I am working on a requirement where I check whether our request headers contain an Authorization header and, based on that header, call another server and return 403. Currently I have done it by creating a custom ActionAttribute:
using System;
using System.Globalization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

// FailureResponseModel and Error are the asker's own model types, defined elsewhere in the project.
public class ValidateAuthHeaderAttribute : ActionFilterAttribute
{
    private readonly ILogger<ValidateAuthHeaderAttribute> _logger;

    public ValidateAuthHeaderAttribute(ILogger<ValidateAuthHeaderAttribute> logger)
    {
        _logger = logger;
    }

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var httpContext = context.HttpContext;

        // Only the presence of the header is checked here, not its value or scheme.
        if (httpContext.Request.Headers.ContainsKey("Authorization"))
        {
            return;
        }

        var failureResponse = new FailureResponseModel
        {
            Result = false,
            ResultDetails = "Authorization header not present in request",
            Uri = httpContext.Request.Path.ToUriComponent(),
            Timestamp = DateTime.Now.ToString("s", CultureInfo.InvariantCulture),
            Error = new Error
            {
                Code = 108,
                Description = "Authorization header not present in request",
                Resolve = "Send Request with authorization header to avoid this error."
            }
        };

        var responseString = JsonConvert.SerializeObject(failureResponse);

        // Setting Result short-circuits the pipeline: the action never runs.
        context.Result = new ContentResult
        {
            Content = responseString,
            ContentType = "application/json",
            StatusCode = 403
        };
    }
}
I use this custom attribute on my controller / action methods like this:
[TypeFilter(typeof(ValidateAuthHeaderAttribute))]
Now everything works fine, but I have been reading the policy-based authorization docs for .NET Core. Since policies are now the recommended approach, I was thinking I could port my code to a custom policy.
Accepted answer
IMO, I suggest you keep using ValidateAuthHeaderAttribute; it is much easier.
If you insist on a policy, follow the steps below:
Requirement
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Newtonsoft.Json;

public class AuthorizationHeaderRequirement : IAuthorizationRequirement { }

public class AuthorizationHeaderHandler : AuthorizationHandler<AuthorizationHeaderRequirement>
{
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                         AuthorizationHeaderRequirement requirement)
    {
        // Requires the following import:
        // using Microsoft.AspNetCore.Mvc.Filters;
        // With the MVC AuthorizeFilter (ASP.NET Core 2.x) the resource is the filter context;
        // under endpoint routing (3.0 and later) it is the HttpContext, so this branch is skipped there.
        if (context.Resource is AuthorizationFilterContext mvcContext)
        {
            // Examine MVC-specific things like routing data.
            var httpContext = mvcContext.HttpContext;

            if (httpContext.Request.Headers.ContainsKey("Authorization"))
            {
                context.Succeed(requirement);
                return;
            }

            var failureResponse = new FailureResponseModel
            {
                Result = false,
                ResultDetails = "Authorization header not present in request",
                Uri = httpContext.Request.Path.ToUriComponent(),
                Timestamp = DateTime.Now.ToString("s", CultureInfo.InvariantCulture),
                Error = new Error
                {
                    Code = 108,
                    Description = "Authorization header not present in request",
                    Resolve = "Send Request with authorization header to avoid this error."
                }
            };

            var responseString = JsonConvert.SerializeObject(failureResponse);

            mvcContext.Result = new ContentResult
            {
                Content = responseString,
                ContentType = "application/json",
                StatusCode = 403
            };

            // Writes the 403 body from inside the handler, before the authorize filter finishes.
            await mvcContext.Result.ExecuteResultAsync(mvcContext);
        }

        return;
    }
}
Configure it in Startup.cs:

services.AddAuthorization(options =>
{
    options.AddPolicy("AuthorizationHeaderRequirement",
        policy => policy.Requirements.Add(new AuthorizationHeaderRequirement()));
});

services.AddSingleton<IAuthorizationHandler, AuthorizationHeaderHandler>();
Controller

[Authorize(Policy = "AuthorizationHeaderRequirement")]
public IActionResult Privacy()
{
    return View();
}
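The answer above writes the 403 body from inside the handler and relies on the resource being an AuthorizationFilterContext, which is only true for the MVC AuthorizeFilter on ASP.NET Core 2.x. The following is an added example, not code from the question or the accepted answer, showing the same policy on .NET 6 or later with endpoint routing, where the resource is the HttpContext and the response is produced by an IAuthorizationMiddlewareResultHandler instead of the handler itself. The requirement and handler names come from the answer; JsonForbidResultHandler, FailureBody, the /privacy route and the minimal-hosting Program are assumptions for this example. One caveat the example handles: for an anonymous caller the middleware reports Challenged rather than Forbidden and carries no AuthorizationFailure, so the result handler keys off the policy's requirements and the header rather than off failure reasons.

```csharp
// Added example (not from the question or the accepted answer).
// Assumes .NET 6+ minimal hosting and endpoint routing.
using System;
using System.Globalization;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class AuthorizationHeaderRequirement : IAuthorizationRequirement { }

public class AuthorizationHeaderHandler : AuthorizationHandler<AuthorizationHeaderRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   AuthorizationHeaderRequirement requirement)
    {
        // Under endpoint routing the resource is the HttpContext itself.
        // As on the original page, only the presence of the header is checked.
        if (context.Resource is HttpContext httpContext &&
            httpContext.Request.Headers.ContainsKey("Authorization"))
        {
            context.Succeed(requirement);
        }
        else
        {
            // Explicit failure; the response body is written by the result handler below,
            // not here, so the handler stays free of HTTP concerns.
            context.Fail();
        }
        return Task.CompletedTask;
    }
}

// Assumed response shape, mirroring the fields of the question's FailureResponseModel.
public record FailureBody(bool Result, string ResultDetails, string Uri, string Timestamp, int Code);

// Assumed name. Replaces the default challenge/forbid writer so that a failed
// AuthorizationHeaderRequirement yields the custom 403 JSON body.
public class JsonForbidResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _default = new();

    public async Task HandleAsync(RequestDelegate next, HttpContext context,
                                  AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        // An anonymous caller produces Challenged (no AuthorizationFailure), an authenticated
        // one produces Forbidden, so decide from the policy and the request rather than
        // from failure reasons.
        var headerRuleFailed = !authorizeResult.Succeeded
            && policy.Requirements.OfType<AuthorizationHeaderRequirement>().Any()
            && !context.Request.Headers.ContainsKey("Authorization");

        if (!headerRuleFailed)
        {
            // Some other requirement failed (or nothing did): keep framework behaviour.
            await _default.HandleAsync(next, context, policy, authorizeResult);
            return;
        }

        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsJsonAsync(new FailureBody(
            Result: false,
            ResultDetails: "Authorization header not present in request",
            Uri: context.Request.Path.ToUriComponent(),
            Timestamp: DateTime.UtcNow.ToString("s", CultureInfo.InvariantCulture),
            Code: 108));
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        builder.Services.AddAuthorization(options =>
            options.AddPolicy("AuthorizationHeaderRequirement",
                policy => policy.Requirements.Add(new AuthorizationHeaderRequirement())));
        builder.Services.AddSingleton<IAuthorizationHandler, AuthorizationHeaderHandler>();
        builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, JsonForbidResultHandler>();

        var app = builder.Build();
        app.UseAuthorization();

        // Assumed route; the policy name is the one used on the original page.
        app.MapGet("/privacy", () => "ok").RequireAuthorization("AuthorizationHeaderRequirement");
        app.Run();
    }
}
```

A request without an Authorization header to /privacy receives a 403 with the JSON body; a request with the header reaches the endpoint. Because the presence check is really an authentication concern, any policy that also calls RequireAuthenticatedUser would need UseAuthentication and a registered scheme in front of UseAuthorization, otherwise the default result handler's challenge has no scheme to invoke.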
Regarding "c# - Custom authorization policy", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/55866419/