Value)
.Translate(typeof(NTAccount))
.ToString();
groupNames.Add(groupName);
}
var userRoles = this.authenticationService.GetRoles(groupNames.ToArray());
// If the user is an Admin, always allow
if (userRoles.Contains(Role.Admin))
{
context.Succeed(requirement);
return Task.CompletedTask;
}
var intersectingRoles = Enumerable.Intersect(
userRoles,
requirement?.Roles,
StringComparer.OrdinalIgnoreCase);
if (intersectingRoles?.Count() > 0)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
推荐阅读
- ansible - 让 ansible 跳过在运行 Ansible playbook 的机器上运行 play
- pine-script - Pine TradingView - multiple strategy.entry/exit
- javascript - res.render 传递的对象,它们叫什么?
- php - 无法从 EC2 PHP 连接到云 MongoDB
- java - 如何在 Android Studio 中为按钮创建自动动画
- matlab - 优化 FPGA 设计的建议
- r - 如何在r中分离箱线图?
- javascript - 如何为按钮编写代码以生成随机背景颜色渐变
- amazon-web-services - 错误:致命的 NoCredentialProviders:链中没有有效的提供者,原因是:EnvAccessKeyNotFound:
- amazon-web-services - cli 中的 SSM 参数将字符串评估为 api 请求