我在带有WebApi的MVC项目中有简单的Cookie和持有者令牌授权。我想在我的标准 MVC 控制器上禁用持有者的访问。
这是我现在的情况:
- 标准 MVC 控制器访问:持有者或Cookie
- Web API 控制器访问:仅持有者
我想要:
- 标准 MVC 控制器访问:仅限 Cookie
- Web API 控制器访问:仅持有者
WebApiConfig.cs
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{action}/{id}",
defaults: new { id = RouteParameter.Optional }
);
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter("Bearer"));
}
}
Startup.Auth.cs
public partial class Startup
{
public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }
public void ConfigureAuth(IAppBuilder app)
{
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
app.UseOAuthBearerAuthentication(OAuthBearerOptions);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
}
是否可以具有自定义授权属性?像这样:[授权("OnlyCookie"]
我看到了类似的解决方案,但它是针对SinglePageAplication的,我不知道如何在我的.NET MVC 4应用程序中实现它 - 我在这里看到了它:https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme
当我尝试添加"AuthenticationScheme = "Cookie"时,编译器给了我错误:CookieAuthenticationOptions"不包含"AuthenticationScheme"的定义
您没有该属性,因为您没有使用 ASP.Net Core。您在问题上发布的链接 ASP.Net Core ASP.NEt 而不是MVC。
您可以通过创建自定义授权筛选器属性来执行相同的操作。让我们将其命名为CustomAuthorizeAttribute,实现将是:
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
public string AuthenticationType { get; private set; }
public CustomAuthorize(string authenticationType)
{
if (string.IsNullOrWhiteSpace(authenticationType))
{
throw new ArgumentNullException(nameof(authenticationType));
}
this.AuthenticationType = authenticationType;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (!httpContext.User.Identity.AuthenticationType.Equals(this.AuthenticationType, StringComparison.InvariantCultureIgnoreCase))
{
return false;
}
return base.AuthorizeCore(httpContext);
}
}
因此,您可以在控制器上像这样使用它:
[CustomAuthorize(DefaultAuthenticationTypes.ApplicationCookie)]