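services.AddAuthorization(options =>
{
    // Built-in requirements. All three must hold (requirements AND together):
    // a role claim "Admin", a name claim "Eleven", and at least one email claim.
    options.AddPolicy("AdminPolicy",
        policyBuilder => policyBuilder
            .RequireRole("Admin")           // role claim with value "Admin"
            .RequireUserName("Eleven")      // name claim must equal "Eleven"
            .RequireClaim(ClaimTypes.Email) // some email claim must be present
    );

    // Custom assertion: any role claim whose value is "Admin".
    // Fix: the original inspected only the FIRST role claim (Claims.First(...).Value),
    // so a user holding e.g. ["User", "Admin"] was wrongly rejected and the check
    // disagreed with RequireRole above. HasClaim(type, value) scans every role claim.
    // (The original line was also corrupted in the listing: "== \"Admin\"" had a URL
    // pasted into the operator.)
    options.AddPolicy("UserPolicy",
        policyBuilder => policyBuilder.RequireAssertion(context =>
            context.User.HasClaim(ClaimTypes.Role, "Admin"))
    );

    // Requirement-based policies: the decision is made by the IAuthorizationHandler
    // registrations below, not by the policy itself.
    // NOTE: "QQEmail" is left unregistered here. An action marked
    // [Authorize(Policy = "QQEmail")] will throw at request time (policy not found)
    // unless this line is enabled and QQEmailRequirement exists.
    //options.AddPolicy("QQEmail", policyBuilder => policyBuilder.Requirements.Add(new QQEmailRequirement()));
    options.AddPolicy("DoubleEmail", policyBuilder => policyBuilder.Requirements.Add(new DoubleEmailRequirement()));
});

// Both handlers target DoubleEmailRequirement. Neither calls context.Fail(), so the
// requirement is satisfied when EITHER handler succeeds ("one of two email domains").
// Singleton lifetime is fine: the handlers hold no per-request state.
services.AddSingleton<IAuthorizationHandler, ZhaoxiMailHandler>();
services.AddSingleton<IAuthorizationHandler, QQMailHandler>();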
上面使用的是框架內置的策略寫法（RequireRole / RequireUserName / RequireClaim / RequireAssertion），但這種方式能表達的規則有限；自定義策略（Requirement + Handler）則靈活得多。
自定義策略時，先定義一個實作 IAuthorizationRequirement 的需求類別（Requirement），再在 AuthorizationHandler&lt;TRequirement&gt; 的 HandleRequirementAsync 中實作判斷規則。下面的例子根據用戶的 Email 宣告進行判斷：郵箱屬於兩種域名之一時，才允許訪問特定頁面或介面。注意 Handler 只在匹配時呼叫 Succeed、不呼叫 Fail，這樣同一需求註冊的多個 Handler 之間才是「任一通過即可」的關係。
/// <summary>
/// Marker requirement for the "DoubleEmail" policy. It carries no data of its own;
/// the whole decision lives in the AuthorizationHandler implementations registered
/// for it. Two handlers target this type (one per accepted email domain), and the
/// requirement is met as soon as either of them calls Succeed.
/// </summary>
public class DoubleEmailRequirement : IAuthorizationRequirement { }
/// <summary>
/// Handler for <see cref="DoubleEmailRequirement"/> that accepts principals whose
/// email claim ends with "@qq.com" (domain compared case-insensitively).
/// It only ever calls Succeed; a non-matching or missing email leaves the
/// requirement untouched so the sibling domain handler can still satisfy it.
/// </summary>
public class QQMailHandler : AuthorizationHandler<DoubleEmailRequirement>
{
    // Domain suffix that satisfies the requirement.
    private const string AllowedDomainSuffix = "@qq.com";

    /// <summary>
    /// Marks <paramref name="requirement"/> satisfied when the user's first email
    /// claim is in the qq.com domain; otherwise returns without changing the context.
    /// </summary>
    /// <param name="context">Authorization context carrying the current principal (may have a null User).</param>
    /// <param name="requirement">The requirement being evaluated.</param>
    /// <returns>A completed task; the outcome is recorded on <paramref name="context"/>.</returns>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DoubleEmailRequirement requirement)
    {
        // One lookup instead of HasClaim + FindFirst; null when User or the claim is absent.
        var emailClaim = context.User?.FindFirst(c => c.Type == ClaimTypes.Email);

        // SECURITY: a suffix check is only as trustworthy as the issuer of the email
        // claim; here the claim is minted server-side at login, not taken from the caller.
        if (emailClaim != null
            && emailClaim.Value.EndsWith(AllowedDomainSuffix, StringComparison.OrdinalIgnoreCase))
        {
            context.Succeed(requirement);
        }

        // Deliberately no context.Fail(): failing here would veto the other
        // email-domain handler registered for the same requirement.
        return Task.CompletedTask;
    }
}
/// <summary>
/// Second handler for <see cref="DoubleEmailRequirement"/>: accepts principals whose
/// email claim ends with "@ZhaoxiEdu.Net" (domain compared case-insensitively).
/// Like its qq.com sibling it never calls Fail, so a non-matching address simply
/// leaves the decision to the other handler.
/// </summary>
public class ZhaoxiMailHandler : AuthorizationHandler<DoubleEmailRequirement>
{
    // Domain suffix that satisfies the requirement.
    private const string AllowedDomainSuffix = "@ZhaoxiEdu.Net";

    /// <summary>
    /// Marks <paramref name="requirement"/> satisfied when the user's first email
    /// claim is in the ZhaoxiEdu.Net domain; otherwise returns without changing the context.
    /// </summary>
    /// <param name="context">Authorization context carrying the current principal (may have a null User).</param>
    /// <param name="requirement">The requirement being evaluated.</param>
    /// <returns>A completed task; the outcome is recorded on <paramref name="context"/>.</returns>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DoubleEmailRequirement requirement)
    {
        // One lookup instead of HasClaim + FindFirst; null when User or the claim is absent.
        var emailClaim = context.User?.FindFirst(c => c.Type == ClaimTypes.Email);

        // SECURITY: a suffix check is only as trustworthy as the issuer of the email
        // claim; here the claim is minted server-side at login, not taken from the caller.
        if (emailClaim != null
            && emailClaim.Value.EndsWith(AllowedDomainSuffix, StringComparison.OrdinalIgnoreCase))
        {
            context.Succeed(requirement);
        }

        // Deliberately no context.Fail(): failing here would veto the other
        // email-domain handler registered for the same requirement.
        return Task.CompletedTask;
    }
}
登錄後，授權時會把用戶票據中的 Claims 與 [Authorize] 指定的策略條件逐一比對；注意這裡的 AuthenticationSchemes = "Cookies" 必須與登錄時簽發票據的 scheme 對應，否則策略根本拿不到用戶資訊。
/// <summary>
/// Page gated by "AdminPolicy": the cookie scheme must authenticate the caller and
/// the principal must carry the Admin role, the name "Eleven" and an email claim.
/// </summary>
/// <returns>The default view for this action.</returns>
[Authorize(AuthenticationSchemes = "Cookies", Policy = "AdminPolicy")]
public IActionResult InfoAdminPolicy() => View();
/// <summary>
/// Page gated by "UserPolicy": the cookie scheme must authenticate the caller and
/// the assertion registered for that policy (a role claim of "Admin") must hold.
/// </summary>
/// <returns>The default view for this action.</returns>
[Authorize(AuthenticationSchemes = "Cookies", Policy = "UserPolicy")]
public IActionResult InfoUserPolicy() => View();
/// <summary>
/// Page gated by a policy named "QQEmail".
/// NOTE(review): in the AddAuthorization block shown above the "QQEmail"
/// registration is commented out; unless it is registered elsewhere, requesting
/// this action throws an InvalidOperationException (policy not found) rather
/// than returning 403.
/// </summary>
/// <returns>The default view for this action.</returns>
[Authorize(AuthenticationSchemes = "Cookies", Policy = "QQEmail")]
public IActionResult InfoQQEmail() => View();
/// <summary>
/// Page gated by "DoubleEmail": the cookie scheme must authenticate the caller and
/// either of the two email-domain handlers (qq.com or ZhaoxiEdu.Net) must succeed.
/// </summary>
/// <returns>The default view for this action.</returns>
[Authorize(AuthenticationSchemes = "Cookies", Policy = "DoubleEmail")]
public IActionResult InfoDoubleEmail() => View();
用戶登錄（簽發 Claims 與認證票據）：
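/// <summary>
/// Demo login endpoint: validates a fixed demo credential and, on success, signs in
/// a principal under the "CustomScheme" scheme carrying a Name and an Email claim.
/// Both outcomes answer with a JSON body of the shape { Result, Message }.
/// </summary>
/// <param name="name">User name supplied by the caller; compared case-insensitively.</param>
/// <param name="password">Password supplied by the caller; null when the parameter is absent.</param>
/// <returns>JSON with Result = true on success, Result = false otherwise.</returns>
[AllowAnonymous]
public async Task<IActionResult> LoginCustomScheme(string name, string password)
{
    // SECURITY: hard-coded demo credential. Real code must look the user up in a store
    // and verify a salted password hash (PBKDF2/Argon2). The action is also reachable
    // by GET (no [HttpPost]), so credentials end up in URLs and access logs; restrict
    // it to POST before reusing this shape.
    //
    // Ordinal comparison on purpose: the original CurrentCultureIgnoreCase compare can
    // treat some code points (e.g. soft hyphen) as ignorable and match unintended input.
    // Fix: the original called password.Equals(...), which threw a NullReferenceException
    // (HTTP 500) when the password parameter was missing; the static overload is null-safe.
    bool credentialsValid =
        string.Equals("ElevenCustomScheme", name, StringComparison.OrdinalIgnoreCase)
        && string.Equals(password, "123456", StringComparison.Ordinal);

    if (!credentialsValid)
    {
        // Same response for unknown user and wrong password: do not reveal which failed.
        return new JsonResult(new
        {
            Result = false,
            Message = "登錄失敗"
        });
    }

    var claimIdentity = new ClaimsIdentity("Custom");
    claimIdentity.AddClaim(new Claim(ClaimTypes.Name, name));
    // NOTE(review): the email literal looks like a scraper redaction ("[email protected]");
    // the source presumably held a real demo address — restore it before use.
    claimIdentity.AddClaim(new Claim(ClaimTypes.Email, "[email protected]"));
    // No role claim is issued, so this principal cannot satisfy AdminPolicy or UserPolicy.
    // The ticket is issued under "CustomScheme" while the [Authorize] actions above demand
    // the "Cookies" scheme; they will only see this ticket if "CustomScheme" is that cookie
    // scheme (or forwards to it) — confirm against the AddAuthentication() setup.
    await base.HttpContext.SignInAsync("CustomScheme", new ClaimsPrincipal(claimIdentity), new AuthenticationProperties
    {
        // Absolute 30-minute ticket lifetime.
        ExpiresUtc = DateTime.UtcNow.AddMinutes(30),
    });

    return new JsonResult(new
    {
        Result = true,
        Message = "登錄成功"
    });
}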
