要将控制器标记为需要授权,通常按如下方式装饰它:
[Authorize]
public class MyController : Controller
我们的身份验证是通过第三方提供商进行的,考虑到它的设置方式,我们只希望它在我们的生产环境中实际生效,例如,我们不希望它在 QA 环境中处于活动状态。在 Startup.cs 文件中关闭环境很容易,但有没有办法有条件地装饰控制器?我开始查看策略和角色,似乎它可能会被黑客入侵,但有更好的方法吗?
如果您使用的是 Asp.NET Core,请按照此处的文档进行操作:
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1 https://learn.microsoft.com/en-us/aspnet/core/security/authorization/dependencyinjection?view=aspnetcore-2.1
您可以像这样制定自定义策略:
public class EnvironmentAuthorize : IAuthorizationRequirement
{
public string Environment { get; set; }
public EnvironmentAuthorize(string env)
{
Environment = env;
}
}
public class EnvironmentAuthorizeHandler : AuthorizationHandler<EnvironmentAuthorize>
{
private readonly IHostingEnvironment envionment;
public EnvironmentAuthorizeHandler(IHostingEnvironment env)
{
envionment = env;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EnvironmentAuthorize requirement)
{
if (requirement.Environment != envionment.EnvironmentName)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
In de Startup.cs:
services.AddAuthorization(options =>
{
options.AddPolicy("ProductionOnly", policy =>
policy.Requirements.Add(new EnvironmentAuthorize("Production")));
});
services.AddSingleton<IAuthorizationHandler, EnvironmentAuthorizeHandler>();
在控制器中:
[Authorize(Policy = "ProductionOnly")]
public class MyController : Controller
虽然有可能,但我不能推荐这样做,在不同的环境中有不同的行为确实是一场噩梦。