Specifying the Windows authentication scheme and roles does not work



How do I specify AuthenticationScheme = Windows and also check whether the user is a member of an AD group?

When I specify AuthenticationScheme, setting Roles no longer has any effect. Why not, and how can I work around it?

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class SomeController : Controller
{
    // this works (verbatim string: the backslash separates domain and group name)
    [Authorize(Roles = @"SOME.DOMAIN\SOME GROUP")]
    public IActionResult SomeAction(){ ... }

    // this works
    [Authorize(AuthenticationSchemes = "Windows")]
    // this doesn't work
    //[Authorize(Roles = @"SOME.DOMAIN\SOME GROUP",
    //   AuthenticationSchemes = "Windows")]
    public ActionResult SomeAction2(){ ... }
}

Full sample on GitHub


Some background

We have an AD group called SOME GROUP that a user must belong to in order to perform certain actions. Other parts of the web application use cookie auth, so I need to specify the authentication method on this particular controller.

Reference: Authorize with a specific scheme in ASP.NET Core

It turns out that the WindowsIdentity is preserved in the HttpContext.User object, which lets us check group/role membership ourselves.

Inline example

using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IIS;

[Authorize(AuthenticationSchemes = IISServerDefaults.AuthenticationScheme)]
public ActionResult SomeAction()
{
    // The identity is only a WindowsIdentity when the Windows scheme actually ran;
    // guard against null instead of passing it to the WindowsPrincipal constructor
    if (!(HttpContext.User.Identity is WindowsIdentity windowsIdentity))
        return Forbid();

    var windowsUser = new WindowsPrincipal(windowsIdentity);
    // verbatim string, because the role name contains a backslash
    var role = @"[MY-COMPUTER-NAME || AD GROUP NAME]\[GROUP NAME]";
    var isInRole = windowsUser.IsInRole(role);
    // todo: if not allowed, write code to handle it

    return View();
}

Full source


Policy example

using System;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// AuthorizationHandler<T>
public class RoleHandler : AuthorizationHandler<RoleRequirement>
{
    private readonly ILogger<RoleHandler> logger;

    public RoleHandler(ILogger<RoleHandler> logger)
    { this.logger = logger; }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RoleRequirement requirement)
    {
        // Only a WindowsIdentity can answer the group question; anything else leaves the requirement unmet
        if (!(context.User.Identity is WindowsIdentity windowsIdentity))
            return Task.CompletedTask;
        var windowsUser = new WindowsPrincipal(windowsIdentity);
        try
        {
            // IsInRole translates "DOMAIN\Group" to a SID and looks it up in the token's groups
            var hasRole = windowsUser.IsInRole(requirement.GroupName);
            if (hasRole)
                context.Succeed(requirement);
        }
        catch (Exception ex)
        {
            // e.g. the group name cannot be resolved; fail closed and log it
            logger.LogError(ex, "Unable to check groups the user belongs to");
        }
        return Task.CompletedTask;
    }
}

// IAuthorizationRequirement
public class RoleRequirement : IAuthorizationRequirement
{
    public RoleRequirement(string groupName)
    { GroupName = groupName; }
    /// <summary>
    /// The Windows / AD Group Name that is allowed to call the OMS API
    /// </summary>
    public string GroupName { get; }
}

// bound from the "Security" configuration section
public class SecurityOptions
{
    public string AllowedGroup { get; set; }
}

// action protected with the policy
[Authorize("Super User Role")]
public IActionResult Contact()
{ return View(); }

// startup.cs
public void ConfigureServices(IServiceCollection services)
{
    // pull group name from the config
    var securityOptions = Configuration.GetSection("Security").Get<SecurityOptions>();
    services.AddAuthentication(IISDefaults.AuthenticationScheme);
    services.AddAuthorization(options =>
    {
        options.AddPolicy("Super User Role", policy =>
        {
            policy.Requirements.Add(new RoleRequirement(securityOptions.AllowedGroup));
            policy.AddAuthenticationSchemes("Windows");
        });
    });
    services.AddSingleton<IAuthorizationHandler, RoleHandler>();
    // ...
}

Full source
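A variant of the policy handler above, added here as an example and not part of the asker's sample or of ASP.NET Core itself. Instead of relying on WindowsPrincipal.IsInRole, it resolves the configured group name to its SID once (via NTAccount.Translate, which only works on Windows) and then compares against the GroupSid claims that Windows authentication places on the principal. That comparison needs no name-to-SID translation at request time, so it gives the same answer whether the identity is still a WindowsIdentity or has been re-wrapped in a plain ClaimsPrincipal. The class names, the "S-1-5-32-544" sample (BUILTIN\Administrators) and the two constructed principals are assumptions made for the demo.

```csharp
using System;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Requirement: the group that may pass, given as "DOMAIN\Group" or as an SDDL SID string ("S-1-...").
public class GroupSidRequirement : IAuthorizationRequirement
{
    public SecurityIdentifier GroupSid { get; }

    public GroupSidRequirement(string groupNameOrSid)
    {
        // A literal SID needs no lookup. A name is resolved once, at startup, through the Windows
        // account APIs (Windows only); an unresolvable name throws IdentityNotMappedException,
        // so a misconfigured group name fails at startup instead of silently denying everyone.
        GroupSid = groupNameOrSid.StartsWith("S-1-", StringComparison.Ordinal)
            ? new SecurityIdentifier(groupNameOrSid)
            : (SecurityIdentifier)new NTAccount(groupNameOrSid).Translate(typeof(SecurityIdentifier));
    }
}

// Handler: succeed when any identity on the principal carries a GroupSid claim equal to the required SID.
// Windows authentication adds one GroupSid claim per token group, so no runtime name translation is needed.
public class GroupSidHandler : AuthorizationHandler<GroupSidRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, GroupSidRequirement requirement)
    {
        var wanted = requirement.GroupSid.Value;
        if (context.User.HasClaim(c => c.Type == ClaimTypes.GroupSid
                                     && string.Equals(c.Value, wanted, StringComparison.OrdinalIgnoreCase)))
        {
            context.Succeed(requirement);
        }
        // Not succeeding leaves the requirement unmet; the policy evaluator then denies access.
        return Task.CompletedTask;
    }
}

public static class GroupSidDemo
{
    // Runs the handler against a principal outside of any HTTP pipeline (useful in unit tests).
    public static async Task<bool> IsAllowedAsync(ClaimsPrincipal user, GroupSidRequirement requirement)
    {
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        await new GroupSidHandler().HandleAsync(context);
        return context.HasSucceeded;
    }

    public static async Task Main()
    {
        // Constructed sample: BUILTIN\Administrators is S-1-5-32-544 on every Windows machine,
        // so the demo needs no domain. A real deployment would pass @"SOME.DOMAIN\SOME GROUP".
        var requirement = new GroupSidRequirement("S-1-5-32-544");

        // Constructed principals shaped like what the Windows scheme produces (name + group SIDs).
        var member = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, @"SOME.DOMAIN\alice"),
            new Claim(ClaimTypes.GroupSid, "S-1-5-32-544"),
        }, "Windows"));

        var outsider = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, @"SOME.DOMAIN\bob"),
            new Claim(ClaimTypes.GroupSid, "S-1-5-32-545"), // BUILTIN\Users only
        }, "Windows"));

        Console.WriteLine($"alice allowed: {await IsAllowedAsync(member, requirement)}");
        Console.WriteLine($"bob allowed:   {await IsAllowedAsync(outsider, requirement)}");
    }
}
```

To wire it into the policy from the answer, register GroupSidHandler as the IAuthorizationHandler and add `new GroupSidRequirement(securityOptions.AllowedGroup)` to the "Super User Role" policy alongside `policy.AddAuthenticationSchemes("Windows")`. Because the requirement class resolves the name in its constructor, build it inside ConfigureServices so that a bad group name surfaces at startup.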

Windows authentication is different from every other authentication handler. ASP.NET does not perform the authentication; the Windows components do, and ASP.NET Core is handed the identity they create. It is not designed to be mixed with other authentication types: it is Windows and Anonymous, or just Windows.

Mixing it with anything else is unsupported, so even if it happens to work, you should not rely on it.
