Using .NET Core 5 - as I understand it, every user (logged in or not) is assigned an identity. So by default an anonymous user is assigned, with Identity.User.IsAuthenticated == false.
I don't know how to express this as a policy. Does anyone know how to create an authorization policy that represents these anonymous users?
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class AuthorizationServiceExtensions
{
    public static void AddAuthorizationAndPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Policy for logged in user - straightforward
            options.AddPolicy("IsLoggedIn",
                policy => policy.RequireAuthenticatedUser());

            // Policy for admin user - straightforward
            options.AddPolicy("IsAdminUser",
                policy => policy.RequireRole("Admin"));

            // Policy for anonymous users - *** How to do this ***?
            options.AddPolicy("IsAnonymousUser",
                policy => policy.AddRequirements()); //???
        });
    }
}
You can add a PermissiveAuthorizationPolicy like this and let anyone through:
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// ReverseProxyConfig.AuthPolicyName is a policy-name constant from the answerer's own project.
services.AddAuthorization(options =>
{
    options.AddPolicy(ReverseProxyConfig.AuthPolicyName, policy =>
        policy.Requirements.Add(new PermissiveAuthorizationPolicy())
    );
});

// The class is both the requirement and its handler. No DI registration is needed:
// the framework's built-in PassThroughAuthorizationHandler invokes any requirement
// that also implements IAuthorizationHandler.
public class PermissiveAuthorizationPolicy : AuthorizationHandler<PermissiveAuthorizationPolicy>, IAuthorizationRequirement
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissiveAuthorizationPolicy requirement)
    {
        // Unconditionally mark the requirement as met, so every principal passes.
        context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
Well, it seems one way to do this is to create a custom authorization requirement class and then create a policy that uses it.
Create a custom authorization class (in this example named "AllowAnonymousAuthorizationRequirement")...
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Requirement and handler in one class; the framework's PassThroughAuthorizationHandler
// calls it, so no AddSingleton<IAuthorizationHandler, ...>() registration is required.
public class AllowAnonymousAuthorizationRequirement :
    AuthorizationHandler<AllowAnonymousAuthorizationRequirement>, IAuthorizationRequirement
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AllowAnonymousAuthorizationRequirement requirement)
    {
        var user = context.User;
        // A principal may carry several identities; it is anonymous only if none is authenticated.
        var userIsAnonymous = user?.Identity == null || !user.Identities.Any(i => i.IsAuthenticated);

        // Success is user IS anonymous. Without Succeed() the requirement stays unmet
        // and the policy fails for authenticated users.
        if (userIsAnonymous)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}
Then add a policy that uses the new custom requirement...
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class AuthorizationServiceExtensions
{
    public static void AddAuthorizationAndPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("IsAnonymousUser",
                policy => policy.AddRequirements(new AllowAnonymousAuthorizationRequirement()));
        });
    }
}
Note that this policy will reject authenticated users - so in its current state it is only useful specifically for anonymous users.
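As an added example that is not part of either answer above, the following console program wires the "anonymous only" policy from this answer and the "let anyone through" policy from the earlier answer into a bare authorization container, then evaluates both against a constructed unauthenticated principal and a constructed authenticated one. It assumes a project that references the Microsoft.AspNetCore.App shared framework (so Microsoft.AspNetCore.Authorization and AddLogging are available); the class names AnonymousOnlyRequirement and AnonymousOnlyHandler, the policy names and the claim values are mine. It differs from the answer in keeping the requirement and its handler in separate classes, which is the pattern the framework documents and lets the handler take constructor dependencies.

```csharp
// Added example, not code from the original question or answers.
// Assumes <FrameworkReference Include="Microsoft.AspNetCore.App" /> in the project file.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Marker requirement (hypothetical name); carries no data of its own.
public sealed class AnonymousOnlyRequirement : IAuthorizationRequirement { }

// Handler registered in DI as IAuthorizationHandler (hypothetical name).
public sealed class AnonymousOnlyHandler : AuthorizationHandler<AnonymousOnlyRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, AnonymousOnlyRequirement requirement)
    {
        // A principal can hold several identities; it is anonymous only if none is authenticated.
        bool isAnonymous = !context.User.Identities.Any(i => i.IsAuthenticated);
        if (isAnonymous)
        {
            context.Succeed(requirement);
        }
        // No Fail() call: an unmet requirement already makes the policy fail, and
        // not failing explicitly leaves room for other handlers of the same requirement.
        return Task.CompletedTask;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging(); // DefaultAuthorizationService needs an ILogger<>
        services.AddSingleton<IAuthorizationHandler, AnonymousOnlyHandler>();

        // AddAuthorizationCore registers the authorization services without the
        // ASP.NET Core middleware, which is enough to evaluate policies directly.
        services.AddAuthorizationCore(options =>
        {
            options.AddPolicy("IsLoggedIn", p => p.RequireAuthenticatedUser());
            options.AddPolicy("IsAnonymousUser", p => p.AddRequirements(new AnonymousOnlyRequirement()));
            // Built-in equivalent of the PermissiveAuthorizationPolicy answer: an
            // assertion that always holds, so every principal passes.
            options.AddPolicy("Permissive", p => p.RequireAssertion(_ => true));
        });

        var auth = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        // Constructed principals. A ClaimsIdentity with no authentication type reports
        // IsAuthenticated == false, which is what an unauthenticated request gets.
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        var loggedIn = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice") }, authenticationType: "Test"));

        foreach (var policyName in new[] { "IsLoggedIn", "IsAnonymousUser", "Permissive" })
        {
            AuthorizationResult forAnonymous = await auth.AuthorizeAsync(anonymous, policyName);
            AuthorizationResult forLoggedIn = await auth.AuthorizeAsync(loggedIn, policyName);
            Console.WriteLine($"{policyName,-15} anonymous={forAnonymous.Succeeded} loggedIn={forLoggedIn.Succeeded}");
        }
    }
}
```

On an endpoint, [Authorize(Policy = "IsAnonymousUser")] turns a failed policy into a Forbid result for a signed-in caller, so it expresses "only anonymous callers", not "anyone may call this"; for the latter, [AllowAnonymous] or a permissive policy is the fit, keeping in mind that [AllowAnonymous] bypasses every other [Authorize] attribute on that endpoint.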