gpt4 book ai didi

c# - Windows Authentication Asp.net core 2 数据库角色授权

转载 作者:太空狗 更新时间:2023-10-30 00:48:03 26 4
gpt4 key购买 nike

我正在开发一个将使用 Asp.Net Core 2.1 和 Windows 身份验证的 Intranet 应用程序。我可以很好地从 IIS 获得传递,但我想使用存储在数据库中的角色进行授权。

我有一个 IClaimsTransformeration 类,它根据 LAN Id 从数据库中获取角色,并使用角色键将它们添加到声明列表中。

public class MyClaimsTransformer : IClaimsTransformation
{
private readonly IUnitOfWorkMtuSecurity _unitOfWork;

public MyClaimsTransformer(IUnitOfWorkMtuSecurity unitOfWork)
{
_unitOfWork = unitOfWork;
}

// Each time HttpContext.AuthenticateAsync() or HttpContext.SignInAsync(...) is called the claims transformer is invoked. So this might be invoked multiple times.
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var identity = principal.Identities.FirstOrDefault(x => x.IsAuthenticated);
if (identity == null) return principal;

//var user = await _userManager.GetUserAsync(principal);
var user = identity.Name;
if (user == null) return principal;

//Get user with roles from repository.
var dbUser = _unitOfWork.UserInformations.GetUserWithRoles(user);

// Inject DbRoles into Claims list
foreach (var role in dbUser.UserInformationUserRoles.Select((r=>r.UserRole)))
{
var claim = new Claim(ClaimTypes.Role, role.Name);
identity.AddClaim(claim);
}

return new ClaimsPrincipal(identity);
}
}

我在 startup.cs 中将 IClaimsTransformation 添加到我的服务

services.AddScoped<IClaimsTransformation, MyClaimsTransformer>();

然后我将属性添加到我的 Controller

[Authorize(Roles = "Administrator")]

当我运行我的应用程序时,出现以下错误:

An unhandled exception occurred while processing the request. InvalidOperationException: No authenticationScheme was specified, and there was no DefaultForbidScheme found. Microsoft.AspNetCore.Authentication.AuthenticationService.ForbidAsync(HttpContext context, string scheme, AuthenticationProperties properties)

在 startup.cs 中,我将以下内容添加到服务中

services.AddAuthentication(IISDefaults.AuthenticationScheme);

这消除了错误,但无论如何我都会收到 403 错误。

You don't have authorization to view this page. HTTP ERROR 403

当我查看 MyClaimsTransformer 的返回值时,我可以看到管理员角色已添加到声明列表中,但无论怎样我都会收到 403 错误。

有人对我缺少的东西有什么建议吗?

如果我在我的 View 中使用以下语法,它在 View 级别起作用:

 @if (User.HasClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "Administrator"))
{
<li><a asp-area="" asp-controller="UserInformationAdmin" asp-action="Index">Admin</a></li>
}

不过我必须指定整个架构 url。

最佳答案

ClaimIdentity 的 RoleClaimType 为“http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid

它必须是“http://schemas.microsoft.com/ws/2008/06/identity/claims/role”的 RoleClaimType

由于这是一个只读属性,我更改了 TransformAsync 方法以创建一个新的 ClaimsPrincipal,而不是尝试将数据库角色添加到现有的声明中。我的应用程序不需要任何 AD 组,因此它只使用 Windows 进行身份验证。下面的代码似乎有效。

public class MyClaimsTransformer : IClaimsTransformation
{
private readonly IUnitOfWorkSecurity _unitOfWork;

public MyClaimsTransformer(IUnitOfWorkSecurity unitOfWork)
{
_unitOfWork = unitOfWork;
}

// Each time HttpContext.AuthenticateAsync() or HttpContext.SignInAsync(...) is called the claims transformer is invoked. So this might be invoked multiple times.
public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
var identity = principal.Identities.FirstOrDefault(x => x.IsAuthenticated);
if (identity == null) return principal;

var user = identity.Name;
if (user == null) return principal;

//Get user with roles from repository.
var dbUser = _unitOfWork.UserInformations.GetUserWithRoles(user);

var claims = new List<Claim>();

//The claim identity uses a claim with the claim type below to determine the name property.
claims.Add(new Claim(@"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", user, "Name"));

//todo: We should probably create a cache for this
// Get User Roles from database and add to list of claims.
foreach (var role in dbUser.UserInformationUserRoles.Select((r=>r.UserRole)))
{
claims.Add(new Claim(ClaimTypes.Role, role.Name));
}

var newClaimsIdentity = new ClaimsIdentity(claims,"Kerberos","", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role");

var newClaimsPrincipal = new ClaimsPrincipal(newClaimsIdentity);

return new ClaimsPrincipal(newClaimsPrincipal);
}
}

关于c# - Windows Authentication Asp.net core 2 数据库角色授权,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50749519/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com