在《asp.net core认证与授权》中讲解了固定和自定义角色授权系统权限,其实我们还可以通过其他方式来授权,比如可以通过角色组,用户名,生日等,但这些主要取决于ClaimTypes,其实我们也可以自定义键值来授权,这些统一叫策略授权,其中更强大的是,我们可以自定义授权Handler来达到灵活授权,下面一一展开。

注意:下面的代码只是部分代码,完整代码参照:https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86/PolicyPrivilegeManagement

首先看基于角色组,或用户名,或基于ClaimType或自定义键值等授权策略,这些都是通过Services.AddAuthorization添加,并且是AuthorizationOptions来AddPolicy,这里策略的名称统一用RequireClaim来命名,不同的请求的策略名称各不相同,如用户名时就用policy.RequireUserName(),同时,在登录时,验证成功后,要添加相应的Claim到ClaimsIdentity中:

Startup.cs

 1         public void ConfigureServices(IServiceCollection services)
 2         {
 3             services.AddMvc();
 4             services.AddAuthorization(options =>
 5             {
 6 //基于角色组的策略
 7                 options.AddPolicy("RequireClaim", policy => policy.RequireRole("admin", "system"));
 8                 //基于用户名
 9                 //options.AddPolicy("RequireClaim", policy => policy.RequireUserName("桂素伟"));
10                 //基于ClaimType
11                 //options.AddPolicy("RequireClaim", policy => policy.RequireClaim(ClaimTypes.Country,"中国"));
12                 //自定义值
13                 // options.AddPolicy("RequireClaim", policy => policy.RequireClaim("date","2017-09-02"));                
14             }).AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(options =>{
15                 options.LoginPath = new PathString("/login");
16                 options.AccessDeniedPath = new PathString("/denied");
17             }); 
18         }

HomeController.cs

 1 using System;
 2 using System.Collections.Generic;
 3 using System.Diagnostics;
 4 using System.Linq;
 5 using System.Threading.Tasks;
 6 using Microsoft.AspNetCore.Mvc;
 7 using PolicyPrivilegeManagement.Models;
 8 using Microsoft.AspNetCore.Authorization;
 9 using Microsoft.AspNetCore.Authentication;
10 using Microsoft.AspNetCore.Authentication.Cookies;
11 using System.Security.Claims;
12 
13 namespace PolicyPrivilegeManagement.Controllers
14 {
15     [Authorize(Policy = "RequireClaim")]
16     public class HomeController : Controller
17     {       
18         public IActionResult Index()
19         {
20             return View();
21         }
22 
23         public IActionResult About()
24         {
25             ViewData["Message"] = "Your application description page.";
26             return View();
27         }
28         
29         public IActionResult Contact()
30         {
31             ViewData["Message"] = "Your contact page.";
32             return View();
33         }
34 
35         public IActionResult Error()
36         {
37             return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
38         }
39         [AllowAnonymous]
40         [HttpGet("login")]
41         public IActionResult Login(string returnUrl = null)
42         {
43             TempData["returnUrl"] = returnUrl;
44             return View();
45         }
46         [AllowAnonymous]
47         [HttpPost("login")]
48         public async Task<IActionResult> Login(string userName, string password, string returnUrl = null)
49         {
50             var list = new List<dynamic> {
51                 new { UserName = "gsw", Password = "111111", Role = "admin",Name="桂素伟",Country="中国",Date="2017-09-02",BirthDay="1979-06-22"},
52                 new { UserName = "aaa", Password = "222222", Role = "system",Name="测试A" ,Country="美国",Date="2017-09-03",BirthDay="1999-06-22"}
53             };
54             var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
55             if (user != null)
56             {
57                 //用户标识
58                 var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
59                 identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
60                 identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
61                 identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
62                 identity.AddClaim(new Claim(ClaimTypes.Country, user.Country));
63                 identity.AddClaim(new Claim("date", user.Date));
64 
65                 await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
66                 if (returnUrl == null)
67                 {
68                     returnUrl = TempData["returnUrl"]?.ToString();
69                 }
70                 if (returnUrl != null)
71                 {
72                     return Redirect(returnUrl);
73                 }
74                 else
75                 {
76                     return RedirectToAction(nameof(HomeController.Index), "Home");
77                 }
78             }
79             else
80             {
81                 const string badUserNameOrPasswordMessage = "用户名或密码错误!";
82                 return BadRequest(badUserNameOrPasswordMessage);
83             }
84         }
85         [HttpGet("logout")]
86         public async Task<IActionResult> Logout()
87         {
88             await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
89             return RedirectToAction("Index", "Home");
90         }
91         [AllowAnonymous]
92         [HttpGet("denied")]
93         public IActionResult Denied()
94         {
95             return View();
96         }
97     }
98 }

上面的授权策略都相对简单,单一,使用场景也很有限,就和固定角色授权如出一辙,其实可以用更好的来例用授权,那就是自定义授权Handler,我们在《asp.net core认证与授权》一文中,是通过中间件来达到自定义解色的,现在我们换个思路,通过自定义授权Handler来实现。

首先定义一个UserPermission,即用户权限实体类

 1 /// <summary>
 2     /// 用户权限
 3     /// </summary>
 4     public class UserPermission
 5     {
 6         /// <summary>
 7         /// 用户名
 8         /// </summary>
 9         public string UserName
10         { get; set; }
11         /// <summary>
12         /// 请求Url
13         /// </summary>
14         public string Url
15         { get; set; }
16     }

接下来定义一个PermissionRequirement,为请求条件实体类

 1 /// <summary>
 2     /// 必要参数类
 3     /// </summary>
 4     public class PermissionRequirement : IAuthorizationRequirement
 5     {
 6         /// <summary>
 7         /// 用户权限集合
 8         /// </summary>
 9         public  List<UserPermission> UserPermissions { get;private set; }
10         /// <summary>
11         /// 无权限action
12         /// </summary>
13         public string DeniedAction { get; set; }
14         /// <summary>
15         /// 构造
16         /// </summary>
17         /// <param name="deniedAction">无权限action</param>
18         /// <param name="userPermissions">用户权限集合</param>
19         public PermissionRequirement(string deniedAction, List<UserPermission> userPermissions)
20         {
21             DeniedAction = deniedAction;
22             UserPermissions = userPermissions;
23         }
24     }

再定义自定义授权Hanlder,我们命名为PermissionHandler,此类必需继承AuthorizationHandler<T>,只用实现public virtual Task HandleAsync(AuthorizationHandlerContext context),些方法是用户请求时验证是否授权的主方法,所以实现与自定义角色中间件的Invoke很相似。

 1 using Microsoft.AspNetCore.Authorization;
 2 using System.Collections.Generic;
 3 using System.Linq;
 4 using System.Security.Claims;
 5 using System.Threading.Tasks;
 6 
 7 namespace PolicyPrivilegeManagement.Models
 8 {
 9     /// <summary>
10     /// 权限授权Handler
11     /// </summary>
12     public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
13     {
14         /// <summary>
15         /// 用户权限
16         /// </summary>
17         public List<UserPermission> UserPermissions { get; set; }
18 
19         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
20         {
21             //赋值用户权限
22             UserPermissions = requirement.UserPermissions;
23             //从AuthorizationHandlerContext转成HttpContext,以便取出表求信息
24             var httpContext = (context.Resource as Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext).HttpContext;
25             //请求Url
26             var questUrl = httpContext.Request.Path.Value.ToLower();
27             //是否经过验证
28             var isAuthenticated = httpContext.User.Identity.IsAuthenticated;
29             if (isAuthenticated)
30             {
31                 if (UserPermissions.GroupBy(g => g.Url).Where(w => w.Key.ToLower() == questUrl).Count() > 0)
32                 {
33                     //用户名
34                     var userName = httpContext.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Sid).Value;
35                     if (UserPermissions.Where(w => w.UserName == userName && w.Url.ToLower() == questUrl).Count() > 0)
36                     {
37                         context.Succeed(requirement);
38                     }
39                     else
40                     {
41                         //无权限跳转到拒绝页面
42                         httpContext.Response.Redirect(requirement.DeniedAction );
43 }
44 }
45 else
46 {
47 context.Succeed(requirement);
48 }
49 }
50 return Task.CompletedTask;
51 }
52 }
53 }

此次的Startup.cs的ConfigureServices发生了变化,如下

 1      public void ConfigureServices(IServiceCollection services)
 2         {
 3             services.AddMvc();
 4             services.AddAuthorization(options =>
 5             {  
 6                  //自定义Requirement,userPermission可从数据库中获得
 7                 var userPermission= new List<UserPermission> {
 8                               new UserPermission {  Url="/", UserName="gsw"},
 9                               new UserPermission {  Url="/home/permissionadd", UserName="gsw"},
10                               new UserPermission {  Url="/", UserName="aaa"},
11                               new UserPermission {  Url="/home/contact", UserName="aaa"}
12                           };
13 
14                 options.AddPolicy("Permission",
15                           policy => policy.Requirements.Add(new PermissionRequirement("/denied", userPermission)));
16 
17             }).AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(options =>{
18                 options.LoginPath = new PathString("/login");
19                 options.AccessDeniedPath = new PathString("/denied");
20 
21             });
22             //注入授权Handler
23             services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
24         }

HomeController中代码如下:

  1 using System.Collections.Generic;
  2 using System.Diagnostics;
  3 using System.Linq;
  4 using System.Threading.Tasks;
  5 using Microsoft.AspNetCore.Mvc;
  6 using PolicyPrivilegeManagement.Models;
  7 using Microsoft.AspNetCore.Authorization;
  8 using Microsoft.AspNetCore.Authentication;
  9 using Microsoft.AspNetCore.Authentication.Cookies;
 10 using System.Security.Claims;
 11 
 12 namespace PolicyPrivilegeManagement.Controllers
 13 {
 14     [Authorize(Policy = "Permission")]   
 15     public class HomeController : Controller
 16     {
 17         PermissionHandler _permissionHandler;
 18         public HomeController(IAuthorizationHandler permissionHandler)
 19         {
 20             _permissionHandler = permissionHandler as PermissionHandler;
 21         }
 22         public IActionResult Index()
 23         {
 24             return View();
 25         }
 26 
 27         public IActionResult PermissionAdd()
 28         {           
 29             return View();
 30         }
 31 
 32         [HttpPost("addpermission")]
 33         public IActionResult AddPermission(string url,string userName)
 34         {       
 35             //添加权限
 36             _permissionHandler.UserPermissions.Add(new UserPermission { Url = url, UserName = userName });
 37             return Content("添加成功");
 38         }
 39         
 40         public IActionResult Contact()
 41         {
 42             ViewData["Message"] = "Your contact page.";
 43 
 44             return View();
 45         }
 46 
 47         public IActionResult Error()
 48         {
 49             return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
 50         }
 51         [AllowAnonymous]
 52         [HttpGet("login")]
 53         public IActionResult Login(string returnUrl = null)
 54         {
 55             TempData["returnUrl"] = returnUrl;
 56             return View();
 57         }
 58         [AllowAnonymous]
 59         [HttpPost("login")]
 60         public async Task<IActionResult> Login(string userName, string password, string returnUrl = null)
 61         {
 62             var list = new List<dynamic> {
 63                 new { UserName = "gsw", Password = "111111", Role = "admin",Name="桂素伟",Country="中国",Date="2017-09-02",BirthDay="1979-06-22"},
 64                 new { UserName = "aaa", Password = "222222", Role = "system",Name="测试A" ,Country="美国",Date="2017-09-03",BirthDay="1999-06-22"}
 65             };
 66             var user = list.SingleOrDefault(s => s.UserName == userName && s.Password == password);
 67             if (user != null)
 68             {
 69                 //用户标识
 70                 var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
 71                 identity.AddClaim(new Claim(ClaimTypes.Sid, userName));
 72                 identity.AddClaim(new Claim(ClaimTypes.Name, user.Name));
 73                 identity.AddClaim(new Claim(ClaimTypes.Role, user.Role));
 74                 identity.AddClaim(new Claim(ClaimTypes.Country, user.Country));
 75                 identity.AddClaim(new Claim("date", user.Date));
 76 
 77                 await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
 78                 if (returnUrl == null)
 79                 {
 80                     returnUrl = TempData["returnUrl"]?.ToString();
 81                 }
 82                 if (returnUrl != null)
 83                 {
 84                     return Redirect(returnUrl);
 85                 }
 86                 else
 87                 {
 88                     return RedirectToAction(nameof(HomeController.Index), "Home");
 89                 }
 90             }
 91             else
 92             {
 93                 const string badUserNameOrPasswordMessage = "用户名或密码错误!";
 94                 return BadRequest(badUserNameOrPasswordMessage);
 95             }
 96         }
 97         [HttpGet("logout")]
 98         public async Task<IActionResult> Logout()
 99         {
100             await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
101             return RedirectToAction("Index", "Home");
102         }
103         [AllowAnonymous]
104         [HttpGet("denied")]
105         public IActionResult Denied()
106         {
107             return View();
108         }
109     }
110 }

本例设计是当用户gsw密码111111登录时,是不能访问/home/contact的,刚登录时访该action是不成功的,这里我们在/home/addpermission中添加一个Action名称:/home/contact,用户名:gsw的信息,此时再访问/home/contact,会发现是可以访问的,这是因为我们热更新了PermissionHandler中的用户权限集合,用户的权限得到了扩展和变化。

其实用中间件能达到灵活权限的设置,用自定义授权Handler也可以,接下来比较一下两种做法的优劣:

 

中间件

自定义授权Handler

用户权限集合

静态对象

实体化对象

热更新时

用中间件名称.用户权限集合更新

因为在Startup.cs中,PermissionHandler是依赖注放的,可以在热更新的构造中获取并操作

性能方面

每个action请求都会触发Invock方法,标记[AllowAnonymous]特性的Action也会触发

只有标记[Authorize]特性的Action会触发该方法,标记[AllowAnonymous]特性的Action不会触发,性能更优化

 

最后,把授权策略做了个NuGet的包,大家可在asp.net core 2.0的项目中查询 AuthorizePolicy引用使用这个包,包对应的github地址:https://github.com/axzxs2001/AuthorizePolicy,欢迎大家提出建议,来共同完善这个授权策略。

分类:

技术点:

相关文章: