我有一个基于自定义策略的授权处理程序,如下所示。身份验证是在用户点击此应用程序之前进行的,因此我只需要授权。我收到错误消息:
未指定authenticationScheme,也没有DefaultForbidScheme。
如果授权检查成功,那么我不会收到错误,一切都很好。仅当授权检查失败时,才会发生此错误。我希望失败时会返回401。
public class EasRequirement : IAuthorizationRequirement
{
public EasRequirement(string easBaseAddress, string applicationName, bool bypassAuthorization)
{
_client = GetConfiguredClient(easBaseAddress);
_applicationName = applicationName;
_bypassAuthorization = bypassAuthorization;
}
public async Task<bool> IsAuthorized(ActionContext actionContext)
{
...
}
}
public class EasHandler : AuthorizationHandler<EasRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EasRequirement requirement)
{
var mvcContext = context.Resource as ActionContext;
bool isAuthorized;
try
{
isAuthorized = requirement.IsAuthorized(mvcContext).Result;
}
catch (Exception)
{
// TODO: log the error?
isAuthorized = false;
}
if (isAuthorized)
{
context.Succeed(requirement);
return Task.CompletedTask;
}
context.Fail();
return Task.FromResult(0);
}
}
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
var easBaseAddress = Configuration.GetSection("EasBaseAddress").Value;
var applicationName = Configuration.GetSection("ApplicationName").Value;
var bypassAuthorization = bool.Parse(Configuration.GetSection("BypassEasAuthorization").Value);
var policy = new AuthorizationPolicyBuilder()
.AddRequirements(new EasRequirement(easBaseAddress, applicationName, bypassAuthorization))
.Build();
services.AddAuthorization(options =>
{
options.AddPolicy("EAS", policy);
});
services.AddMvc()
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddSingleton<IAuthorizationHandler, EasHandler>();
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseMvc();
}
}
答案 0 :(得分:5)
授权和身份验证在ASP.NET Core中紧密相连。如果授权失败,它将被传递给身份验证处理程序以处理授权失败。
因此,即使您不需要实际的身份验证来标识用户,您仍将需要设置一些身份验证方案,以处理禁止和挑战结果(403和401)。
为此,您需要调用AddAuthentication()并配置默认的禁止/挑战方案:
services.AddAuthentication(options =>
{
options.DefaultChallengeScheme = "scheme name";
// you can also skip this to make the challenge scheme handle the forbid as well
options.DefaultForbidScheme = "scheme name";
// of course you also need to register that scheme, e.g. using
options.AddScheme<MySchemeHandler>("scheme name", "scheme display name");
});
MySchemeHandler需要实现IAuthenticationHandler,在您的情况下,您尤其需要实现ChallengeAsync和ForbidAsync:
public class MySchemeHandler : IAuthenticationHandler
{
private HttpContext _context;
Task InitializeAsync(AuthenticationScheme scheme, HttpContext context)
{
_context = context;
}
Task<AuthenticateResult> AuthenticateAsync()
=> Task.FromResult(AuthenticateResult.NoResult());
Task ChallengeAsync(AuthenticationProperties properties)
{
// do something
}
Task ForbidAsync(AuthenticationProperties properties);
{
// do something
}
}
答案 1 :(得分:3)
对于IIS / IIS Express,只需在接受的答案中添加此行而不是上面的所有行,即可获得您期望的适当403响应;
long[]