Security » Authorization » 基于声明的授权
Claims-Based Authorization¶ 基于声明的授权
When an identity is created it may be assigned one or more claims issued by a trusted party. A claim is name value pair that represents what the subject is, not what the subject can do. For example you may have a Drivers License, issued by a local driving license authority. Your driver’s license has your date of birth on it. In this case the claim name would be DateOfBirth, the claim value would be your date of birth, for example 8th June 1970 and the issuer would be the driving license authority. Claims based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value. For example if you want access to a night club the authorization process might be:
当创建一个身份时,它可以被分配一个或多个由受信任方发出的声明。一个声明是一个名称对,代表该主题是什么,而不是主体可以做什么。例如,您可以有一个由当地的驾驶执照管理局签发的驾照。驾照上有你的出生日期。这时声明的命名将会是DateOfBirth,声明的值将会是你的出生日期--例如1970年6月8日,并且发行人将是驾驶执照管理局。基于声明的授权因其极为简单,检查声明的值,并且基于这个值确定是否允许使用。例如,如果你想进入一个夜总会,其授权过程可能是:
The door security officer would evaluate the value of your date of birth claim and whether they trust the issuer (the driving license authority) before granting you access.
门禁安全员将检查你的出生日期,并且根据他们是否信任签发机关进而确定是否允许进入。
An identity can contain multiple claims with multiple values and can contain multiple claims of the same type.
身份可使用多个值来表示包含多个声明,并且可包含多个相同的类型的生命。
Adding claims checks¶ 添加声明检查
Claim based authorization checks are declarative - the developer embeds them within their code, against a controller or an action within a controller, specifying claims which the current user must possess, and optionally the value the claim must hold to access the requested resource. Claims requirements are policy based, the developer must build and register a policy expressing the claims requirements.
基于声明的授权检查是通过声明实现的,开发者将其嵌入控制器或控制器的方法代码中,该声明包含了用户必须拥有的或者可选的声明值,只有满足该条件的用户请求才能进行连接。声明是基于策略的,开发者必须搭建并注册一个声明所需的策略表达式。
The simplest type of claim policy looks for the presence of a claim and does not check the value.
最简单的声明策略仅查找出现的声明,并不检测相应的值。
First you need to build and register the policy. This takes place as part of the Authorization service configuration, which normally takes part in ConfigureServices() in your Startup.cs file.
首先需要做的是搭建并注册策略。这作为授权服务配置的一部分,一般在Startup.cs文件的ConfigureServices()。
public void ConfigureServices(IServiceCollection services) { services.AddMvc(); services.AddAuthorization(options => { options.AddPolicy("EmployeeOnly", policy => policy.RequireClaim("EmployeeNumber")); }); }
In this case the EmployeeOnly policy checks for the presence of an EmployeeNumber claim on the current identity.
这种情况下,EmployeeOnly策略检查当前的身份是否存在EmployeeNumber声明。
You then apply the policy using the Policy property on the AuthorizeAttribute attribute to specify the policy name;
接着,将Policy 特性使用到 AuthorizeAttribute 属性上,来指定策略名称:
[Authorize(Policy = "EmployeeOnly")] public IActionResult VacationBalance() { return View(); }
The AuthorizeAttribute attribute can be applied to an entire controller, in this instance only identities matching the policy will be allowed access to any Action on the controller.
可将AuthorizeAttribute属性应用到实体控制器,在这种情况下,只有匹配该策略的身份才被允许使用该控制器的所有方法上。
[Authorize(Policy = "EmployeeOnly")] public class VacationController : Controller { public ActionResult VacationBalance() { } }
If you have a controller that is protected by the AuthorizeAttribute attribute, but want to allow anonymous access to particular actions you apply the AllowAnonymousAttribute attribute;
如果有一个被AuthorizeAttribute 属性保护的控制器,但同时想允许匿名用户使用一个特别的方法,你可以应用AllowAnonymousAttribute 属性。
[Authorize(Policy = "EmployeeOnly")] public class VacationController : Controller { public ActionResult VacationBalance() { } [AllowAnonymous] public ActionResult VacationPolicy() { } }
Most claims come with a value. You can specify a list of allowed values when creating the policy. The following example would only succeed for employees whose employee number was 1, 2, 3, 4 or 5.
大多数声明都会使用一个值做为表达。当新建策略时,你可指定一个允许值的列表。下面的例子将实现员工代码为1、2、3、4或5的员工才能成功使用。
public void ConfigureServices(IServiceCollection services) { services.AddMvc(); services.AddAuthorization(options => { options.AddPolicy("Founders", policy => policy.RequireClaim("EmployeeNumber", "1", "2", "3", "4", "5")); } }
Multiple Policy Evaluation¶ 多策略评估
If you apply multiple policies to a controller or action then all policies must pass before access is granted. For example;
如果在控制器或其中的方法上应用多策略,那么通过所有的策略后才能成功使用。例如:
[Authorize(Policy = "EmployeeOnly")] public class SalaryController : Controller { public ActionResult Payslip() { } [Authorize(Policy = "HumanResources")] public ActionResult UpdateSalary() { } }
In the above example any identity which fulfills the EmployeeOnly policy can access the Payslip action as that policy is enforced on the controller. However in order to call the UpdateSalary action the identity must fulfill both the EmployeeOnly policy and the HumanResources policy.
上述例子中,满足EmployeeOnly 策略的身份可以使用Payslip 方法,因为控制器上已经做了强制策略限制。然而,为只有同时满足EmployeeOnly 策略和HumanResources 策略的身份才能调用UpdateSalary 方法。
If you want more complicated policies, such as taking a date of birth claim, calculating an age from it then checking the age is 21 or older then you need to write custom policy handlers.
如果想应用复杂策略,例如声明出生日期时,需要计算年龄并且检查年龄是不是大于等于21岁,这时需要编写custom policy handlers。
