Edition 0 Updated to asp. Net core 0
Implement policy-based authorization
Yüklə 11,82 Mb. Pdf görüntüsü
|
|
Implement policy-based authorization
Custom authorization rules can also be written using authorization policies . This section provides an overview. For more information, see the ASP.NET Authorization Workshop . Custom authorization policies are registered in the Startup.ConfigureServices method using the service.AddAuthorization method. This method takes a delegate that configures an AuthorizationOptions argument. services. AddAuthorization (options => { options. AddPolicy ( "AdministratorsOnly" , policy => policy. RequireRole ( "Administrator" )); options. AddPolicy ( "EmployeesOnly" , policy => policy. RequireClaim ( "EmployeeNumber" )); options. AddPolicy ( "Over21" , policy => policy. Requirements . Add ( new MinimumAgeRequirement ( 21 ))); }); As shown in the example, policies can be associated with different types of requirements. After the policies are registered, they can be applied to an action or controller by passing the policy’s name as the Policy argument of the Authorize attribute (for example, [Authorize(Policy="EmployeesOnly")] ) Policies can have multiple requirements, not just one (as shown in these examples). In the previous example, the first AddPolicy call is just an alternative way of authorizing by role. If [Authorize(Policy="AdministratorsOnly")] is applied to an API, only users in the Administrator role will be able to access it. The second AddPolicy call demonstrates an easy way to require that a particular claim should be present for the user. The RequireClaim method also optionally takes expected values for the claim. If values are specified, the requirement is met only if the user has both a claim of the correct type and one of the specifi ed values. If you’re using the JWT bearer authentication middleware, all JWT properties will be available as user claims. The most interesting policy shown here is in the third AddPolicy method, because it uses a custom authorization requirement. By using custom authorization requirements, you can have a great deal of control over how authorization is performed. For this to work, you must implement these types: • A Requirements type that derives from IAuthorizationRequirement and that contains fields specifying the details of the requirement. In the example, this is an age field for the sample MinimumAgeRequirement type. • A handler that implements AuthorizationHandler , where T is the type of IAuthorizationRequirement that the handler can satisfy. The handler must implement the HandleRequirementAsync method, which checks whether a specified context that contains information about the user satisfies the requirement. 331 CHAPTER 8 | Make secure .NET Microservices and Web Applications If the user meets the requirement, a call to context.Succeed will indicate that the user is authorized. If there are multiple ways that a user might satisfy an authorization requirement, multiple handlers can be created. In addition to registering custom policy requirements with AddPolicy calls, you also need to register custom requirement handlers via Dependency Injection ( services.AddTransient ). An example of a custom authorization requirement and handler for checking a user’s age (base d on a DateOfBirth claim) is available in the ASP.NET Core authorization documentation . Yüklə 11,82 Mb. Dostları ilə paylaş:
|