思路:.NET Core 中认证(鉴权)成功后,表示用户可以登录进来调用网站 API;但哪些 API 可以调用、哪些 API 没有权限,则通过授权(Authorization)来控制。
这里手写几种类型的授权策略:
1:AdminPolicy: 角色必须为admin 的才能访问api
2: MutiPolicy :要求角色必须为admin,且用户名为liping,国家为china 的才能访问api
3: EmailPolicy:要求用户邮箱是qq/gmail 的才能访问api
4:DBPolicy:通过数据库查询,要求用户邮箱为qq 的才能访问api
/// <summary>
/// Registers the four hand-written authorization policies used in this sample
/// (AdminPolicy, MutiPolicy, EmailPolicy, DBPolicy) together with the handlers that
/// evaluate them. Authentication decides whether the caller is signed in; these
/// policies decide which endpoints a signed-in caller may reach.
/// </summary>
public class CustomerAuthorizationConfig
{
    // Policy names as referenced by [Authorize(Policy = "...")] on the controllers.
    private const string AdminPolicyName = "AdminPolicy";
    private const string MutiPolicyName = "MutiPolicy";
    private const string EmailPolicyName = "EmailPolicy";
    private const string DbPolicyName = "DBPolicy";

    /// <summary>
    /// Adds the authorization policies and the <see cref="IAuthorizationHandler"/>
    /// implementations that back the e-mail policy.
    /// </summary>
    /// <param name="services">The application's service collection.</param>
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Caller must hold the "Admin" role.
            options.AddPolicy(AdminPolicyName, builder => builder.RequireRole("Admin"));

            // Caller must hold the "Admin" role, have user name "liping" and carry a
            // Country claim whose first value is exactly "China" (ordinal, case-sensitive).
            options.AddPolicy(MutiPolicyName, builder => builder
                .RequireRole("Admin")
                .RequireUserName("liping")
                .RequireAssertion(IsFromChina));

            // Satisfied when any registered handler for EmailRequirement succeeds
            // (QQ or Gmail mailbox, see the handlers registered below).
            options.AddPolicy(EmailPolicyName, builder => builder.AddRequirements(new EmailRequirement()));

            // DBRequirement is both the requirement and its own handler; it compares the
            // Email claim against the given suffix. No database access is visible here.
            options.AddPolicy(DbPolicyName, builder => builder.AddRequirements(new DBRequirement("@qq.com")));
        });

        // Two handlers for the same EmailRequirement: with the default evaluator the
        // requirement is met as soon as either handler calls Succeed.
        services.AddSingleton<IAuthorizationHandler, GmailHandler>();
        services.AddSingleton<IAuthorizationHandler, QQEmailHandler>();
    }

    /// <summary>
    /// Adds the authorization middleware to the request pipeline.
    /// </summary>
    /// <param name="app">The application pipeline builder.</param>
    /// <param name="env">The hosting environment (unused here).</param>
    public static void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseAuthorization();
    }

    // Same rule as the original inline assertion: only the FIRST Country claim is inspected,
    // and the comparison with "China" is ordinal and case-sensitive.
    private static bool IsFromChina(AuthorizationHandlerContext context)
    {
        var firstCountry = context.User.Claims
            .Where(claim => claim.Type == ClaimTypes.Country)
            .Select(claim => claim.Value)
            .FirstOrDefault();

        return firstCountry == "China";
    }
}
2:邮箱策略:
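/// <summary>
/// Marker requirement for the "EmailPolicy": the signed-in user must carry an
/// <see cref="ClaimTypes.Email"/> claim for a QQ or Gmail mailbox.
/// It carries no data of its own; the accepted suffixes live in the handlers below.
/// </summary>
public class EmailRequirement : IAuthorizationRequirement
{
}

/// <summary>
/// Shared logic for the mailbox handlers: succeeds when any Email claim on the principal
/// ends with the handler's suffix (case-insensitive). It never calls <c>Fail</c>, so
/// <see cref="QQEmailHandler"/> and <see cref="GmailHandler"/> can both be registered for
/// the same requirement and either one satisfying it is enough; a <c>Fail</c> from one
/// handler would veto the other's <c>Succeed</c>.
/// </summary>
public abstract class EmailSuffixHandler : AuthorizationHandler<EmailRequirement>
{
    private readonly string _suffix;

    /// <param name="suffix">Mailbox suffix to accept, including the "@" (e.g. "@qq.com").</param>
    protected EmailSuffixHandler(string suffix)
    {
        _suffix = suffix;
    }

    /// <inheritdoc/>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EmailRequirement requirement)
    {
        // The Email claim is trusted as issued by the authentication scheme; nothing here
        // verifies that the mailbox exists or belongs to the caller.
        if (context.User != null && HasEmailEndingWith(context.User, _suffix))
        {
            context.Succeed(requirement);
        }

        // Deliberately no context.Fail() on the negative path (see class summary).
        return Task.CompletedTask;
    }

    // One pass over the claims replaces the original HasClaim + Where/ToList double scan.
    private static bool HasEmailEndingWith(ClaimsPrincipal user, string suffix) =>
        user.Claims.Any(claim =>
            claim.Type == ClaimTypes.Email
            && claim.Value.EndsWith(suffix, StringComparison.OrdinalIgnoreCase));
}

/// <summary>Accepts users whose e-mail address ends with "@qq.com".</summary>
public class QQEmailHandler : EmailSuffixHandler
{
    public QQEmailHandler() : base("@qq.com")
    {
    }
}

/// <summary>Accepts users whose e-mail address ends with "@gmail.com".</summary>
public class GmailHandler : EmailSuffixHandler
{
    public GmailHandler() : base("@gmail.com")
    {
    }
}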
3:数据库策略
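/// <summary>
/// Requirement for the "DBPolicy" that also acts as its own handler: the signed-in user
/// must carry an <see cref="ClaimTypes.Email"/> claim ending with the configured suffix.
/// Despite the name, this class performs no database access; only the Email claim is
/// inspected. Because it implements <see cref="IAuthorizationRequirement"/> and
/// <see cref="AuthorizationHandler{T}"/> at once, no separate handler registration is needed.
/// </summary>
public class DBRequirement : AuthorizationHandler<DBRequirement>, IAuthorizationRequirement
{
    private const string DefaultEmailEndWith = "@qq.com";

    /// <param name="emailEndWith">Mailbox suffix to accept; null or empty falls back to "@qq.com".</param>
    public DBRequirement(string emailEndWith)
    {
        EmailEndWith = string.IsNullOrEmpty(emailEndWith) ? DefaultEmailEndWith : emailEndWith;
    }

    // Set once in the constructor; no setter, so a requirement cannot change after it
    // has been added to a policy.
    private string EmailEndWith { get; }

    /// <inheritdoc/>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DBRequirement requirement)
    {
        // Read the suffix from the requirement being evaluated rather than from this
        // instance: the base HandleAsync calls this method once per DBRequirement in the
        // policy, so with two requirements carrying different suffixes the original
        // this.EmailEndWith would have judged both with the first instance's suffix.
        var suffix = requirement.EmailEndWith;

        if (context.User != null
            && context.User.Claims.Any(claim =>
                claim.Type == ClaimTypes.Email
                && claim.Value.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)))
        {
            context.Succeed(requirement);
        }

        // No context.Fail() on the negative path: a Fail would veto any other handler's Succeed.
        return Task.CompletedTask;
    }
}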
4:如何调用
/// <summary>
/// Shows how the policies are applied: swap the attribute on <see cref="Info"/> to try
/// each one.
/// </summary>
public class AuthController : Controller
{
    /// <summary>
    /// Landing page. No [Authorize] is applied on this action, so it is reachable
    /// without signing in unless a fallback policy is configured elsewhere.
    /// </summary>
    public IActionResult Index() => View();

    /// <summary>
    /// Page that requires a signed-in user. The commented attributes list the
    /// alternatives covered by this sample; only one is active at a time.
    /// </summary>
    /// <returns>The Info view.</returns>
    //[Authorize(Roles = "Admin,User")]   // caller must be in the Admin or User role
    //[Authorize(Policy = "EmailPolicy")] // caller must satisfy EmailPolicy
    //[Authorize(Policy = "AdminPolicy")] // caller must satisfy AdminPolicy
    //[Authorize(policy: "MutiPolicy")]   // caller must satisfy MutiPolicy
    //[Authorize(policy: "DBPolicy")]     // caller must satisfy DBPolicy
    [Authorize] // any authenticated user
    public IActionResult Info() => View();
}