Extensions static class works in development configuration but not in release/production



I have set up a static class to extend ClaimsPrincipal, together with a SystemRoles static class that declares the group/role values to be used throughout the application. Below is a simplified version with any client-specific values/roles/methods removed, but it still demonstrates the real use case.

using System.Security.Claims;

namespace App.Authentication
{
    /// <summary>
    /// Helper extension methods for checking role membership.
    /// </summary>
    public static class ClaimsPrincipalExtensions
    {
        /// <summary>
        /// Returns true if the user has the System Administrator role.
        /// </summary>
        /// <param name="principal">The current user.</param>
        /// <returns>bool</returns>
        public static bool IsSysAdmin(this ClaimsPrincipal principal)
        {
            return principal != null &&
                   (
                       principal.HasClaim(ClaimTypes.GroupSid, SystemGroups.SysAdmin)
                    || principal.HasClaim(ClaimTypes.Role, SystemRoles.SysAdmin)
                   );
        }

        /// <summary>
        /// Returns true if the user has the Manager role.
        /// </summary>
        /// <param name="principal">The current user.</param>
        /// <returns>bool</returns>
        public static bool IsManager(this ClaimsPrincipal principal)
        {
            return principal != null &&
                   (
                       principal.HasClaim(ClaimTypes.GroupSid, SystemGroups.Manager)
                    || principal.HasClaim(ClaimTypes.Role, SystemRoles.Manager)
                   );
        }

        /// <summary>
        /// Returns true if the user is either a System Administrator or a Manager.
        /// </summary>
        public static bool CanManageWorkersAcrossBranches(this ClaimsPrincipal principal)
        {
            // Parenthesised so the null check guards both calls (&& binds tighter than ||).
            return principal != null && (principal.IsSysAdmin() || principal.IsManager());
        }
    }
}

namespace App.Authentication
{
    public static class SystemGroups
    {
        public const string Manager = "Manager";
        public const string SysAdmin = "SysAdmin";
        // SysAdmin is tacked on to all role combinations as that role is granted access to all parts of the application
        public const string CanManageWorkersAcrossBranches = "Manager, SysAdmin";
    }

    public static class SystemRoles
    {
        public const string Manager = @"DOMAIN\Manager";
        public const string SysAdmin = @"DOMAIN\SysAdmin";
        // SysAdmin is tacked on to all role combinations as that role is granted access to all parts of the application
        public const string CanManageWorkersAcrossBranches = @"DOMAIN\Manager, DOMAIN\SysAdmin";
    }
}

When either method is used in a controller or a view while running in development mode, it works as expected. However, when they are used in production mode, they always return false.

    public async Task<IEnumerable<WorkerProfileListViewModel>> GetWorkerProfile()
    {
        var profiles = this._profileService.AllWorkerProfiles(activeOnly: false);
        // If a user cannot view workers across branches, then filter the data down to their branch only.
        // This returns `false` when it should return `true`
        if (!User.CanManageWorkersAcrossBranches())
        {
            var currentWorker = await this._workerService.GetCurrentWorkerAsync(User);
            profiles = profiles.Where(p => p.BranchCode == currentWorker.BranchCode);
        }
        return profiles.Select(wp => new WorkerProfileListViewModel(wp));
    }

Figured out the problem. principal.HasClaim(ClaimTypes.Role, SystemRoles.SysAdmin) was failing because the claim's value is not the human-readable name used when configuring the AD user group, which is the value used in the SystemRoles static class.

Replacing principal.HasClaim(ClaimTypes.Role, SystemRoles.SysAdmin) with principal.IsInRole(SystemRoles.SysAdmin) works both in the dev env, which uses a ClaimsTransformer, and in the deployed env, which has no transformer and uses real user accounts configured with the various user groups/roles.

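Added example, not code from the question or the answer: the extension class rebuilt around principal.IsInRole as the answer suggests, with a small self-check that exercises both role combinations, the no-role and null cases, and the claim shape that produced the "always false" symptom. The SystemRoles names come from the question; the Program and Check helpers, the test principals and the SID value are constructed for illustration.

```csharp
using System;
using System.Security.Claims;
namespace App.Authentication
{
    public static class SystemRoles
    {
        public const string Manager = @"DOMAIN\Manager";
        public const string SysAdmin = @"DOMAIN\SysAdmin";
    }
    public static class ClaimsPrincipalExtensions
    {
        // IsInRole lets the identity decide how a role name is matched: a WindowsPrincipal
        // resolves the name against the token's group SIDs, a ClaimsIdentity compares it to
        // claims of its RoleClaimType. HasClaim(ClaimTypes.Role, name) only ever matched the
        // name claims the dev-time ClaimsTransformer emitted.
        public static bool IsSysAdmin(this ClaimsPrincipal p) => p != null && p.IsInRole(SystemRoles.SysAdmin);
        public static bool IsManager(this ClaimsPrincipal p) => p != null && p.IsInRole(SystemRoles.Manager);
        // Parenthesised: the question's `a && b || c` evaluated c even for a null principal.
        public static bool CanManageWorkersAcrossBranches(this ClaimsPrincipal p) =>
            p != null && (p.IsSysAdmin() || p.IsManager());
    }
    public static class Program
    {
        // Shaped like the dev ClaimsTransformer output: role claims carry the group names.
        static ClaimsPrincipal DevPrincipal(params string[] roles)
        {
            var id = new ClaimsIdentity("Test");
            foreach (var r in roles) id.AddClaim(new Claim(ClaimTypes.Role, r));
            return new ClaimsPrincipal(id);
        }
        // Shaped like raw Windows auth: GroupSid claims only (the SID is a constructed placeholder).
        // A name lookup against these never matches, which is the production symptom.
        static ClaimsPrincipal SidOnlyPrincipal(params string[] sids)
        {
            var id = new ClaimsIdentity("Windows", ClaimTypes.Name, ClaimTypes.GroupSid);
            foreach (var s in sids) id.AddClaim(new Claim(ClaimTypes.GroupSid, s));
            return new ClaimsPrincipal(id);
        }
        static void Check(bool ok, string what) { if (!ok) throw new InvalidOperationException("FAILED: " + what); }
        public static void Main()
        {
            Check(DevPrincipal(SystemRoles.SysAdmin).CanManageWorkersAcrossBranches(), "SysAdmin allowed");
            Check(DevPrincipal(SystemRoles.Manager).CanManageWorkersAcrossBranches(), "Manager allowed");
            Check(!DevPrincipal().CanManageWorkersAcrossBranches(), "no roles denied");
            Check(!((ClaimsPrincipal)null).CanManageWorkersAcrossBranches(), "null principal denied");
            var sidOnly = SidOnlyPrincipal("S-1-5-21-0-0-0-1105");
            Check(!sidOnly.HasClaim(ClaimTypes.Role, SystemRoles.SysAdmin), "name lookup fails on SID claims");
            Console.WriteLine("all checks passed");
        }
    }
}
```

Only a real WindowsPrincipal translates an account name to a SID inside IsInRole, so the SidOnlyPrincipal case reproduces the symptom rather than the fix; running the checks against the principal each environment actually produces is what catches this drift before deployment.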