asp.net core 自定义 Policy 替换 AllowAnonymous 的行为
asp.net core 自定义 policy 替换 allowanonymous 的行为
intro
最近对我们的服务进行了改造,原本内部服务在内部可以匿名调用,现在增加了限制,通过 identity server 来管理 api 和 client,网关和需要访问api的客户端或api服务相互调用通过 client_credencial
的方式来调用,这样一来我们可以清晰知道哪些 api 服务会被哪些 api/client 所调用,而且安全性来说更好。
为了保持后端服务的代码更好的兼容性,希望能够实现相同的代码通过在 startup 里不同的配置实现不同的 authorization 逻辑,原来我们的服务的 authorize
都是以 authorize("policyname")
的形式来写的,这样一来我们只需要修改这个 policy 的授权配置就可以了。对于 allowanonymous 就希望可以通过一种类似的方式来实现,通过自定义一个 policy 来实现自己的逻辑
实现方式
将 action 上的 allowanonymous
替换为 authorize("policyname")
,在没有设置 authorize
的 controller 上增加 authorize("policyname")
public class allowanonymouspolicytransformer : iapplicationmodelconvention { private readonly string _policyname; public allowanonymouspolicytransformer() : this("anonymous") { } public allowanonymouspolicytransformer(string policyname) => _policyname = policyname; public void apply(applicationmodel application) { foreach (var controllermodel in application.controllers) { if (controllermodel.filters.any(_ => _.gettype() == typeof(authorizefilter))) { foreach (var actionmodel in controllermodel.actions) { if (actionmodel.filters.any(_ => _.gettype() == typeof(allowanonymousfilter))) { var allowanonymousfilter = actionmodel.filters.first(_ => _.gettype() == typeof(allowanonymousfilter)); actionmodel.filters.remove(allowanonymousfilter); actionmodel.filters.add(new authorizefilter(_policyname)); } } } else { if (controllermodel.filters.any(_ => _.gettype() == typeof(allowanonymousfilter))) { var allowanonymousfilter = controllermodel.filters.first(_ => _.gettype() == typeof(allowanonymousfilter)); controllermodel.filters.remove(allowanonymousfilter); } controllermodel.filters.add(new authorizefilter(_policyname)); } } } } public static class mvcbuilderextensions { public static imvcbuilder addanonymouspolicytransformer(this imvcbuilder builder) { builder.services.configure<mvcoptions>(options => { options.conventions.insert(0, new allowanonymouspolicytransformer()); }); return builder; } public static imvcbuilder addanonymouspolicytransformer(this imvcbuilder builder, string policyname) { builder.services.configure<mvcoptions>(options => { options.conventions.insert(0, new allowanonymouspolicytransformer(policyname)); }); return builder; } }
controller 中的代码:
[route("api/[controller]")] public class valuescontroller : controller { private readonly ilogger _logger; public valuescontroller(ilogger<valuescontroller> logger) { _logger = logger; } // get api/values [httpget] public actionresult<ienumerable<string>> get() { var msg = $"isauthenticated: {user.identity.isauthenticated} ,username: {user.identity.name}"; _logger.loginformation(msg); return new string[] { msg }; } // get api/values/5 [authorize] [httpget("{id:int}")] public actionresult<string> get(int id) { return "value"; } // ... }
startup 中 configureservices 配置:
var anonymouspolicyname = "anonymous"; services.addauthorization(options => { options.addpolicy(anonymouspolicyname, builder => builder.requireassertion(context => context.user.identity.isauthenticated)); options.defaultpolicy = new authorizationpolicybuilder(headerauthenticationdefaults.authenticationschema) .requireauthenticateduser() .requireassertion(context => context.user.getuserid<int>() > 0) .build(); }); services.addmvc(options => { options.conventions.add(new apicontrollerversionconvention()); }) .addanonymouspolicytransformer(anonymouspolicyname) ;
实现效果
访问原来的匿名接口
userid 为0访问原来的匿名接口
userid 大于0访问原来的匿名接口
userid 为0访问需要登录的接口
userid 大于0访问需要登录的接口
more
注:按照上面的做法已经可以做到自定义 policy 代替 allowanonymous 的行为,但是原来返回的401,现在可能返回到就是 403 了
reference
上一篇: 丁道师带你解读新媒体营销之路
下一篇: 微信公众号怎么判断粉丝的真实性