时间戳

首页 > 解决方案 > 具有多个要求的自定义授权策略在应用于控制器操作时不起作用

asp.net-core - 具有多个要求的自定义授权策略在应用于控制器操作时不起作用

问题描述

我有一个 .NET Core 3 WebAPI,我想在其中使用基于策略的自定义授权,其中一个策略有多个要求。

我已将策略添加到 DI中Startup.ConfigureServices()并添加到:MyCustomPolicyHandler

public virtual void ConfigureServices(IServiceCollection services)
{
    services.AddAuthorization(options =>
    {
        options.AddPolicy("MyCustomPolicy", policy =>
        {
            policy.Requirements.Add(new RequirementA());
            policy.Requirements.Add(new RequirementB());
            policy.Requirements.Add(new RequirementC());
            policy.Requirements.Add(new RequirementD());
            
        });
        
        services.AddScoped<IAuthorizationHandler, MyCustomPolicyHandler>();
        
    });                
}

我已经MyCustomPolicyHandler使用本文档中的示例实现了: ASP.NET Core 中基于策略的授权

public class MyCustomPolicyHandler: IAuthorizationHandler
{

    public Task HandleAsync(AuthorizationHandlerContext context)
    {
    
        var pendingRequirements = context.PendingRequirements.ToList();         
        
        Console.WriteLine($"MyCustomPolicyHandler: {pendingRequirements.Count} requirements");
        
        foreach (var requirement in pendingRequirements)
        {
            if(requirement is RequirementA) {
            
                // do stuff to check the requirements
                context.Succeed(requirement);
                
            }
            else if(requirement is RequirementB) {
                
                // do stuff to check the requirements
                context.Succeed(requirement);
            
            }
            else if(requirement is RequirementC) {
            
                // do stuff to check the requirements
                context.Succeed(requirement);
                
            }
            else if(requirement is RequirementD) {
                
                // do stuff to check the requirements
                context.Succeed(requirement);
            
            }
        }
        
        return Task.CompletedTask;
    
    }
}

接下来,我将策略应用于控制器操作之一:

public class MyController 
{
    [HttpGet]
    [Authorize(Policy="MyCustomPolicy")]    
    public ActionResult<SomeViewModel> Get(int id) {
    
        // do stuff
        
        return Ok(vm);
    }

}

我遇到的问题是没有与策略相关的要求。消息显示Console.WriteLine()0 个要求:

MyCustomPolicyHandler: 0 requirements

如果我将策略移至控制器,则存在以下要求:

[Authorize(Policy="MyCustomPolicy")]
public class MyController 
{
    [HttpGet]
    public ActionResult<SomeViewModel> Get(int id) {
    
        // do stuff
        
        return Ok(vm);
    }

}

MyCustomPolicyHandler: 4 requirements

但是,我需要将此策略应用于操作,而不是控制器。[Authorize(Policy="MyCustomPolicy")] 属性应该在操作级别起作用。

知道为什么这不起作用吗?

谢谢。

标签: asp.net-coreasp.net-core-webapiauthorize-attribute

解决方案

MyCustomPolicyHandler因为注射的地方放错了。它需要放在外面AddAuthorization

services.AddAuthorization(options =>
{
     options.AddPolicy("MyCustomPolicy", policy =>
     {
         policy.Requirements.Add(new RequirementA());
         //...
     });          
});

services.AddScoped<IAuthorizationHandler, MyCustomPolicyHandler>();

结果: 在此处输入图像描述

推荐阅读