Security » Authorization » 基于声明的授权
Claims-Based Authorization¶ 基于声明的授权
When an identity is created it may be assigned one or more claims issued by a trusted party. A claim is name value pair that represents what the subject is, not what the subject can do. For example you may have a Drivers License, issued by a local driving license authority. Your driver’s license has your date of birth on it. In this case the claim name would be DateOfBirth
, the claim value would be your date of birth, for example 8th June 1970
and the issuer would be the driving license authority. Claims based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. For example if you want access to a night club the authorization process might be:
当创建一个身份时,它可以被分配一个或多个由受信任方发出的声明。一个声明是一个名称对,代表该主题是什么,而不是主体可以做什么。例如,您可以有一个由当地的驾驶执照管理局签发的驾照。驾照上有你的出生日期。这时声明的命名将会是DateOfBirth,声明的值将会是你的出生日期--例如1970年6月8日,并且发行人将是驾驶执照管理局。基于声明的授权因其极为简单,检查声明的值,并且基于这个值确定是否允许使用。例如,如果你想进入一个夜总会,其授权过程可能是:
The door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access.
门禁安全员将检查你的出生日期,并且根据他们是否信任签发机关进而确定是否允许进入。
An identity can contain multiple claims with multiple values and can contain multiple claims of the same type.
身份可使用多个值来表示包含多个声明,并且可包含多个相同的类型的生命。
Adding claims checks¶ 添加声明检查
Claim based authorization checks are declarative - the developer embeds them within their code, against a controller or an action within a controller, specifying claims which the current user must possess, and optionally the value the claim must hold to access the requested resource. Claims requirements are policy based, the developer must build and register a policy expressing the claims requirements.
基于声明的授权检查是通过声明实现的,开发者将其嵌入控制器或控制器的方法代码中,该声明包含了用户必须拥有的或者可选的声明值,只有满足该条件的用户请求才能进行连接。声明是基于策略的,开发者必须搭建并注册一个声明所需的策略表达式。
The simplest type of claim policy looks for the presence of a claim and does not check the value.
最简单的声明策略仅查找出现的声明,并不检测相应的值。
First you need to build and register the policy. This takes place as part of the Authorization service configuration, which normally takes part in ConfigureServices()
in your Startup.cs file.
首先需要做的是搭建并注册策略。这作为授权服务配置的一部分,一般在Startup.cs文件的ConfigureServices()。
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc(); services.AddAuthorization(options =>
{
options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));
});
}
In this case the EmployeeOnly
policy checks for the presence of an EmployeeNumber
claim on the current identity.
这种情况下,EmployeeOnly策略检查当前的身份是否存在EmployeeNumber声明。
You then apply the policy using the Policy
property on the AuthorizeAttribute
attribute to specify the policy name;
接着,将Policy
特性使用到 AuthorizeAttribute
属性上,来指定策略名称:
[Authorize(Policy = "EmployeeOnly")]
public IActionResult VacationBalance()
{
return View();
}
The AuthorizeAttribute
attribute can be applied to an entire controller, in this instance only identities matching the policy will be allowed access to any Action on the controller.
可将AuthorizeAttribute
属性应用到实体控制器,在这种情况下,只有匹配该策略的身份才被允许使用该控制器的所有方法上。
[Authorize(Policy = "EmployeeOnly")]
public class VacationController : Controller
{
public ActionResult VacationBalance()
{
}
}
If you have a controller that is protected by the AuthorizeAttribute
attribute, but want to allow anonymous access to particular actions you apply the AllowAnonymousAttribute
attribute;
如果有一个被AuthorizeAttribute
属性保护的控制器,但同时想允许匿名用户使用一个特别的方法,你可以应用AllowAnonymousAttribute
属性。
[Authorize(Policy = "EmployeeOnly")]
public class VacationController : Controller
{
public ActionResult VacationBalance()
{
} [AllowAnonymous]
public ActionResult VacationPolicy()
{
}
}
Most claims come with a value. You can specify a list of allowed values when creating the policy. The following example would only succeed for employees whose employee number was 1, 2, 3, 4 or 5.
大多数声明都会使用一个值做为表达。当新建策略时,你可指定一个允许值的列表。下面的例子将实现员工代码为1、2、3、4或5的员工才能成功使用。
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc(); services.AddAuthorization(options =>
{
options.AddPolicy("Founders", policy =>
policy.RequireClaim("EmployeeNumber", "", "", "", "", ""));
}
}
Multiple Policy Evaluation¶ 多策略评估
If you apply multiple policies to a controller or action then all policies must pass before access is granted. For example;
如果在控制器或其中的方法上应用多策略,那么通过所有的策略后才能成功使用。例如:
[Authorize(Policy = "EmployeeOnly")]
public class SalaryController : Controller
{
public ActionResult Payslip()
{
} [Authorize(Policy = "HumanResources")]
public ActionResult UpdateSalary()
{
}
}
In the above example any identity which fulfills the EmployeeOnly
policy can access the Payslip
action as that policy is enforced on the controller. However in order to call the UpdateSalary
action the identity must fulfill both the EmployeeOnly
policy and the HumanResources
policy.
上述例子中,满足EmployeeOnly 策略的身份可以使用Payslip 方法,因为控制器上已经做了强制策略限制。然而,为只有同时满足EmployeeOnly 策略和HumanResources 策略的身份才能调用UpdateSalary 方法。
If you want more complicated policies, such as taking a date of birth claim, calculating an age from it then checking the age is 21 or older then you need to write custom policy handlers.
如果想应用复杂策略,例如声明出生日期时,需要计算年龄并且检查年龄是不是大于等于21岁,这时需要编写custom policy handlers。
Security » Authorization » 基于声明的授权的更多相关文章
- Security » Authorization » 基于资源的授权
Resource Based Authorization¶ 基于资源的授权 68 of 73 people found this helpful Often authorization depends ...
- Security » Authorization » 基于角色的授权
Role based Authorization¶ 基于角色的授权 133 of 153 people found this helpful When an identity is created i ...
- Security » Authorization » 基于视图的授权
View Based Authorization¶ 基于视图的授权 44 of 46 people found this helpful Often a developer will want to ...
- ASP.NET MVC 随想录—— 使用ASP.NET Identity实现基于声明的授权,高级篇
在这篇文章中,我将继续ASP.NET Identity 之旅,这也是ASP.NET Identity 三部曲的最后一篇.在本文中,将为大家介绍ASP.NET Identity 的高级功能,它支持声明式 ...
- Security » Authorization » 基于自定义策略的授权
Custom Policy-Based Authorization¶ 基于自定义策略的授权 98 of 108 people found this helpful Underneath the cov ...
- ASP.NET MVC 随想录——探索ASP.NET Identity 身份验证和基于角色的授权,中级篇
在前一篇文章中,我介绍了ASP.NET Identity 基本API的运用并创建了若干用户账号.那么在本篇文章中,我将继续ASP.NET Identity 之旅,向您展示如何运用ASP.NET Ide ...
- ASP.NET Identity 身份验证和基于角色的授权
ASP.NET Identity 身份验证和基于角色的授权 阅读目录 探索身份验证与授权 使用ASP.NET Identity 身份验证 使用角色进行授权 初始化数据,Seeding 数据库 小结 在 ...
- Asp.Net Core--基于声明的授权
翻译如下: 当创建身份时,其可以被分配由可信方发布的一个或多个声明. 索赔是名称值对,表示主题是什么,而不是主体可以做什么. 例如,您可能有驾驶执照,由当地驾驶执照颁发. 您的驾驶执照上有您的出生日期 ...
- Windows Azure Active Directory (1) 前言 - 基于声明的验证和授权
<Windows Azure Platform 系列文章目录> 在我们介绍整套系统架构之前,我们需要首先定义一些基本的概念. 用户及其属性: 用户值得是要使用某项服务的个体.用户一般都有一 ...
随机推荐
- 关于echarts的疑问
echarts-例子--待解决:模拟迁徙里面的 var planePath = 'path://M1705.06,1318.313v-89.254l-319.9-221.799l0.073-208.0 ...
- iOS:最详细的创建CocoaPods私有库教程
一.感慨 说实话,创建这个CocoaPods私有库,我愣是搞了两个星期,创建的过程中,自己的感情波动是这样的:激情四射---->有点困惑----->极度困惑----->有点失望--- ...
- soap ui 进行接口测试
[前置条件] 1. 电脑上已安装soap UI 5.0 2. 电脑上已安装eclipse. JDK1.6.tomcat 3. eclipse已经成功的配置JDK1.6.tomcat [操作步骤] 1. ...
- C++中的explicit关键字
http://www.cnblogs.com/winnersun/archive/2011/07/16/2108440.html 上面链接中的博主写的很好,我也不多说了.举得例子也很好,应该也是看了E ...
- hdu 1175冒牌连连看
#include <bits/stdc++.h> using namespace std; const int N = 1005; int arr[N][N]; int vis[N][N] ...
- (一) ARM 内存SDRAM 讲解
2.SDRAM内存工作原理 上面产生的误解关于 Bank ,这个bank 不是 和 S3C2440 芯片有关系(RAM 自身有bank , SDRAM 自身也有bank ,就像书 有 好几章节一样) ...
- hibernate中load和get方法的区别
1.读取时机不同(当lazy=true的时候) load是采用延迟机制(load语句不读库,等使用非主键时才去读库),而get不采用延 迟机制(get语句时马上读库): 2.搜索不到数据时的情 ...
- ASP.NET MVC 3 CheckBoxList 的使用
在以前的 ASP.NET MVC 中可以直接使用 CheckBoxList,但后来不知道什么原因在 MVC 中移除了 CheckBoxList,所以默认情况下 ASP.NET MVC 3 中是没有 C ...
- jquery之ajax
语法: $.ajax(url,[settings])/jQuery.ajax(url,[settings]) 返回值:XMLHttpRequest (该函数属于全局jQuery对象(也可理解为静态函数 ...
- degign new theme for Filezilla(Mac OS X)
the theme directory is located at Filezilla.app/Contents/SharedSupport/resources/ the dirs (excludin ...