Security » Authorization » 基于声明的授权
Claims-Based Authorization¶ 基于声明的授权
When an identity is created it may be assigned one or more claims issued by a trusted party. A claim is name value pair that represents what the subject is, not what the subject can do. For example you may have a Drivers License, issued by a local driving license authority. Your driver’s license has your date of birth on it. In this case the claim name would be DateOfBirth
, the claim value would be your date of birth, for example 8th June 1970
and the issuer would be the driving license authority. Claims based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. For example if you want access to a night club the authorization process might be:
当创建一个身份时,它可以被分配一个或多个由受信任方发出的声明。一个声明是一个名称对,代表该主题是什么,而不是主体可以做什么。例如,您可以有一个由当地的驾驶执照管理局签发的驾照。驾照上有你的出生日期。这时声明的命名将会是DateOfBirth,声明的值将会是你的出生日期--例如1970年6月8日,并且发行人将是驾驶执照管理局。基于声明的授权因其极为简单,检查声明的值,并且基于这个值确定是否允许使用。例如,如果你想进入一个夜总会,其授权过程可能是:
The door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access.
门禁安全员将检查你的出生日期,并且根据他们是否信任签发机关进而确定是否允许进入。
An identity can contain multiple claims with multiple values and can contain multiple claims of the same type.
身份可使用多个值来表示包含多个声明,并且可包含多个相同的类型的生命。
Adding claims checks¶ 添加声明检查
Claim based authorization checks are declarative - the developer embeds them within their code, against a controller or an action within a controller, specifying claims which the current user must possess, and optionally the value the claim must hold to access the requested resource. Claims requirements are policy based, the developer must build and register a policy expressing the claims requirements.
基于声明的授权检查是通过声明实现的,开发者将其嵌入控制器或控制器的方法代码中,该声明包含了用户必须拥有的或者可选的声明值,只有满足该条件的用户请求才能进行连接。声明是基于策略的,开发者必须搭建并注册一个声明所需的策略表达式。
The simplest type of claim policy looks for the presence of a claim and does not check the value.
最简单的声明策略仅查找出现的声明,并不检测相应的值。
First you need to build and register the policy. This takes place as part of the Authorization service configuration, which normally takes part in ConfigureServices()
in your Startup.cs file.
首先需要做的是搭建并注册策略。这作为授权服务配置的一部分,一般在Startup.cs文件的ConfigureServices()。
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc(); services.AddAuthorization(options =>
{
options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber"));
});
}
In this case the EmployeeOnly
policy checks for the presence of an EmployeeNumber
claim on the current identity.
这种情况下,EmployeeOnly策略检查当前的身份是否存在EmployeeNumber声明。
You then apply the policy using the Policy
property on the AuthorizeAttribute
attribute to specify the policy name;
接着,将Policy
特性使用到 AuthorizeAttribute
属性上,来指定策略名称:
[Authorize(Policy = "EmployeeOnly")]
public IActionResult VacationBalance()
{
return View();
}
The AuthorizeAttribute
attribute can be applied to an entire controller, in this instance only identities matching the policy will be allowed access to any Action on the controller.
可将AuthorizeAttribute
属性应用到实体控制器,在这种情况下,只有匹配该策略的身份才被允许使用该控制器的所有方法上。
[Authorize(Policy = "EmployeeOnly")]
public class VacationController : Controller
{
public ActionResult VacationBalance()
{
}
}
If you have a controller that is protected by the AuthorizeAttribute
attribute, but want to allow anonymous access to particular actions you apply the AllowAnonymousAttribute
attribute;
如果有一个被AuthorizeAttribute
属性保护的控制器,但同时想允许匿名用户使用一个特别的方法,你可以应用AllowAnonymousAttribute
属性。
[Authorize(Policy = "EmployeeOnly")]
public class VacationController : Controller
{
public ActionResult VacationBalance()
{
} [AllowAnonymous]
public ActionResult VacationPolicy()
{
}
}
Most claims come with a value. You can specify a list of allowed values when creating the policy. The following example would only succeed for employees whose employee number was 1, 2, 3, 4 or 5.
大多数声明都会使用一个值做为表达。当新建策略时,你可指定一个允许值的列表。下面的例子将实现员工代码为1、2、3、4或5的员工才能成功使用。
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc(); services.AddAuthorization(options =>
{
options.AddPolicy("Founders", policy =>
policy.RequireClaim("EmployeeNumber", "", "", "", "", ""));
}
}
Multiple Policy Evaluation¶ 多策略评估
If you apply multiple policies to a controller or action then all policies must pass before access is granted. For example;
如果在控制器或其中的方法上应用多策略,那么通过所有的策略后才能成功使用。例如:
[Authorize(Policy = "EmployeeOnly")]
public class SalaryController : Controller
{
public ActionResult Payslip()
{
} [Authorize(Policy = "HumanResources")]
public ActionResult UpdateSalary()
{
}
}
In the above example any identity which fulfills the EmployeeOnly
policy can access the Payslip
action as that policy is enforced on the controller. However in order to call the UpdateSalary
action the identity must fulfill both the EmployeeOnly
policy and the HumanResources
policy.
上述例子中,满足EmployeeOnly 策略的身份可以使用Payslip 方法,因为控制器上已经做了强制策略限制。然而,为只有同时满足EmployeeOnly 策略和HumanResources 策略的身份才能调用UpdateSalary 方法。
If you want more complicated policies, such as taking a date of birth claim, calculating an age from it then checking the age is 21 or older then you need to write custom policy handlers.
如果想应用复杂策略,例如声明出生日期时,需要计算年龄并且检查年龄是不是大于等于21岁,这时需要编写custom policy handlers。
Security » Authorization » 基于声明的授权的更多相关文章
- Security » Authorization » 基于资源的授权
Resource Based Authorization¶ 基于资源的授权 68 of 73 people found this helpful Often authorization depends ...
- Security » Authorization » 基于角色的授权
Role based Authorization¶ 基于角色的授权 133 of 153 people found this helpful When an identity is created i ...
- Security » Authorization » 基于视图的授权
View Based Authorization¶ 基于视图的授权 44 of 46 people found this helpful Often a developer will want to ...
- ASP.NET MVC 随想录—— 使用ASP.NET Identity实现基于声明的授权,高级篇
在这篇文章中,我将继续ASP.NET Identity 之旅,这也是ASP.NET Identity 三部曲的最后一篇.在本文中,将为大家介绍ASP.NET Identity 的高级功能,它支持声明式 ...
- Security » Authorization » 基于自定义策略的授权
Custom Policy-Based Authorization¶ 基于自定义策略的授权 98 of 108 people found this helpful Underneath the cov ...
- ASP.NET MVC 随想录——探索ASP.NET Identity 身份验证和基于角色的授权,中级篇
在前一篇文章中,我介绍了ASP.NET Identity 基本API的运用并创建了若干用户账号.那么在本篇文章中,我将继续ASP.NET Identity 之旅,向您展示如何运用ASP.NET Ide ...
- ASP.NET Identity 身份验证和基于角色的授权
ASP.NET Identity 身份验证和基于角色的授权 阅读目录 探索身份验证与授权 使用ASP.NET Identity 身份验证 使用角色进行授权 初始化数据,Seeding 数据库 小结 在 ...
- Asp.Net Core--基于声明的授权
翻译如下: 当创建身份时,其可以被分配由可信方发布的一个或多个声明. 索赔是名称值对,表示主题是什么,而不是主体可以做什么. 例如,您可能有驾驶执照,由当地驾驶执照颁发. 您的驾驶执照上有您的出生日期 ...
- Windows Azure Active Directory (1) 前言 - 基于声明的验证和授权
<Windows Azure Platform 系列文章目录> 在我们介绍整套系统架构之前,我们需要首先定义一些基本的概念. 用户及其属性: 用户值得是要使用某项服务的个体.用户一般都有一 ...
随机推荐
- lsof 命令 系统管理 系统监控
lsof(list open files)是一个列出当前系统打开文件的工具.在linux环境下,任何事物都以文件的形式存在,通过文件不仅仅可以访问常规数据,还可以访问网络连接和硬件. 在终端下输入ls ...
- c#中关键词out和ref的区别
c#中关键词out和ref用来表明以传引用的方式传递参数. 区别如下: 如果方法的参数用out标记,表示方法被调用前不需初始化参数,方法内不能读取此参数的值,在方法返回前必须向此参数写入值: 如果方法 ...
- 如何查看JDK以及JAVA框架的源码
如何查看JDK以及JAVA框架的源码 设置步骤如下: 1.点 “window”-> "Preferences" -> "Java" -> &q ...
- 使用curl命令操作elasticsearch
使用curl命令操作elasticsearch 大岩不灿 发表于 2015年4月25日 浏览 7,426 次 第一:_cat系列_cat系列提供了一系列查询elasticsearch集群状态的接口.你 ...
- XML转换为对象操作类详解
//XML转换为对象操作类 //一,XML与Object转换类 using System.IO; using System.Runtime.Serialization.Formatters.Binar ...
- JS对象之间的关系
JS对象类型 JS中,可以将对象分为"内部对象"."宿主对象"和"自定义对象"三种. 1.本地对象 ECMA-262定义为"独立于 ...
- hdu 1175冒牌连连看
#include <bits/stdc++.h> using namespace std; const int N = 1005; int arr[N][N]; int vis[N][N] ...
- jsp 环境配置记录
1. jdk,下载地址1 环境变量配置: 1)新建 JAVA_HOME 变量 . 变量值填写jdk的安装目录(本人是 C:\Java\jdk1.7.0) 2) 系统变量→寻找 Path 变量→编辑 ...
- PAT乙级 1033. 旧键盘打字(20)
1033. 旧键盘打字(20) 时间限制 200 ms 内存限制 65536 kB 代码长度限制 8000 B 判题程序 Standard 作者 CHEN, Yue 旧键盘上坏了几个键,于是在敲一段文 ...
- [转]Struts1.x系列教程(1):用MyEclipse开发第一个Struts程序
转载地址:http://www.blogjava.net/nokiaguy/archive/2009/01/13/251101.html 本系列教程将详细介绍Struts 1.x的基本原理和使用方法, ...