Claims-Based Authorization 基于声明的授权

142 of 162 people found this helpful

When an identity is created it may be assigned one or more claims issued by a trusted party. A claim is name value pair that represents what the subject is, not what the subject can do. For example you may have a Drivers License, issued by a local driving license authority. Your driver’s license has your date of birth on it. In this case the claim name would be DateOfBirth, the claim value would be your date of birth, for example 8th June 1970 and the issuer would be the driving license authority. Claims based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. For example if you want access to a night club the authorization process might be:

当创建一个身份时,它可以被分配一个或多个由受信任方发出的声明。一个声明是一个名称对,代表该主题是什么,而不是主体可以做什么。例如,您可以有一个由当地的驾驶执照管理局签发的驾照。驾照上有你的出生日期。这时声明的命名将会是DateOfBirth,声明的值将会是你的出生日期--例如1970年6月8日,并且发行人将是驾驶执照管理局。基于声明的授权因其极为简单,检查声明的值,并且基于这个值确定是否允许使用。例如,如果你想进入一个夜总会,其授权过程可能是:

The door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access.

门禁安全员将检查你的出生日期,并且根据他们是否信任签发机关进而确定是否允许进入。

An identity can contain multiple claims with multiple values and can contain multiple claims of the same type.

身份可使用多个值来表示包含多个声明,并且可包含多个相同的类型的生命。

Adding claims checks 添加声明检查

Claim based authorization checks are declarative - the developer embeds them within their code, against a controller or an action within a controller, specifying claims which the current user must possess, and optionally the value the claim must hold to access the requested resource. Claims requirements are policy based, the developer must build and register a policy expressing the claims requirements.

基于声明的授权检查是通过声明实现的,开发者将其嵌入控制器或控制器的方法代码中,该声明包含了用户必须拥有的或者可选的声明值,只有满足该条件的用户请求才能进行连接。声明是基于策略的,开发者必须搭建并注册一个声明所需的策略表达式。

The simplest type of claim policy looks for the presence of a claim and does not check the value.

最简单的声明策略仅查找出现的声明,并不检测相应的值。

First you need to build and register the policy. This takes place as part of the Authorization service configuration, which normally takes part in ConfigureServices() in your Startup.cs file.

首先需要做的是搭建并注册策略。这作为授权服务配置的一部分,一般在Startup.cs文件的ConfigureServices()。

public void ConfigureServices(IServiceCollection services)
{
services.AddMvc(); services.AddAuthorization(options =>
{
options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));
});
}

In this case the EmployeeOnly policy checks for the presence of an EmployeeNumber claim on the current identity.

这种情况下,EmployeeOnly策略检查当前的身份是否存在EmployeeNumber声明。

You then apply the policy using the Policy property on the AuthorizeAttribute attribute to specify the policy name;

接着,将Policy 特性使用到 AuthorizeAttribute 属性上,来指定策略名称:

[Authorize(Policy = "EmployeeOnly")]
public IActionResult VacationBalance()
{
return View();
}

The AuthorizeAttribute attribute can be applied to an entire controller, in this instance only identities matching the policy will be allowed access to any Action on the controller.

可将AuthorizeAttribute属性应用到实体控制器,在这种情况下,只有匹配该策略的身份才被允许使用该控制器的所有方法上。

[Authorize(Policy = "EmployeeOnly")]
public class VacationController : Controller
{
public ActionResult VacationBalance()
{
}
}

If you have a controller that is protected by the AuthorizeAttribute attribute, but want to allow anonymous access to particular actions you apply the AllowAnonymousAttribute attribute;

如果有一个被AuthorizeAttribute 属性保护的控制器,但同时想允许匿名用户使用一个特别的方法,你可以应用AllowAnonymousAttribute 属性。

[Authorize(Policy = "EmployeeOnly")]
public class VacationController : Controller
{
public ActionResult VacationBalance()
{
} [AllowAnonymous]
public ActionResult VacationPolicy()
{
}
}

Most claims come with a value. You can specify a list of allowed values when creating the policy. The following example would only succeed for employees whose employee number was 1, 2, 3, 4 or 5.

大多数声明都会使用一个值做为表达。当新建策略时,你可指定一个允许值的列表。下面的例子将实现员工代码为1、2、3、4或5的员工才能成功使用。

public void ConfigureServices(IServiceCollection services)
{
services.AddMvc(); services.AddAuthorization(options =>
{
options.AddPolicy("Founders", policy =>
policy.RequireClaim("EmployeeNumber", "", "", "", "", ""));
}
}

Multiple Policy Evaluation 多策略评估

If you apply multiple policies to a controller or action then all policies must pass before access is granted. For example;

如果在控制器或其中的方法上应用多策略,那么通过所有的策略后才能成功使用。例如:

[Authorize(Policy = "EmployeeOnly")]
public class SalaryController : Controller
{
public ActionResult Payslip()
{
} [Authorize(Policy = "HumanResources")]
public ActionResult UpdateSalary()
{
}
}

In the above example any identity which fulfills the EmployeeOnly policy can access the Payslip action as that policy is enforced on the controller. However in order to call the UpdateSalary action the identity must fulfill both the EmployeeOnly policy and the HumanResources policy.

上述例子中,满足EmployeeOnly 策略的身份可以使用Payslip 方法,因为控制器上已经做了强制策略限制。然而,为只有同时满足EmployeeOnly 策略和HumanResources 策略的身份才能调用UpdateSalary 方法。

If you want more complicated policies, such as taking a date of birth claim, calculating an age from it then checking the age is 21 or older then you need to write custom policy handlers.

如果想应用复杂策略,例如声明出生日期时,需要计算年龄并且检查年龄是不是大于等于21岁,这时需要编写custom policy handlers

原文链接

Security » Authorization » 基于声明的授权的更多相关文章

  1. Security » Authorization » 基于资源的授权

    Resource Based Authorization¶ 基于资源的授权 68 of 73 people found this helpful Often authorization depends ...

  2. Security » Authorization » 基于角色的授权

    Role based Authorization¶ 基于角色的授权 133 of 153 people found this helpful When an identity is created i ...

  3. Security » Authorization » 基于视图的授权

    View Based Authorization¶ 基于视图的授权 44 of 46 people found this helpful Often a developer will want to ...

  4. ASP.NET MVC 随想录—— 使用ASP.NET Identity实现基于声明的授权,高级篇

    在这篇文章中,我将继续ASP.NET Identity 之旅,这也是ASP.NET Identity 三部曲的最后一篇.在本文中,将为大家介绍ASP.NET Identity 的高级功能,它支持声明式 ...

  5. Security » Authorization » 基于自定义策略的授权

    Custom Policy-Based Authorization¶ 基于自定义策略的授权 98 of 108 people found this helpful Underneath the cov ...

  6. ASP.NET MVC 随想录——探索ASP.NET Identity 身份验证和基于角色的授权,中级篇

    在前一篇文章中,我介绍了ASP.NET Identity 基本API的运用并创建了若干用户账号.那么在本篇文章中,我将继续ASP.NET Identity 之旅,向您展示如何运用ASP.NET Ide ...

  7. ASP.NET Identity 身份验证和基于角色的授权

    ASP.NET Identity 身份验证和基于角色的授权 阅读目录 探索身份验证与授权 使用ASP.NET Identity 身份验证 使用角色进行授权 初始化数据,Seeding 数据库 小结 在 ...

  8. Asp.Net Core--基于声明的授权

    翻译如下: 当创建身份时,其可以被分配由可信方发布的一个或多个声明. 索赔是名称值对,表示主题是什么,而不是主体可以做什么. 例如,您可能有驾驶执照,由当地驾驶执照颁发. 您的驾驶执照上有您的出生日期 ...

  9. Windows Azure Active Directory (1) 前言 - 基于声明的验证和授权

    <Windows Azure Platform 系列文章目录> 在我们介绍整套系统架构之前,我们需要首先定义一些基本的概念. 用户及其属性: 用户值得是要使用某项服务的个体.用户一般都有一 ...

随机推荐

  1. 《Linux内核分析》第七周 读书笔记

    <深入理解计算机系统>CHAPTER7阅读梳理 [学习时间:3hours] [学习内容:链接需要的代码&数据:链接机制:链接生成的目标文件] 一.链接概述 1.链接 定义:链接是将 ...

  2. cordova 打包遇到的一些坑

    最近在打包cordova应用的时候遇到不少坑,还是记录下来,免得以后遇到又浪费时间 1.第一个是图片包含中文文字导致的,找了很久,偶然看到一篇文章,有截图如下,忘了哪篇了,不然甩个链接, ,所以下次编 ...

  3. JS中isPrototypeOf 和hasOwnProperty 的区别

    1.isPrototypeOf isPrototypeOf是用来判断指定对象object1是否存在于另一个对象object2的原型链中,是则返回true,否则返回false. 格式如下: object ...

  4. ubuntu安装eclipse配置jdk环境

    $ sudo mkdir /usr/local/java //在此目录下新建一个文件夹java $ sudo mv 下载/jdk-8u111-linux-i586.tar.gz /usr/local/ ...

  5. java实现求数组中元素第二大的元素

    /** * 找出数组中数第二大的值 * @param array * @date 2016-9-25 * @author shaobn */ public static void getMethod_ ...

  6. Android APK反编译easy 详解

    在学习Android开发的过程你,你往往会去借鉴别人的应用是怎么开发的,那些漂亮的动画和精致的布局可能会让你爱不释手,作为一个开发者,你可能会很想知道这些效果界面是怎么去实现的,这时,你便可以对改应用 ...

  7. 四、Salesforce Styles_1

    1.静态变量的使用:<apex:stylesheet value="{!$Resource.TestStyles}"/>2.<apex:page><s ...

  8. Java调用脚本

    几个参考: java调用shell http://www.cnblogs.com/Seamanm/archive/2010/10/04/1842059.html java程序中调用linux命令    ...

  9. Poj(1251),Prim字符的最小生成树

    题目链接:http://poj.org/problem?id=1251 字符用%s好了,方便一点. #include <stdio.h> #include <string.h> ...

  10. response.setContentType设置

    response.setContentType(MIME)的作用是使客户端浏览器,区分不同种类的数据,并根据不同的MIME调用浏览器内不同的程序嵌入模块来处理相应的数据.例如web浏览器就是通过MIM ...