ASP.NET Core 3.0基于角色的授权不起作用

问题描述 投票:0回答:1

我有一个ASP.NET Core 3.0应用。我正在使用基于角色的授权。我的Startup.cs看起来像这样。

public void ConfigureServices(IServiceCollection services)
{
    services.AddRazorPages();
    services.Configure<CookiePolicyOptions>(options =>
    {
        options.CheckConsentNeeded = context => true;
        options.MinimumSameSitePolicy = SameSiteMode.None;
    });

    services.AddAuthentication().AddCookie();
    services.AddAuthorization(options =>
    {
        options.AddPolicy("Admin", authBuilder => { authBuilder.RequireRole("Admin"); });
    });
    services.AddIdentity<SiteUser, IdentityRole>(x =>
    {
        x.Lockout.AllowedForNewUsers = true;
        x.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(2);
        x.Lockout.MaxFailedAccessAttempts = 3;
        x.Password.RequireNonAlphanumeric = true;
        x.Password.RequireUppercase = true;
    }).AddEntityFrameworkStores<SiteDbContext>();
    services.AddDbContext<SiteDbContext>(dbContextOptionBuilder =>
        dbContextOptionBuilder.UseLoggerFactory(ConsoleFactory)
            .UseSqlServer(Configuration.GetConnectionString(ConfigurationSettings.LocalDbKeyName)));
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error/500");
        app.UseStatusCodePagesWithReExecute("/Error/{0}");
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseCookiePolicy();
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseRouting();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
        endpoints.MapControllers();
    });

在我的Controller类中,我具有适当的Authorize属性,例如,

[Authorize(Roles = "Admin")]
public ActionResult Index()
{
    var users= getSomeUsers();
    return View(users);        
}

AspNetRoles表中有2个角色,即管理员和用户。但是,没有管理员角色的用户帐户可以访问“索引”操作方法。它允许任何经过身份验证的用户访问页面,而不是将访问权限限制为具有正确角色(即管理员角色)的用户。我想念什么?

c# asp.net authorization core
1个回答
0
投票

检查您的用户对象是否具有管理员角色。如果您在授权中使用roles属性,则可以从代码中删除此行。

options.AddPolicy("Admin", authBuilder => { authBuilder.RequireRole("Admin"); });

希望这会有所帮助。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.