要将 Controller 标记为需要授权,您通常会像这样装饰它:
[Authorize]
public class MyController : Controller
我们的身份验证是通过第 3 方提供商进行的,并且考虑到它的设置方式,我们只希望它在我们的生产环境中实际生效,例如,我们不希望它在 QA 环境中处于事件状态。在 Startup.cs 文件中关闭环境很容易,但是有没有办法有条件地装饰 Controller ?我开始研究政策和角色,看起来它可能会被黑客入侵,但有更好的方法吗?
最佳答案
如果您使用的是 Asp.NET Core,请按照此处的文档操作:
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.1 https://learn.microsoft.com/en-us/aspnet/core/security/authorization/dependencyinjection?view=aspnetcore-2.1
您可以像这样制定您的自定义政策:
public class EnvironmentAuthorize : IAuthorizationRequirement
{
public string Environment { get; set; }
public EnvironmentAuthorize(string env)
{
Environment = env;
}
}
public class EnvironmentAuthorizeHandler : AuthorizationHandler<EnvironmentAuthorize>
{
private readonly IHostingEnvironment envionment;
public EnvironmentAuthorizeHandler(IHostingEnvironment env)
{
envionment = env;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EnvironmentAuthorize requirement)
{
if (requirement.Environment != envionment.EnvironmentName)
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
在 Startup.cs 中:
services.AddAuthorization(options =>
{
options.AddPolicy("ProductionOnly", policy =>
policy.Requirements.Add(new EnvironmentAuthorize("Production")));
});
services.AddSingleton<IAuthorizationHandler, EnvironmentAuthorizeHandler>();
在 Controller 中:
[Authorize(Policy = "ProductionOnly")]
public class MyController : Controller
虽然这是可能的,但我不推荐这样做,在不同的环境中有不同的行为确实是一场噩梦。
关于c# - 具有 [Authorize] 的环境相关 Controller ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/52434560/