带有 Windows 身份验证的 webapi-use 声明

Question

该方法已使用 roles=admin 保护：

[Authorize(Roles = "admin")]
public class ValuesController : ApiController
{

    // GET api/values        
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }}

我成功地将声明与 Webapi 项目一起使用，其中选择了 Individual User Account，其中注入了声明 admin

public class ApplicationUser : IdentityUser
{
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager, string authenticationType)
    {
        // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
        var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);

        // Add custom user claims here
        userIdentity.AddClaim(new Claim(ClaimTypes.Role, "admin"));

        return userIdentity;
    }
}

现在我想用Windows authentication 选项进行测试，其中实现了 IAuthenticationFilter：

public class CustomAuthenticationFilter : IAuthenticationFilter
{
    public bool AllowMultiple { get { return true; } }
    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var windowsPrincipal = context.Principal as WindowsPrincipal;
        if (windowsPrincipal != null)
        {
            var name = windowsPrincipal.Identity.Name;
            // TODO: fetch claims from db (i guess based on name)
            var identity = new ClaimsIdentity(windowsPrincipal.Identity);

            identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));

            var claimsPrincipal = new ClaimsPrincipal(identity);
            // here is the punchline - we're replacing original windows principal 
            // with our own claims principal


            context.Principal = claimsPrincipal;
        }

        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        return Task.FromResult(0);
    }
}

并添加到类webapiconfig：

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Web API configuration and services
        config.Filters.Add(new CustomAuthenticationFilter());

        ...
    }
}

在调试webapi项目时声明admin在User.Identity.Claims中，但是在方法/api/values/get中无法授权。

有什么想法吗？

Answer 1

默认身份RoleClaimType 是identity/claims/groupsid，而不是role。

通过在ClaimsIdentity 构造函数中将RoleClaimType 设置为identity/claims/role，我们可以让它通过[Authorize(Roles = "admin")]

public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        var windowsPrincipal = context.Principal as WindowsPrincipal;
        if (windowsPrincipal != null)
        {
            var name = windowsPrincipal.Identity.Name;

            // TODO: fetch claims from db (i guess based on name)                
            var identity = new ClaimsIdentity(windowsPrincipal.Identity,
                null,
                "Negotiate",
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
                "http://schemas.microsoft.com/ws/2008/06/identity/claims/role");
            //identity

            identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));

            var claimsPrincipal = new ClaimsPrincipal(identity);
            // here is the punchline - we're replacing original windows principal 
            // with our own claims principal


            context.Principal = claimsPrincipal;
        }

        return Task.FromResult(0);
    }

这是新的身份：