使用 .net 核心应用程序实现自定义策略。
假设我们有一个非常简单的自定义策略:
internal class RequireNamePolicy : AuthorizationHandler<RequireNameRequirement>, IAuthorizationRequirement
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RequireNameRequirement requirement)
{
var nameClaim = context.User.Claims.FirstOrDefault(c => c.Type == Claims.Name);
if (nameClaim != null && nameClaim.Value == "Chimney Spork")
{
context.Succeed(requirement);
}
else
{
context.Fail();
}
return Task.CompletedTask;
}
}
internal class RequireNameRequirement : IAuthorizationRequirement
{
}
现在假设声明不存在,所以我们点击 context.Fail()。
默认响应是没有消息正文的 403。
我的问题是,我们将在哪里更改状态代码(到 401)并返回说明问题的消息(即声明不存在)?
最佳答案
context.Resource as AuthorizationFilterContext 在 net core 3.1 中为 null
最后,我将方法重写为:
public class SysUserAuthHandler : AuthorizationHandler<SysUserAuthRequirement> {
private readonly IFetchLoginUser fetchUser;
private readonly IHttpContextAccessor httpContextAccessor;
public SysUserAuthHandler( IFetchLoginUser fetchLoginUser, IHttpContextAccessor httpContextAccessor ) {
fetchUser = fetchLoginUser;
this.httpContextAccessor = httpContextAccessor;
}
protected override Task HandleRequirementAsync( AuthorizationHandlerContext context, SysUserAuthRequirement requirement ) {
var httpContext = httpContextAccessor.HttpContext;
byte[] bytes;
string msg;
if (!string.IsNullOrWhiteSpace( context.User.Identity.Name )) {
var myUser = fetchUser.LoadUser( context.User.Identity.Name, SystemEnum.FooSytem);
if ((myUser.Auth & requirement.Auth) == requirement.Auth) {
context.Succeed( requirement );
return Task.CompletedTask;
}
msg = requirement.Auth switch {
1 => "You don't have Auth of Maker",
2 => "You don't have Auth of Checker",
4 => "You don't have Auth of Admin",
8 => "You don't have Auth of Operator",
_ => "You don't have Auth"
};
}
else {
msg = "User Invalid, Please check your login status or login again";
}
bytes = Encoding.UTF8.GetBytes( msg );
httpContext.Response.StatusCode = 405;
httpContext.Response.ContentType = "application/json";
httpContext.Response.Body.WriteAsync( bytes, 0, bytes.Length );
//context.Succeed( requirement );
return Task.CompletedTask;
}
}
public class SysUserAuthRequirement : IAuthorizationRequirement {
public long Auth { get; private set; }
public SysUserAuthRequirement( long auth ) {
Auth = auth;
}
}
不要忘记在启动中添加这一行
services.AddHttpContextAccessor();
关于.net - 如何更改状态代码并从失败的 AuthorizationHandler 策略中添加消息,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/48889688/