\n\u5728\u503c\u673a\u67dc\u53f0\u51fa\u793a\u60a8\u7684\u62a4\u7167\u3002\u6536\u5230\u767b\u673a\u724c\u3002<\/li>\n
\n\u51fa\u793a\u767b\u673a\u724c\u8fdb\u5165\u5b89\u68c0\u3002\u901a\u8fc7\u5b89\u68c0\u3002<\/li>\n
\n\u51fa\u793a\u60a8\u7684\u5e38\u65c5\u5ba2\u5361\u8fdb\u5165\u822a\u7a7a\u516c\u53f8\u4f11\u606f\u5ba4\u3002\u8fdb\u5165\u4f11\u606f\u5ba4\u3002<\/li>\n
\n\u51fa\u793a\u60a8\u7684\u767b\u673a\u724c\u767b\u673a\u3002\u8fdb\u5165\u98de\u673a\u3002<\/li>\n<\/ol>\n
Obviously, these steps, also shown in \ufb01gure 24.1, will vary somewhat in real life (I don\u2019t have a frequent-\ufb02yer card!), but we\u2019ll go with them for now. Let\u2019s explore each step a little further.
\n\u663e\u7136\uff0c\u8fd9\u4e9b\u6b65\u9aa4\uff08\u5982\u56fe 24.1 \u6240\u793a\uff09\u5728\u73b0\u5b9e\u751f\u6d3b\u4e2d\u4f1a\u6709\u6240\u4e0d\u540c\uff08\u6211\u6ca1\u6709\u5e38\u65c5\u5ba2\u5361\uff01\uff09\uff0c\u4f46\u6211\u4eec\u73b0\u5728\u5c31\u6765\u4ecb\u7ecd\u4e00\u4e0b\u3002\u8ba9\u6211\u4eec\u8fdb\u4e00\u6b65\u63a2\u8ba8\u6bcf\u4e2a\u6b65\u9aa4\u3002<\/p>\n
![\"alt](\"\/images\/aspnetcoreinaction\/2401-1.jpg\")
\n![\"alt](\"\/images\/aspnetcoreinaction\/2401-2.jpg\")
<\/p>\n
Figure 24.1 When boarding a plane at an airport, you pass through several authorization steps. At each authorization step, you must present a claim in the form of a boarding pass or a frequent-\ufb02yer card. If you\u2019re not authorized, access is denied.
\n\u56fe 24.1 \u5728\u673a\u573a\u767b\u673a\u65f6\uff0c\u60a8\u9700\u8981\u5b8c\u6210\u51e0\u4e2a\u6388\u6743\u6b65\u9aa4\u3002\u5728\u6bcf\u4e2a\u6388\u6743\u6b65\u9aa4\u4e2d\uff0c\u60a8\u5fc5\u987b\u4ee5\u767b\u673a\u724c\u6216\u5e38\u65c5\u5ba2\u5361\u7684\u5f62\u5f0f\u51fa\u793a\u7d22\u8d54\u3002\u5982\u679c\u60a8\u672a\u83b7\u5f97\u6388\u6743\uff0c\u5219\u8bbf\u95ee\u5c06\u88ab\u62d2\u7edd\u3002<\/p>\n
When you arrive at the airport, the \ufb01rst thing you do is go to the check-in counter. Here, you can purchase a plane ticket, but to do so, you need to prove who you are by providing a passport; you authenticate yourself. If you\u2019ve forgotten your passport, you can\u2019t authenticate, and you can\u2019t go any further.
\n\u5f53\u60a8\u5230\u8fbe\u673a\u573a\u65f6\uff0c\u60a8\u505a\u7684\u7b2c\u4e00\u4ef6\u4e8b\u662f\u524d\u5f80\u503c\u673a\u67dc\u53f0\u3002\u5728\u8fd9\u91cc\uff0c\u60a8\u53ef\u4ee5\u8d2d\u4e70\u673a\u7968\uff0c\u4f46\u8981\u8d2d\u4e70\u673a\u7968\uff0c\u60a8\u9700\u8981\u901a\u8fc7\u63d0\u4f9b\u62a4\u7167\u6765\u8bc1\u660e\u60a8\u7684\u8eab\u4efd;\u60a8\u9a8c\u8bc1\u81ea\u5df1\u3002\u5982\u679c\u60a8\u5fd8\u8bb0\u4e86\u62a4\u7167\uff0c\u5219\u65e0\u6cd5\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u4e5f\u65e0\u6cd5\u7ee7\u7eed\u3002<\/p>\n
Once you\u2019ve purchased your ticket, you\u2019re issued a boarding pass, which says which \ufb02ight you\u2019re on. We\u2019ll assume that it also includes a BoardingPassNumber. You can think of this number as an additional claim associated with your identity.
\n\u8d2d\u4e70\u673a\u7968\u540e\uff0c\u60a8\u5c06\u6536\u5230\u4e00\u5f20\u767b\u673a\u724c\uff0c\u4e0a\u9762\u5199\u7740\u60a8\u4e58\u5750\u7684\u822a\u73ed\u3002\u6211\u4eec\u5047\u8bbe\u5b83\u8fd8\u5305\u62ec BoardingPassNumber\u3002\u60a8\u53ef\u4ee5\u5c06\u6b64\u53f7\u7801\u89c6\u4e3a\u4e0e\u60a8\u7684\u8eab\u4efd\u5173\u8054\u7684\u9644\u52a0\u58f0\u660e\u3002<\/p>\n
DEFINITION<\/b> A claim is a piece of information about a user that consists of a type and an optional value.
\n\u5b9a\u4e49:\u58f0\u660e\u662f\u6709\u5173\u7528\u6237\u7684\u4e00\u6761\u4fe1\u606f\uff0c\u7531\u7c7b\u578b\u548c\u53ef\u9009\u503c\u7ec4\u6210\u3002<\/p>\n
The next step is security. The security guards ask you to present your boarding pass for inspection, which they use to check that you have a \ufb02ight and so are allowed deeper into the airport. This is an authorization process: you must have the required claim (a BoardingPassNumber) to proceed.
\n\u4e0b\u4e00\u6b65\u662f\u5b89\u5168\u6027\u3002\u4fdd\u5b89\u8981\u6c42\u60a8\u51fa\u793a\u767b\u673a\u724c\u4ee5\u4f9b\u68c0\u67e5\uff0c\u4ed6\u4eec\u7528\u5b83\u6765\u68c0\u67e5\u60a8\u662f\u5426\u6709\u822a\u73ed\uff0c\u56e0\u6b64\u53ef\u4ee5\u8fdb\u5165\u673a\u573a\u66f4\u6df1\u5904\u3002\u8fd9\u662f\u4e00\u4e2a\u6388\u6743\u8fc7\u7a0b\uff1a\u60a8\u5fc5\u987b\u62e5\u6709\u6240\u9700\u7684\u58f0\u660e \uff08BoardingPassNumber\uff09 \u624d\u80fd\u7ee7\u7eed\u3002<\/p>\n
If you don\u2019t have a valid BoardingPassNumber, there are two possibilities for what happens next:
\n\u5982\u679c\u60a8\u6ca1\u6709\u6709\u6548\u7684 BoardingPassNumber\uff0c\u5219\u63a5\u4e0b\u6765\u6709\u4e24\u79cd\u53ef\u80fd\u7684\u60c5\u51b5\uff1a<\/p>\n
\u2022 If you haven\u2019t yet purchased a ticket\u2014You\u2019ll be directed back to the check-in desk, where you can authenticate and purchase a ticket. At that point, you can try to enter security again.
\n\u5982\u679c\u60a8\u5c1a\u672a\u8d2d\u4e70\u673a\u7968 - \u60a8\u5c06\u88ab\u5f15\u5bfc\u56de\u503c\u673a\u67dc\u53f0\uff0c\u5728\u90a3\u91cc\u60a8\u53ef\u4ee5\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u548c\u8d2d\u4e70\u673a\u7968\u3002\u6b64\u65f6\uff0c\u60a8\u53ef\u4ee5\u5c1d\u8bd5\u518d\u6b21\u8fdb\u5165\u5b89\u68c0\u3002<\/p>\n
\u2022 If you have an invalid ticket\u2014You won\u2019t be allowed through security, and there\u2019s nothing else you can do. If, for example, you show up with a boarding pass a week late for your \ufb02ight, they probably won\u2019t let you through. (Ask me how I know!)
\n\u5982\u679c\u60a8\u7684\u673a\u7968\u65e0\u6548 - \u60a8\u5c06\u4e0d\u88ab\u5141\u8bb8\u901a\u8fc7\u5b89\u68c0\uff0c\u5e76\u4e14\u60a8\u65e0\u80fd\u4e3a\u529b\u3002\u4f8b\u5982\uff0c\u5982\u679c\u60a8\u7684\u822a\u73ed\u767b\u673a\u724c\u665a\u4e86\u4e00\u5468\uff0c\u4ed6\u4eec\u53ef\u80fd\u4e0d\u4f1a\u8ba9\u60a8\u901a\u8fc7\u3002\uff08\u95ee\u6211\u600e\u4e48\u77e5\u9053\u7684\uff01\uff09<\/p>\n
Once you\u2019re through security, you need to wait for your \ufb02ight to start boarding, but unfortunately, there aren\u2019t any seats free. Typical! Luckily, you\u2019re a regular \ufb02yer, and you\u2019ve notched up enough miles to achieve Gold frequent-\ufb02yer status, so you can use the airline lounge.
\n\u901a\u8fc7\u5b89\u68c0\u540e\uff0c\u60a8\u9700\u8981\u7b49\u5f85\u822a\u73ed\u5f00\u59cb\u767b\u673a\uff0c\u4f46\u4e0d\u5e78\u7684\u662f\uff0c\u6ca1\u6709\u4efb\u4f55\u7a7a\u4f4d\u3002\u5178\u578b\uff01\u5e78\u8fd0\u7684\u662f\uff0c\u60a8\u662f\u4e00\u540d\u666e\u901a\u4e58\u5ba2\uff0c\u5e76\u4e14\u60a8\u5df2\u7ecf\u79ef\u7d2f\u4e86\u8db3\u591f\u7684\u91cc\u7a0b\u6765\u83b7\u5f97\u91d1\u5361\u5e38\u65c5\u5ba2\u8eab\u4efd\uff0c\u56e0\u6b64\u60a8\u53ef\u4ee5\u4f7f\u7528\u822a\u7a7a\u516c\u53f8\u4f11\u606f\u5ba4\u3002<\/p>\n
You head to the lounge, where you\u2019re asked to present your Gold frequent-\ufb02yer card to the attendant, and they let you in. This is another example of authorization. You must have a FrequentFlyerClass claim with a value of Gold to proceed.
\n\u60a8\u524d\u5f80\u4f11\u606f\u5ba4\uff0c\u5728\u90a3\u91cc\u60a8\u88ab\u8981\u6c42\u5411\u670d\u52a1\u5458\u51fa\u793a\u60a8\u7684\u9ec4\u91d1\u5e38\u65c5\u5ba2\u5361\uff0c\u4ed6\u4eec\u8ba9\u60a8\u8fdb\u5165\u3002\u8fd9\u662f\u6388\u6743\u7684\u53e6\u4e00\u4e2a\u793a\u4f8b\u3002\u60a8\u5fc5\u987b\u6709\u4e00\u4e2a\u4ef7\u503c\u4e3a Gold \u7684 FrequentFlyerClass \u7d22\u8d54\u624d\u80fd\u7ee7\u7eed\u3002<\/p>\n
NOTE<\/b> You\u2019ve used authorization twice so far in this scenario. Each time, you presented a claim to proceed. In the \ufb01rst case, the presence of any BoardingPassNumber was su\ufb03cient, whereas for the FrequentFlyerClass claim, you needed the speci\ufb01c value of Gold.
\n\u6ce8\u610f\uff1a\u5230\u76ee\u524d\u4e3a\u6b62\uff0c\u5728\u6b64\u65b9\u6848\u4e2d\uff0c\u4f60\u5df2\u4f7f\u7528\u4e24\u6b21\u6388\u6743\u3002\u6bcf\u6b21\uff0c\u60a8\u90fd\u4f1a\u63d0\u51fa\u8981\u7ee7\u7eed\u7684\u7d22\u8d54\u3002\u5728\u7b2c\u4e00\u79cd\u60c5\u51b5\u4e0b\uff0c\u4efb\u4f55 BoardingPassNumber \u7684\u5b58\u5728\u5c31\u8db3\u591f\u4e86\uff0c\u800c\u5bf9\u4e8e FrequentFlyerClass \u58f0\u660e\uff0c\u60a8\u9700\u8981 Gold \u7684\u7279\u5b9a\u503c\u3002<\/p>\n
When you\u2019re boarding the airplane, you have one \ufb01nal authorization step, in which you must present the BoardingPassNumber claim again. You presented this claim earlier, but boarding the aircraft is a distinct action from entering security, so you have to present it again.
\n\u5f53\u60a8\u767b\u673a\u65f6\uff0c\u60a8\u6709\u4e00\u4e2a\u6700\u540e\u7684\u6388\u6743\u6b65\u9aa4\uff0c\u5728\u8be5\u6b65\u9aa4\u4e2d\uff0c\u60a8\u5fc5\u987b\u518d\u6b21\u63d0\u4f9b BoardingPassNumber \u58f0\u660e\u3002\u60a8\u4e4b\u524d\u63d0\u4ea4\u4e86\u6b64\u58f0\u660e\uff0c\u4f46\u767b\u673a\u4e0e\u8fdb\u5165\u5b89\u68c0\u662f\u4e0d\u540c\u7684\u4f5c\uff0c\u56e0\u6b64\u60a8\u5fc5\u987b\u518d\u6b21\u63d0\u4ea4\u3002<\/p>\n
This whole scenario has lots of parallels with requests to a web app:
\n\u6574\u4e2a\u573a\u666f\u4e0e\u5bf9 Web \u5e94\u7528\u7a0b\u5e8f\u7684\u8bf7\u6c42\u6709\u5f88\u591a\u76f8\u4f3c\u4e4b\u5904\uff1a<\/p>\n
\u2022 Both processes start with authentication.
\n\u4e24\u4e2a\u8fc7\u7a0b\u90fd\u4ece\u8eab\u4efd\u9a8c\u8bc1\u5f00\u59cb\u3002
\n\u2022 You must prove who you are to retrieve the claims you need for authorization.
\n\u60a8\u5fc5\u987b\u8bc1\u660e\u60a8\u662f\u8c01\u624d\u80fd\u68c0\u7d22\u6388\u6743\u6240\u9700\u7684\u7d22\u8d54\u3002
\n\u2022 You use authorization to protect sensitive actions like entering security and the airline lounge.
\n\u60a8\u4f7f\u7528\u6388\u6743\u6765\u4fdd\u62a4\u654f\u611f\u4f5c\uff0c\u4f8b\u5982\u8fdb\u5165\u5b89\u68c0\u548c\u822a\u7a7a\u516c\u53f8\u4f11\u606f\u5ba4\u3002<\/p>\n
I\u2019ll reuse this airport scenario throughout the chapter to build a simple web application that simulates the steps you take in an airport. We\u2019ve covered the concept of authorization in general, so in the next section we\u2019ll look at how authorization works in ASP.NET Core. We\u2019ll start with the most basic level of authorization, ensuring that only authenticated users can execute an action, and look at what happens when you try to execute such an action.
\n\u6211\u5c06\u5728\u672c\u7ae0\u4e2d\u91cd\u7528\u8fd9\u4e2a\u673a\u573a\u573a\u666f\u6765\u6784\u5efa\u4e00\u4e2a\u7b80\u5355\u7684 Web \u5e94\u7528\u7a0b\u5e8f\uff0c\u7528\u4e8e\u6a21\u62df\u60a8\u5728\u673a\u573a\u4e2d\u91c7\u53d6\u7684\u6b65\u9aa4\u3002\u6211\u4eec\u5df2\u7ecf\u5927\u81f4\u4ecb\u7ecd\u4e86\u6388\u6743\u7684\u6982\u5ff5\uff0c\u56e0\u6b64\u5728\u4e0b\u4e00\u8282\u4e2d\uff0c\u6211\u4eec\u5c06\u4e86\u89e3\u5982\u4f55\u5728 ASP.NET Core \u4e2d\u5de5\u4f5c\u3002\u6211\u4eec\u5c06\u4ece\u6700\u57fa\u672c\u7684\u6388\u6743\u7ea7\u522b\u5f00\u59cb\uff0c\u786e\u4fdd\u53ea\u6709\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u624d\u80fd\u6267\u884c\u4f5c\uff0c\u5e76\u67e5\u770b\u5f53\u60a8\u5c1d\u8bd5\u6267\u884c\u6b64\u7c7b\u4f5c\u65f6\u4f1a\u53d1\u751f\u4ec0\u4e48\u3002<\/p>\n
24.2 Authorization in ASP.NET Core\u200c<\/h2>\n
24.2 ASP.NET Core \u4e2d\u7684\u6388\u6743<\/p>\n
In this section you\u2019ll see how the authorization principles described in the previous section apply to an ASP.NET Core application. You\u2019ll learn about the role of the [Authorize] attribute and AuthorizationMiddleware in authorizing requests to Razor Pages and MVC actions. Finally, you\u2019ll learn about the process of preventing unauthenticated users from executing endpoints and what happens when users are unauthorized.\u200c
\n\u5728\u672c\u8282\u4e2d\uff0c\u60a8\u5c06\u4e86\u89e3\u4e0a\u4e00\u8282\u4e2d\u63cf\u8ff0\u7684\u6388\u6743\u539f\u5219\u5982\u4f55\u5e94\u7528\u4e8e ASP.NET Core \u5e94\u7528\u7a0b\u5e8f\u3002\u4f60\u5c06\u4e86\u89e3 [Authorize] \u5c5e\u6027\u548c AuthorizationMiddleware \u5728\u6388\u6743\u5bf9 Razor Pages \u548c MVC\u4f5c\u7684\u8bf7\u6c42\u4e2d\u7684\u4f5c\u7528\u3002\u6700\u540e\uff0c\u60a8\u5c06\u4e86\u89e3\u9632\u6b62\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u7ec8\u7aef\u8282\u70b9\u7684\u8fc7\u7a0b\uff0c\u4ee5\u53ca\u5f53\u7528\u6237\u672a\u7ecf\u6388\u6743\u65f6\u4f1a\u53d1\u751f\u4ec0\u4e48\u3002<\/p>\n
The ASP.NET Core framework has authorization built in, so you can use it anywhere in your app, but it\u2019s most common to apply authorization via the AuthorizationMiddleware. The AuthorizationMiddleware should be placed after both the routing middleware and the authentication middleware but before the endpoint middleware, as shown in \ufb01gure 24.2.
\nASP.NET Core \u6846\u67b6\u5185\u7f6e\u4e86\u6388\u6743\uff0c\u56e0\u6b64\u60a8\u53ef\u4ee5\u5728\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u4efb\u4f55\u4f4d\u7f6e\u4f7f\u7528\u5b83\uff0c\u4f46\u6700\u5e38\u89c1\u7684\u662f\u901a\u8fc7 AuthorizationMiddleware \u5e94\u7528\u6388\u6743\u3002AuthorizationMiddleware \u5e94\u8be5\u653e\u5728 routing \u4e2d\u95f4\u4ef6\u548c authentication \u4e2d\u95f4\u4ef6\u4e4b\u540e\uff0c\u4f46\u5728 endpoint middleware \u4e4b\u524d\uff0c\u5982\u56fe 24.2 \u6240\u793a\u3002<\/p>\n
![\"alt](\"\/images\/aspnetcoreinaction\/2402.jpg\")
<\/p>\n
Figure 24.2 Authorization occurs after an endpoint has been selected and after the request is authenticated, but before the action method or Razor Page endpoint is executed.
\n\u56fe 24.2 \u5728\u9009\u62e9\u7ec8\u7ed3\u70b9\u4e4b\u540e\u548c\u5bf9\u8bf7\u6c42\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u4e4b\u540e\uff0c\u4f46\u5728\u6267\u884c\u4f5c\u65b9\u6cd5\u6216 Razor Page \u7ec8\u7ed3\u70b9\u4e4b\u524d\uff0c\u8fdb\u884c\u6388\u6743\u3002<\/p>\n
NOTE<\/b> Remember that in ASP.NET Core, an endpoint refers to the handler selected by the routing middleware, which generates a response when executed. It is typically a Razor Page, a web API controller action method, or a minimal API endpoint handler.
\n\u6ce8\u610f\u8bf7\u8bb0\u4f4f\uff0c\u5728 ASP.NET Core \u4e2d\uff0c\u7ec8\u7aef\u8282\u70b9\u662f\u6307\u8def\u7531\u4e2d\u95f4\u4ef6\u9009\u62e9\u7684\u5904\u7406\u7a0b\u5e8f\uff0c\u8be5\u5904\u7406\u7a0b\u5e8f\u5728\u6267\u884c\u65f6\u751f\u6210\u54cd\u5e94\u3002\u5b83\u901a\u5e38\u662f Razor Page\u3001Web API \u63a7\u5236\u5668\u4f5c\u65b9\u6cd5\u6216\u6700\u5c0f API \u7aef\u70b9\u5904\u7406\u7a0b\u5e8f\u3002<\/p>\n
With this con\ufb01guration, the RoutingMiddleware selects an endpoint to execute based on the request\u2019s URL, such as a Razor Page, as you saw in chapter 14. Metadata about the selected endpoint is available to all middleware that occurs after the routing middleware. This metadata includes details about any authorization requirements for the endpoint, and it\u2019s typically attached by decorating an action or Razor Page with an [Authorize] attribute.
\n\u4f7f\u7528\u6b64\u914d\u7f6e\uff0cRoutingMiddleware \u6839\u636e\u8bf7\u6c42\u7684 URL \u9009\u62e9\u8981\u6267\u884c\u7684\u7ec8\u7ed3\u70b9\uff0c\u4f8b\u5982 Razor Page\uff0c\u5982\u7b2c 14 \u7ae0\u6240\u793a\u3002\u6709\u5173\u6240\u9009\u7ec8\u7aef\u8282\u70b9\u7684\u5143\u6570\u636e\u53ef\u7528\u4e8e\u8def\u7531\u4e2d\u95f4\u4ef6\u4e4b\u540e\u51fa\u73b0\u7684\u6240\u6709\u4e2d\u95f4\u4ef6\u3002\u6b64\u5143\u6570\u636e\u5305\u62ec\u6709\u5173\u7ec8\u7ed3\u70b9\u7684\u4efb\u4f55\u6388\u6743\u8981\u6c42\u7684\u8be6\u7ec6\u4fe1\u606f\uff0c\u901a\u5e38\u901a\u8fc7\u4f7f\u7528 [Authorize] \u5c5e\u6027\u4fee\u9970\u4f5c\u6216 Razor \u9875\u9762\u6765\u9644\u52a0\u3002<\/p>\n
The AuthenticationMiddleware deserializes the encrypted cookie (or bearer token for APIs) associated with the request to create a ClaimsPrincipal. This object is set as the HttpContext.User for the request, so all subsequent middleware can access this value. It contains all the Claims that were added to the cookie when the user authenticated.
\nAuthenticationMiddleware \u53cd\u5e8f\u5217\u5316\u4e0e\u521b\u5efa ClaimsPrincipal \u7684\u8bf7\u6c42\u5173\u8054\u7684\u52a0\u5bc6 Cookie\uff08\u6216 API \u7684\u6301\u6709\u8005\u4ee4\u724c\uff09\u3002\u6b64\u5bf9\u8c61\u8bbe\u7f6e\u4e3a\u8bf7\u6c42\u7684 HttpContext.User\uff0c\u56e0\u6b64\u6240\u6709\u540e\u7eed\u4e2d\u95f4\u4ef6\u90fd\u53ef\u4ee5\u8bbf\u95ee\u6b64\u503c\u3002\u5b83\u5305\u542b\u5728\u7528\u6237\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u65f6\u6dfb\u52a0\u5230 Cookie \u7684\u6240\u6709\u58f0\u660e\u3002<\/p>\n
NOTE<\/b> Remember that the authentication middleware may be placed before the routing middleware when the authentication process is the same for all endpoints.
\n\u6ce8\u610f\uff1a\u8bf7\u8bb0\u4f4f\uff0c\u5f53\u6240\u6709\u7aef\u70b9\u7684\u8eab\u4efd\u9a8c\u8bc1\u8fc7\u7a0b\u90fd\u76f8\u540c\u65f6\uff0c\u53ef\u4ee5\u5c06\u8eab\u4efd\u9a8c\u8bc1\u4e2d\u95f4\u4ef6\u653e\u5728\u8def\u7531\u4e2d\u95f4\u4ef6\u4e4b\u524d\u3002<\/p>\n
Nevertheless, I prefer to place it as shown in \ufb01gure 24.2, after the routing middleware, and always before the authorization middleware.
\n\u5c3d\u7ba1\u5982\u6b64\uff0c\u6211\u66f4\u559c\u6b22\u5c06\u5b83\u5982\u56fe 24.2 \u6240\u793a\uff0c\u653e\u5728 routing middleware \u4e4b\u540e\uff0c\u5e76\u4e14\u603b\u662f\u653e\u5728 authorization middleware \u4e4b\u524d\u3002<\/p>\n
Now we come to the AuthorizationMiddleware. This middleware checks whether the selected endpoint has any authorization requirements, based on the metadata provided by the RoutingMiddleware. If the endpoint has authorization requirements, the AuthorizationMiddleware uses the HttpContext.User to determine whether the current request is authorized to execute the endpoint.
\n\u73b0\u5728\u6211\u4eec\u6765\u770b\u770b AuthorizationMiddleware\u3002\u6b64\u4e2d\u95f4\u4ef6\u6839\u636e RoutingMiddleware \u63d0\u4f9b\u7684\u5143\u6570\u636e\u68c0\u67e5\u6240\u9009\u7aef\u70b9\u662f\u5426\u5177\u6709\u4efb\u4f55\u6388\u6743\u8981\u6c42\u3002\u5982\u679c\u7aef\u70b9\u6709\u6388\u6743\u8981\u6c42\uff0c\u5219 AuthorizationMiddleware \u4f7f\u7528 HttpContext.User \u6765\u786e\u5b9a\u5f53\u524d\u8bf7\u6c42\u662f\u5426\u88ab\u6388\u6743\u6267\u884c\u7aef\u70b9\u3002<\/p>\n
If the request is authorized, the next middleware in the pipeline executes as normal. If the request is not authorized, the AuthorizationMiddleware short-circuits the middleware pipeline, and the endpoint middleware is never executed.
\n\u5982\u679c\u8bf7\u6c42\u83b7\u5f97\u6388\u6743\uff0c\u5219\u7ba1\u9053\u4e2d\u7684\u4e0b\u4e00\u4e2a\u4e2d\u95f4\u4ef6\u5c06\u6b63\u5e38\u6267\u884c\u3002\u5982\u679c\u8bf7\u6c42\u672a\u83b7\u5f97\u6388\u6743\uff0c\u5219 AuthorizationMiddleware \u5c06\u4f7f\u4e2d\u95f4\u4ef6\u7ba1\u9053\u77ed\u8def\uff0c\u5e76\u4e14\u6c38\u8fdc\u4e0d\u4f1a\u6267\u884c\u7aef\u70b9\u4e2d\u95f4\u4ef6\u3002<\/p>\n
NOTE<\/b> The call to UseAuthorization() must always be placed after UseRouting() and UseAuthentication(), but before UseEndpoints(). WebApplication automatically adds all this middleware in the correct order, but if you override the position in the pipeline, such as by calling UseRouting(), you must make sure to maintain this overall order.
\n\u6ce8\u610f\uff1a\u5bf9 UseAuthorization\uff08\uff09 \u7684\u8c03\u7528\u5fc5\u987b\u59cb\u7ec8\u653e\u5728 UseRouting\uff08\uff09 \u548c UseAuthentication\uff08\uff09 \u4e4b\u540e\uff0c\u4f46\u5728 UseEndpoints\uff08\uff09 \u4e4b\u524d\u3002WebApplication \u4f1a\u81ea\u52a8\u4ee5\u6b63\u786e\u7684\u987a\u5e8f\u6dfb\u52a0\u6240\u6709\u8fd9\u4e9b\u4e2d\u95f4\u4ef6\uff0c\u4f46\u662f\u5982\u679c\u4f60\u8986\u76d6\u7ba1\u9053\u4e2d\u7684\u4f4d\u7f6e\uff0c\u4f8b\u5982\u901a\u8fc7\u8c03\u7528 UseRouting\uff08\uff09\uff0c\u5219\u5fc5\u987b\u786e\u4fdd\u4fdd\u6301\u8fd9\u4e2a\u6574\u4f53\u987a\u5e8f\u3002<\/p>\n
The AuthorizationMiddleware is responsible for applying authorization requirements and ensuring that only authorized users can execute protected endpoints. In section you\u2019ll learn how to apply the simplest authorization requirement to an endpoint, and in section 24.2.2 you\u2019ll see how the framework responds when a user is not authorized to execute an endpoint.
\nAuthorizationMiddleware \u8d1f\u8d23\u5e94\u7528\u6388\u6743\u8981\u6c42\u5e76\u786e\u4fdd\u53ea\u6709\u6388\u6743\u7528\u6237\u624d\u80fd\u6267\u884c\u53d7\u4fdd\u62a4\u7684\u7aef\u70b9\u3002\u5728\u90e8\u5206\u60a8\u5c06\u5b66\u4e60\u5982\u4f55\u5c06\u6700\u7b80\u5355\u7684\u6388\u6743\u8981\u6c42\u5e94\u7528\u4e8e Endpoint\uff0c\u5728 Section 24.2.2 \u4e2d\uff0c\u60a8\u5c06\u770b\u5230\u5f53\u7528\u6237\u65e0\u6743\u6267\u884c Endpoint \u65f6\u6846\u67b6\u5982\u4f55\u54cd\u5e94\u3002<\/p>\n
24.2.1 Preventing anonymous users from accessing your application\u200c<\/h3>\n
24.2.1 \u963b\u6b62\u533f\u540d\u7528\u6237\u8bbf\u95ee\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f<\/p>\n
When you think about authorization, you typically think about checking whether a particular user has permission to execute an endpoint. In ASP.NET Core you normally achieve this by checking whether a user has a given claim.
\n\u5728\u8003\u8651\u6388\u6743\u65f6\uff0c\u901a\u5e38\u4f1a\u8003\u8651\u68c0\u67e5\u7279\u5b9a\u7528\u6237\u662f\u5426\u5177\u6709\u6267\u884c\u7ec8\u7aef\u8282\u70b9\u7684\u6743\u9650\u3002\u5728 ASP.NET Core \u4e2d\uff0c\u901a\u5e38\u901a\u8fc7\u68c0\u67e5\u7528\u6237\u662f\u5426\u5177\u6709\u7ed9\u5b9a\u7684\u58f0\u660e\u6765\u5b9e\u73b0\u6b64\u76ee\u7684\u3002<\/p>\n
There\u2019s an even more basic level of authorization we haven\u2019t considered yet: allowing only authenticated users to execute an endpoint. This is even simpler than the claims scenario (which we\u2019ll come to later), as there are only two possibilities:
\n\u8fd8\u6709\u4e00\u4e2a\u66f4\u57fa\u672c\u7684\u6388\u6743\u7ea7\u522b\u6211\u4eec\u8fd8\u6ca1\u6709\u8003\u8651\uff1a\u53ea\u5141\u8bb8\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u7aef\u70b9\u3002\u8fd9\u751a\u81f3\u6bd4 claims \u573a\u666f\uff08\u6211\u4eec\u7a0d\u540e\u4f1a\u4ecb\u7ecd\uff09\u8fd8\u8981\u7b80\u5355\uff0c\u56e0\u4e3a\u53ea\u6709\u4e24\u79cd\u53ef\u80fd\u6027\uff1a<\/p>\n
\u2022 The user is authenticated\u2014The action executes as normal.
\n\u7528\u6237\u5df2\u901a\u8fc7 AUTHENTICATED -\u4f5c\u5c06\u6b63\u5e38\u6267\u884c\u3002
\n\u2022 The user is unauthenticated\u2014The user can\u2019t execute the endpoint.
\n\u7528\u6237\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1 - \u7528\u6237\u65e0\u6cd5\u6267\u884c\u7aef\u70b9\u3002<\/p>\n
You can achieve this basic level of authorization by using the [Authorize] attribute, which you saw in chapter 22 when we discussed authorization \ufb01lters. You can apply this attribute to your actions and Razor Pages, as shown in the following listing, to restrict them to authenticated (logged-in) users only. If an unauthenticated user tries to execute an action or Razor Page protected with the [Authorize] attribute, they\u2019ll be redirected to the login page.
\n\u60a8\u53ef\u4ee5\u4f7f\u7528 [Authorize] \u5c5e\u6027\u6765\u5b9e\u73b0\u6b64\u57fa\u672c\u7ea7\u522b\u7684\u6388\u6743\uff0c\u60a8\u5728\u7b2c 22 \u7ae0\u8ba8\u8bba\u6388\u6743\u8fc7\u6ee4\u5668\u65f6\u770b\u5230\u4e86\u8be5\u5c5e\u6027\u3002\u53ef\u4ee5\u5c06\u6b64\u5c5e\u6027\u5e94\u7528\u4e8e\u4f5c\u548c Razor Pages\uff0c\u5982\u4e0b\u9762\u7684\u6e05\u5355\u6240\u793a\uff0c\u4ee5\u5c06\u5b83\u4eec\u9650\u5236\u4e3a\u4ec5\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff08\u5df2\u767b\u5f55\uff09\u7684\u7528\u6237\u3002\u5982\u679c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u5c1d\u8bd5\u6267\u884c\u53d7 [Authorize] \u5c5e\u6027\u4fdd\u62a4\u7684\u4f5c\u6216 Razor \u9875\u9762\uff0c\u4ed6\u4eec\u5c06\u88ab\u91cd\u5b9a\u5411\u5230\u767b\u5f55\u9875\u9762\u3002<\/p>\n
Listing 24.1 Applying [Authorize] to an action
\n\u6e05\u5355 24.1 \u5c06 [Authorize] \u5e94\u7528\u4e8e\u4f5c<\/p>\n
public class RecipeApiController : ControllerBase\n{\n public IActionResult List() \u2776\n{\nreturn Ok();\n}\n[Authorize] \u2777\npublic IActionResult View() \u2778\n{\nreturn Ok();\n}\n}<\/code><\/pre>\n\u2776 This action can be executed by anyone, even when not logged in.
\n\u4efb\u4f55\u4eba\u90fd\u53ef\u4ee5\u6267\u884c\u6b64\u4f5c\uff0c\u5373\u4f7f\u672a\u767b\u5f55\u3002
\n\u2777 Applies [Authorize] to individual actions, whole controllers, or Razor Pages
\n\u5c06 [\u6388\u6743] \u5e94\u7528\u4e8e\u5355\u4e2a\u4f5c\u3001\u6574\u4e2a\u63a7\u5236\u5668\u6216 Razor \u9875\u9762
\n\u2778 This action can be executed only by authenticated users.
\n\u6b64\u4f5c\u53ea\u80fd\u7531\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u3002<\/p>\n
Applying the [Authorize] attribute to an endpoint attaches metadata to it, indicating that only authenticated users may access the endpoint. As you saw in \ufb01gure 24.2, this metadata is made available to the AuthorizationMiddleware when an endpoint is selected by the RoutingMiddleware.
\n\u5c06 [Authorize] \u5c5e\u6027\u5e94\u7528\u4e8e\u7ec8\u7aef\u8282\u70b9\u4f1a\u5c06\u5143\u6570\u636e\u9644\u52a0\u5230\u8be5\u7ec8\u7aef\u8282\u70b9\uff0c\u6307\u793a\u53ea\u6709\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u624d\u80fd\u8bbf\u95ee\u8be5\u7ec8\u7aef\u8282\u70b9\u3002\u5982\u56fe 24.2 \u6240\u793a\uff0c\u5f53 RoutingMiddleware \u9009\u62e9\u7aef\u70b9\u65f6\uff0c\u6b64\u5143\u6570\u636e\u53ef\u4f9b AuthorizationMiddleware \u4f7f\u7528\u3002<\/p>\n
You can apply the [Authorize] attribute at the action scope, controller scope, Razor Page scope, or globally, as you saw in chapter 21. Any action or Razor Page that has the [Authorize] attribute applied in this way can be executed only by an authenticated user. Unauthenticated users will be redirected to the login page.
\n\u53ef\u4ee5\u5728\u4f5c\u8303\u56f4\u3001\u63a7\u5236\u5668\u8303\u56f4\u3001Razor Page \u8303\u56f4\u6216\u5168\u5c40\u5e94\u7528 [Authorize] \u5c5e\u6027\uff0c\u5982\u7b2c 21 \u7ae0\u6240\u793a\u3002\u4ee5\u8fd9\u79cd\u65b9\u5f0f\u5e94\u7528\u4e86 [Authorize] \u5c5e\u6027\u7684\u4efb\u4f55\u4f5c\u6216 Razor \u9875\u9762\u53ea\u80fd\u7531\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u3002\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u5c06\u88ab\u91cd\u5b9a\u5411\u5230\u767b\u5f55\u9875\u9762\u3002<\/p>\n
TIP<\/b> There are several ways to apply the [Authorize] attribute globally. You can read about the options and when to choose which option on my blog: http:\/\/mng.bz\/opQp<\/a>.
\n\u63d0\u793a\uff1a\u6709\u51e0\u79cd\u65b9\u6cd5\u53ef\u4ee5\u5168\u5c40\u5e94\u7528 [Authorize] \u5c5e\u6027\u3002\u60a8\u53ef\u4ee5\u5728\u6211\u7684\u535a\u5ba2\u4e0a\u9605\u8bfb\u6709\u5173\u9009\u9879\u4ee5\u53ca\u4f55\u65f6\u9009\u62e9\u54ea\u4e2a\u9009\u9879\u7684\u4fe1\u606f\uff1ahttp:\/\/mng.bz\/opQp<\/a>\u3002<\/p>\nSometimes, especially when you apply the [Authorize] attribute globally, you might need to poke holes in this authorization requirement. If you apply the [Authorize] attribute globally, any unauthenticated requests are redirected to the login page for your app. But if the [Authorize] attribute is global, when the login page tries to load, you\u2019ll be unauthenticated and redirected to the login page again. And now you\u2019re stuck in an in\ufb01nite redirect loop.
\n\u6709\u65f6\uff0c\u5c24\u5176\u662f\u5728\u5168\u5c40\u5e94\u7528 [Authorize] \u5c5e\u6027\u65f6\uff0c\u53ef\u80fd\u9700\u8981\u5728\u6b64\u6388\u6743\u8981\u6c42\u4e2d\u6233\u6f0f\u6d1e\u3002\u5982\u679c\u5168\u5c40\u5e94\u7528 [Authorize] \u5c5e\u6027\uff0c\u5219\u4efb\u4f55\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8bf7\u6c42\u90fd\u5c06\u91cd\u5b9a\u5411\u5230\u5e94\u7528\u7684\u767b\u5f55\u9875\u9762\u3002\u4f46\u662f\uff0c\u5982\u679c [Authorize] \u5c5e\u6027\u662f\u5168\u5c40\u5c5e\u6027\uff0c\u5219\u5f53\u767b\u5f55\u9875\u5c1d\u8bd5\u52a0\u8f7d\u65f6\uff0c\u4f60\u5c06\u88ab\u53d6\u6d88\u8eab\u4efd\u9a8c\u8bc1\u5e76\u518d\u6b21\u91cd\u5b9a\u5411\u5230\u767b\u5f55\u9875\u3002\u73b0\u5728\u4f60\u9677\u5165\u4e86\u4e00\u4e2a\u65e0\u9650\u7684\u91cd\u5b9a\u5411\u5faa\u73af\u4e2d\u3002<\/p>\n
To get around this, you can direct speci\ufb01c endpoints to ignore the [Authorize] attribute by applying the [AllowAnonymous] attribute to an action or Razor Page, as shown in the next listing. This allows unauthenticated users to execute the action, so you can avoid the redirect loop that would otherwise result.
\n\u82e5\u8981\u89e3\u51b3\u6b64\u95ee\u9898\uff0c\u53ef\u4ee5\u901a\u8fc7\u5c06 [AllowAnonymous] \u5c5e\u6027\u5e94\u7528\u4e8e\u4f5c\u6216 Razor \u9875\u9762\uff0c\u6307\u793a\u7279\u5b9a\u7ec8\u7ed3\u70b9\u5ffd\u7565 [Authorize] \u5c5e\u6027\uff0c\u5982\u4e0b\u4e00\u4e2a\u5217\u8868\u6240\u793a\u3002\u8fd9\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u4f5c\uff0c\u56e0\u6b64\u60a8\u53ef\u4ee5\u907f\u514d\u5426\u5219\u4f1a\u5bfc\u81f4\u7684\u91cd\u5b9a\u5411\u5faa\u73af\u3002<\/p>\n
Listing 24.2 Applying [AllowAnonymous] to allow unauthenticated access
\n\u6e05\u5355 24.2 \u5e94\u7528 [AllowAnonymous] \u4ee5\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8bbf\u95ee<\/p>\n
[Authorize] \u2776\npublic class AccountController : ControllerBase\n{\npublic IActionResult ManageAccount() \u2777\n{\nreturn Ok();\n}\n[AllowAnonymous] \u2778\npublic IActionResult Login() \u2779\n{\nreturn Ok();\n}\n}<\/code><\/pre>\n\u2776 Applied at the controller scope, so the user must be authenticated for all actions on the controller
\n\u5728\u63a7\u5236\u5668\u8303\u56f4\u5185\u5e94\u7528\uff0c\u56e0\u6b64\u7528\u6237\u5fc5\u987b\u5bf9\u63a7\u5236\u5668\u4e0a\u7684\u6240\u6709\u4f5c\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1
\n\u2777 Only authenticated users may execute ManageAccount.
\n\u53ea\u6709\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u624d\u80fd\u6267\u884c ManageAccount\u3002
\n\u2778 [AllowAnonymous] overrides [Authorize] to allow unauthenticated users.
\n[AllowAnonymous] \u8986\u76d6 [Authorize] \u4ee5\u5141\u8bb8\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u3002
\n\u2779 Login can be executed by anonymous users.
\n\u533f\u540d\u7528\u6237\u53ef\u4ee5\u6267\u884c\u767b\u5f55\u3002<\/p>\n
WARNING<\/b> If you apply the [Authorize] attribute globally, be sure to add the [AllowAnonymous] attribute to your login actions, error actions, password reset actions, and any other actions that you need unauthenticated users to execute. If you\u2019re using the default Identity UI described in chapter 23, this is already con\ufb01gured for you.
\n\u8b66\u544a\uff1a\u5982\u679c\u5168\u5c40\u5e94\u7528 [Authorize] \u5c5e\u6027\uff0c\u8bf7\u786e\u4fdd\u5c06 [AllowAnonymous] \u5c5e\u6027\u6dfb\u52a0\u5230\u767b\u5f55\u4f5c\u3001\u9519\u8bef\u4f5c\u3001\u5bc6\u7801\u91cd\u7f6e\u4f5c\u4ee5\u53ca\u9700\u8981\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u6267\u884c\u7684\u4efb\u4f55\u5176\u4ed6\u4f5c\u3002\u5982\u679c\u60a8\u4f7f\u7528\u7684\u662f\u7b2c 23 \u7ae0\u4e2d\u63cf\u8ff0\u7684\u9ed8\u8ba4\u8eab\u4efd UI\uff0c\u5219\u5df2\u4e3a\u60a8\u914d\u7f6e\u4e86\u6b64 UI\u3002<\/p>\n
If an unauthenticated user attempts to execute an action protected by the [Authorize] attribute, traditional web apps redirect them to the login page. But what about APIs that don\u2019t have a user interface? And what about more complex scenarios, where a user is logged in but doesn\u2019t have the necessary claims to execute an action? In section we\u2019ll look at how the ASP.NET Core authentication services handle all this for you.
\n\u5982\u679c\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u5c1d\u8bd5\u6267\u884c\u53d7 [Authorize] \u5c5e\u6027\u4fdd\u62a4\u7684\u4f5c\uff0c\u5219\u4f20\u7edf Web \u5e94\u7528\u7a0b\u5e8f\u4f1a\u5c06\u5176\u91cd\u5b9a\u5411\u5230\u767b\u5f55\u9875\u9762\u3002\u4f46\u662f\u6ca1\u6709\u7528\u6237\u754c\u9762\u7684 API \u5462\uff1f\u5bf9\u4e8e\u66f4\u590d\u6742\u7684\u60c5\u51b5\uff0c\u5373\u7528\u6237\u5df2\u767b\u5f55\u4f46\u6ca1\u6709\u6267\u884c\u4f5c\u6240\u9700\u7684\u58f0\u660e\uff0c\u8be5\u600e\u4e48\u529e\uff1f\u5728\u90e8\u5206\u6211\u4eec\u5c06\u4e86\u89e3 ASP.NET Core \u8eab\u4efd\u9a8c\u8bc1\u670d\u52a1\u5982\u4f55\u4e3a\u60a8\u5904\u7406\u6240\u6709\u8fd9\u4e9b\u3002<\/p>\n
24.2.2 Handling unauthorized requests\u200c<\/h3>\n
24.2.2 \u5904\u7406\u672a\u7ecf\u6388\u6743\u7684\u8bf7\u6c42<\/p>\n
In the previous section you saw how to apply the [Authorize] attribute to an action to ensure that only authenticated users can execute it. In section 24.3 we\u2019ll look at more complex examples that require you to also have a speci\ufb01c claim. In both cases, you must meet one or more authorization requirements (for example, you must be authenticated) to execute the action.\u200c
\n\u5728\u4e0a\u4e00\u8282\u4e2d\uff0c\u60a8\u4e86\u89e3\u4e86\u5982\u4f55\u5c06 [Authorize] \u5c5e\u6027\u5e94\u7528\u4e8e\u4f5c\uff0c\u4ee5\u786e\u4fdd\u53ea\u6709\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u624d\u80fd\u6267\u884c\u8be5\u4f5c\u3002\u5728 Section 24.3 \u4e2d\uff0c\u6211\u4eec\u5c06\u67e5\u770b\u66f4\u590d\u6742\u7684\u793a\u4f8b\uff0c\u8fd9\u4e9b\u793a\u4f8b\u8981\u6c42\u60a8\u4e5f\u6709\u4e00\u4e2a\u7279\u5b9a\u7684\u58f0\u660e\u3002\u5728\u8fd9\u4e24\u79cd\u60c5\u51b5\u4e0b\uff0c\u60a8\u90fd\u5fc5\u987b\u6ee1\u8db3\u4e00\u4e2a\u6216\u591a\u4e2a\u6388\u6743\u8981\u6c42\uff08\u4f8b\u5982\uff0c\u60a8\u5fc5\u987b\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff09\u624d\u80fd\u6267\u884c\u4f5c\u3002<\/p>\n
If the user meets the authorization requirements, the request passes unimpeded through the AuthorizationMiddleware, and the endpoint is executed in the EndpointMiddleware. If they don\u2019t meet the requirements for the selected endpoint, the AuthorizationMiddleware will short-circuit the request. Depending on why the request failed authorization, the AuthorizationMiddleware generates one of two di\ufb00erent types of responses, as shown in \ufb01gure 24.3:
\n\u5982\u679c\u7528\u6237\u6ee1\u8db3\u6388\u6743\u8981\u6c42\uff0c\u5219\u8bf7\u6c42\u901a\u8fc7 AuthorizationMiddleware \u7545\u901a\u65e0\u963b\uff0c\u7aef\u70b9\u5728 EndpointMiddleware \u4e2d\u6267\u884c\u3002\u5982\u679c\u5b83\u4eec\u4e0d\u6ee1\u8db3\u6240\u9009\u7ec8\u7aef\u8282\u70b9\u7684\u8981\u6c42\uff0c\u5219 AuthorizationMiddleware \u5c06\u4f7f\u8bf7\u6c42\u77ed\u8def\u3002\u6839\u636e\u8bf7\u6c42\u6388\u6743\u5931\u8d25\u7684\u539f\u56e0\uff0c AuthorizationMiddleware \u751f\u6210\u4e24\u79cd\u4e0d\u540c\u7c7b\u578b\u7684\u54cd\u5e94\u4e4b\u4e00\uff0c\u5982\u56fe 24.3 \u6240\u793a\uff1a<\/p>\n
\u2022 Challenge\u2014This response indicates that the user was not authorized to execute the action because they weren\u2019t yet logged in.
\n\u2022 \u8d28\u8be2 - \u6b64\u54cd\u5e94\u8868\u793a\u7528\u6237\u7531\u4e8e\u5c1a\u672a\u767b\u5f55\u800c\u65e0\u6743\u6267\u884c\u4f5c\u3002<\/p>\n
\u2022 Forbid\u2014This response indicates that the user was logged in but didn\u2019t meet the requirements to execute the action. They didn\u2019t have a required claim, for example.
\n\u2022 \u7981\u6b62 - \u6b64\u54cd\u5e94\u8868\u793a\u7528\u6237\u5df2\u767b\u5f55\uff0c\u4f46\u4e0d\u7b26\u5408\u6267\u884c\u4f5c\u7684\u8981\u6c42\u3002\u4f8b\u5982\uff0c\u4ed6\u4eec\u6ca1\u6709\u5fc5\u9700\u7684\u7d22\u8d54\u3002<\/p>\n
![\"alt](\"\/images\/aspnetcoreinaction\/2403.jpg\")
<\/p>\n
Figure 24.3 The three types of response to an authorization attempt. In the left example, the request contains an authentication cookie, so the user is authenticated in the AuthenticationMiddleware. The AuthorizationMiddleware con\ufb01rms that the authenticated user can access the selected endpoint, so the endpoint is executed. In the center example, the request is not authenticated, so the Authorization- Middleware generates a challenge response. In the right example, the request is authenticated, but the user does not have permission to execute the endpoint, so a forbid response is generated.
\n\u56fe 24.3 \u5bf9\u6388\u6743\u5c1d\u8bd5\u7684\u4e09\u79cd\u54cd\u5e94\u7c7b\u578b\u3002\u5728\u5de6\u4fa7\u793a\u4f8b\u4e2d\uff0c\u8bf7\u6c42\u5305\u542b\u4e00\u4e2a\u8eab\u4efd\u9a8c\u8bc1 cookie\uff0c\u56e0\u6b64\u5728 AuthenticationMiddleware \u4e2d\u5bf9\u7528\u6237\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u3002AuthorizationMiddleware \u786e\u8ba4\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u53ef\u4ee5\u8bbf\u95ee\u9009\u5b9a\u7684\u7ec8\u7aef\u8282\u70b9\uff0c\u56e0\u6b64\u5c06\u6267\u884c\u7ec8\u7aef\u8282\u70b9\u3002\u5728\u4e2d\u95f4\u7684\u793a\u4f8b\u4e2d\uff0c\u8bf7\u6c42\u672a\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u56e0\u6b64 Authorization- Middleware \u751f\u6210\u8d28\u8be2\u54cd\u5e94\u3002\u5728\u6b63\u786e\u7684\u793a\u4f8b\u4e2d\uff0c\u8bf7\u6c42\u5df2\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u4f46\u7528\u6237\u6ca1\u6709\u6267\u884c\u7ec8\u7aef\u8282\u70b9\u7684\u6743\u9650\uff0c\u56e0\u6b64\u4f1a\u751f\u6210 forbid \u54cd\u5e94\u3002<\/p>\n
NOTE<\/b> If you apply the [Authorize] attribute in basic form, as you did in section 24.2.1, you will generate only challenge responses. In this case, a challenge response will be generated for unauthenticated users, but authenticated users will always be authorized.
\n\u6ce8\u610f\uff1a\u5982\u679c\u4ee5\u57fa\u672c\u5f62\u5f0f\u5e94\u7528 [Authorize] \u5c5e\u6027\uff0c\u5c31\u50cf\u5728\u7b2c 24.2.1 \u8282\u4e2d\u6240\u505a\u7684\u90a3\u6837\uff0c\u60a8\u5c06\u4ec5\u751f\u6210\u8d28\u8be2\u54cd\u5e94\u3002\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u5c06\u4e3a\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u751f\u6210\u8d28\u8be2\u54cd\u5e94\uff0c\u4f46\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u5c06\u59cb\u7ec8\u83b7\u5f97\u6388\u6743\u3002<\/p>\n
The exact HTTP response generated by a challenge or forbid response typically depends on the type of application you\u2019re building and so the type of authentication your application uses: a traditional web application with Razor Pages, or an API application.
\n\u8d28\u8be2\u6216\u7981\u6b62\u54cd\u5e94\u751f\u6210\u7684\u786e\u5207 HTTP \u54cd\u5e94\u901a\u5e38\u53d6\u51b3\u4e8e\u8981\u6784\u5efa\u7684\u5e94\u7528\u7a0b\u5e8f\u7c7b\u578b\uff0c\u56e0\u6b64\u5e94\u7528\u7a0b\u5e8f\u4f7f\u7528\u7684\u8eab\u4efd\u9a8c\u8bc1\u7c7b\u578b\uff1a\u5177\u6709 Razor Pages \u7684\u4f20\u7edf Web \u5e94\u7528\u7a0b\u5e8f\u6216 API \u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n
For traditional web apps using cookie authentication, such as when you use ASP.NET Core Identity, as in chapter 23, the challenge and forbid responses generate an HTTP redirect to a page in your application. A challenge response indicates the user isn\u2019t yet authenticated, so they\u2019re redirected to the login page for the app. After logging in, they can attempt to execute the protected resource again. A forbid response means the request was from a user that already logged in, but they\u2019re still not allowed to execute the action.
\n\u5bf9\u4e8e\u4f7f\u7528 Cookie \u8eab\u4efd\u9a8c\u8bc1\u7684\u4f20\u7edf Web \u5e94\u7528\u7a0b\u5e8f\uff0c\u4f8b\u5982\u5f53\u60a8\u4f7f\u7528 ASP.NET Core Identity \u65f6\uff08\u5982\u7b2c 23 \u7ae0\u6240\u793a\uff09\uff0cchallenge \u548c forbid \u54cd\u5e94\u4f1a\u751f\u6210\u6307\u5411\u5e94\u7528\u7a0b\u5e8f\u4e2d\u9875\u9762\u7684 HTTP \u91cd\u5b9a\u5411\u3002\u8d28\u8be2\u54cd\u5e94\u6307\u793a\u7528\u6237\u5c1a\u672a\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u56e0\u6b64\u4ed6\u4eec\u5c06\u88ab\u91cd\u5b9a\u5411\u5230\u5e94\u7528\u7a0b\u5e8f\u7684\u767b\u5f55\u9875\u9762\u3002\u767b\u5f55\u540e\uff0c\u4ed6\u4eec\u53ef\u4ee5\u5c1d\u8bd5\u518d\u6b21\u6267\u884c\u53d7\u4fdd\u62a4\u7684\u8d44\u6e90\u3002\u7981\u6b62\u54cd\u5e94\u8868\u793a\u8bf7\u6c42\u6765\u81ea\u5df2\u767b\u5f55\u7684\u7528\u6237\uff0c\u4f46\u4ecd\u4e0d\u5141\u8bb8\u4ed6\u4eec\u6267\u884c\u8be5\u4f5c\u3002<\/p>\n
Consequently, the user is redirected to a \u201cforbidden\u201d or \u201caccess denied\u201d web page, as shown in \ufb01gure 24.4, which informs them they can\u2019t execute the action or Razor Page.
\n\u56e0\u6b64\uff0c\u7528\u6237\u5c06\u88ab\u91cd\u5b9a\u5411\u5230 \u201cforbidden\u201d \u6216 \u201caccess denied\u201d \u7f51\u9875\uff0c\u5982\u56fe 24.4 \u6240\u793a\uff0c\u8be5\u7f51\u9875\u901a\u77e5\u4ed6\u4eec\u65e0\u6cd5\u6267\u884c\u4f5c\u6216 Razor Page\u3002<\/p>\n
![\"alt](\"\/images\/aspnetcoreinaction\/2404.jpg\")
<\/p>\n
Figure 24.4 A forbid response in traditional web apps using cookie authentication. If you don\u2019t have permission to execute a Razor Page and you\u2019re already logged in, you\u2019ll be redirected to an \u201caccess denied\u201d page.
\n\u56fe 24.4 \u4f20\u7edf Web \u5e94\u7528\u7a0b\u5e8f\u4e2d\u4f7f\u7528 cookie \u8eab\u4efd\u9a8c\u8bc1\u7684 forbid \u54cd\u5e94\u3002\u5982\u679c\u60a8\u6ca1\u6709\u6267\u884c Razor \u9875\u9762\u7684\u6743\u9650\uff0c\u5e76\u4e14\u60a8\u5df2\u7ecf\u767b\u5f55\uff0c\u60a8\u5c06\u88ab\u91cd\u5b9a\u5411\u5230\u201c\u62d2\u7edd\u8bbf\u95ee\u201d\u9875\u9762\u3002<\/p>\n
The preceding behavior is standard for traditional web apps, but API apps typically use a di\ufb00erent approach to authentication, as you\u2019ll see in chapter 25. Instead of logging in and using the API directly, you\u2019d typically log in to a third- party application that provides a token to the client-sidesingle-page application (SPA) or mobile app. The client-side app sends this token when it makes a request to your API.
\n\u4e0a\u8ff0\u884c\u4e3a\u662f\u4f20\u7edf Web \u5e94\u7528\u7a0b\u5e8f\u7684\u6807\u51c6\u884c\u4e3a\uff0c\u4f46 API \u5e94\u7528\u7a0b\u5e8f\u901a\u5e38\u4f7f\u7528\u4e0d\u540c\u7684\u8eab\u4efd\u9a8c\u8bc1\u65b9\u6cd5\uff0c\u5982\u7b2c 25 \u7ae0\u6240\u793a\u3002\u60a8\u901a\u5e38\u4e0d\u4f1a\u76f4\u63a5\u767b\u5f55\u5e76\u4f7f\u7528 API\uff0c\u800c\u662f\u767b\u5f55\u5230\u5411\u5ba2\u6237\u7aef\u63d0\u4f9b\u4ee4\u724c\u7684\u7b2c\u4e09\u65b9\u5e94\u7528\u7a0b\u5e8f\u5355\u9875\u5e94\u7528\u7a0b\u5e8f \uff08SPA\uff09 \u6216\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\u5ba2\u6237\u7aef\u5e94\u7528\u7a0b\u5e8f\u5728\u5411 API \u53d1\u51fa\u8bf7\u6c42\u65f6\u53d1\u9001\u6b64\u4ee4\u724c\u3002<\/p>\n
Authenticating a request for an API app is essentially identical to a traditional web app that uses cookies, as you\u2019ll see in chapter 25; AuthenticationMiddleware deserializes the credentials to create the ClaimsPrincipal. The di\ufb00erence is in how an API handles authorization failures.
\n\u5bf9 API \u5e94\u7528\u7a0b\u5e8f\u7684\u8bf7\u6c42\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u4e0e\u4f7f\u7528 cookie \u7684\u4f20\u7edf Web \u5e94\u7528\u7a0b\u5e8f\u57fa\u672c\u76f8\u540c\uff0c\u5982\u7b2c 25 \u7ae0\u6240\u793a;AuthenticationMiddleware \u53cd\u5e8f\u5217\u5316\u51ed\u636e\u4ee5\u521b\u5efa ClaimsPrincipal\u3002\u533a\u522b\u5728\u4e8e API \u5904\u7406\u6388\u6743\u5931\u8d25\u7684\u65b9\u5f0f\u3002<\/p>\n
When an API app generates a challenge response, it returns a 401 Unauthorized error response to the caller. Similarly, when the app generates a forbid response, it returns a 403 Forbidden response. The traditional web app essentially handled these errors by automatically redirecting unauthorized users to the login or \u201caccess denied\u201d page, but the API app doesn\u2019t do this. It\u2019s up to the client-side SPA or mobile app to detect these errors and handle them as appropriate.
\n\u5f53 API \u5e94\u7528\u751f\u6210\u8d28\u8be2\u54cd\u5e94\u65f6\uff0c\u5b83\u4f1a\u5411\u8c03\u7528\u65b9\u8fd4\u56de 401 Unauthorized \u9519\u8bef\u54cd\u5e94\u3002\u540c\u6837\uff0c\u5f53\u5e94\u7528\u7a0b\u5e8f\u751f\u6210 forbid \u54cd\u5e94\u65f6\uff0c\u5b83\u4f1a\u8fd4\u56de 403 Forbidden \u54cd\u5e94\u3002\u4f20\u7edf\u7684 Web \u5e94\u7528\u7a0b\u5e8f\u57fa\u672c\u4e0a\u662f\u901a\u8fc7\u81ea\u52a8\u5c06\u672a\u7ecf\u6388\u6743\u7684\u7528\u6237\u91cd\u5b9a\u5411\u5230\u767b\u5f55\u6216 \u201caccess denied\u201d \u9875\u9762\u6765\u5904\u7406\u8fd9\u4e9b\u9519\u8bef\uff0c\u4f46 API \u5e94\u7528\u7a0b\u5e8f\u4e0d\u4f1a\u8fd9\u6837\u505a\u3002\u5ba2\u6237\u7aef SPA \u6216\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u8d1f\u8d23\u68c0\u6d4b\u8fd9\u4e9b\u9519\u8bef\u5e76\u6839\u636e\u9700\u8981\u5904\u7406\u5b83\u4eec\u3002<\/p>\n
TIP<\/b> This di\ufb00erence in authorization behavior is one of the reasons I generally recommend creating separate apps for your APIs and Razor pages apps; it\u2019s possible to have both in the same app, but the con\ufb01guration is often more complex.
\n\u63d0\u793a\uff1a\u6388\u6743\u884c\u4e3a\u7684\u8fd9\u79cd\u5dee\u5f02\u662f\u6211\u901a\u5e38\u5efa\u8bae\u4e3a\u60a8\u7684 API \u548c Razor \u9875\u9762\u5e94\u7528\u7a0b\u5e8f\u521b\u5efa\u5355\u72ec\u5e94\u7528\u7a0b\u5e8f\u7684\u539f\u56e0\u4e4b\u4e00;\u53ef\u4ee5\u5728\u540c\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u4e2d\u540c\u65f6\u62e5\u6709\u4e24\u8005\uff0c\u4f46\u914d\u7f6e\u901a\u5e38\u66f4\u590d\u6742\u3002<\/p>\n
The di\ufb00erent behavior between traditional web apps and SPAs can be confusing initially, but you generally don\u2019t need to worry about that too much in practice. Whether you\u2019re building an API app or a traditional MVC web app, the authorization code in your app looks the same in both cases.
\n\u4f20\u7edf Web \u5e94\u7528\u7a0b\u5e8f\u548c SPA \u4e4b\u95f4\u7684\u4e0d\u540c\u884c\u4e3a\u6700\u521d\u53ef\u80fd\u4f1a\u4ee4\u4eba\u56f0\u60d1\uff0c\u4f46\u5728\u5b9e\u8df5\u4e2d\uff0c\u60a8\u901a\u5e38\u4e0d\u9700\u8981\u592a\u62c5\u5fc3\u8fd9\u4e00\u70b9\u3002\u65e0\u8bba\u60a8\u662f\u6784\u5efa API \u5e94\u7528\u7a0b\u5e8f\u8fd8\u662f\u4f20\u7edf\u7684 MVC Web \u5e94\u7528\u7a0b\u5e8f\uff0c\u5e94\u7528\u7a0b\u5e8f\u4e2d\u7684\u6388\u6743\u4ee3\u7801\u5728\u8fd9\u4e24\u79cd\u60c5\u51b5\u4e0b\u770b\u8d77\u6765\u90fd\u76f8\u540c\u3002<\/p>\n
Apply [Authorize] attributes to your endpoints, and let the framework take care of the di\ufb00erences for you.
\n\u5c06 [Authorize] \u5c5e\u6027\u5e94\u7528\u4e8e\u60a8\u7684\u7ec8\u7aef\u8282\u70b9\uff0c\u8ba9\u6846\u67b6\u4e3a\u60a8\u5904\u7406\u5dee\u5f02\u3002<\/p>\n
NOTE<\/b> In chapter 23 you saw how to con\ufb01gure ASP.NET Core Identity in a Razor Pages app. This chapter assumes that you\u2019re building a Razor Pages app too, but the chapter is equally applicable if you\u2019re building an API, as you\u2019ll see in chapter 25. Authorization policies are applied in the same way, whichever style of app you\u2019re building. Only the \ufb01nal response of unauthorized requests di\ufb00ers.
\n\u6ce8\u610f\uff1a\u5728\u7b2c 23 \u7ae0\u4e2d\uff0c\u4f60\u4e86\u89e3\u4e86\u5982\u4f55\u5728 Razor Pages \u5e94\u7528\u4e2d\u914d\u7f6e ASP.NET \u6838\u5fc3\u6807\u8bc6\u3002\u672c\u7ae0\u5047\u5b9a\u4f60\u4e5f\u5728\u6784\u5efa Razor Pages \u5e94\u7528\uff0c\u4f46\u5982\u679c\u4f60\u6b63\u5728\u6784\u5efa API\uff0c\u5219\u672c\u7ae0\u540c\u6837\u9002\u7528\uff0c\u5982\u7b2c 25 \u7ae0\u6240\u793a\u3002\u65e0\u8bba\u60a8\u6b63\u5728\u6784\u5efa\u54ea\u79cd\u98ce\u683c\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u6388\u6743\u7b56\u7565\u90fd\u4ee5\u76f8\u540c\u7684\u65b9\u5f0f\u5e94\u7528\u3002\u53ea\u6709\u672a\u6388\u6743\u8bf7\u6c42\u7684\u6700\u7ec8\u54cd\u5e94\u4e0d\u540c\u3002<\/p>\n
You\u2019ve seen how to apply the most basic authorization requirement\u2014restricting an endpoint to authenticated users \u2014but most apps need something more subtle than this all-or- nothing approach. Consider the airport scenario from section 24.1. Being authenticated (having a passport) isn\u2019t enough to get you through security. Instead, you also need a speci\ufb01c claim: BoardingPassNumber. In the next section we\u2019ll look at how you can implement a similar requirement in ASP.NET Core.\u200c
\n\u60a8\u5df2\u7ecf\u4e86\u89e3\u4e86\u5982\u4f55\u5e94\u7528\u6700\u57fa\u672c\u7684\u6388\u6743\u8981\u6c42\uff0c\u5373\u5c06\u7ec8\u7aef\u8282\u70b9\u9650\u5236\u4e3a\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\uff0c\u4f46\u5927\u591a\u6570\u5e94\u7528\u7a0b\u5e8f\u9700\u8981\u6bd4\u8fd9\u79cd\u5168\u6709\u6216\u5168\u65e0\u65b9\u6cd5\u66f4\u5fae\u5999\u7684\u4e1c\u897f\u3002\u8003\u8651 24.1 \u8282\u4e2d\u7684\u673a\u573a\u573a\u666f\u3002\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff08\u62e5\u6709\u62a4\u7167\uff09\u4e0d\u8db3\u4ee5\u8ba9\u60a8\u901a\u8fc7\u5b89\u68c0\u3002\u76f8\u53cd\uff0c\u60a8\u8fd8\u9700\u8981\u4e00\u4e2a\u7279\u5b9a\u7684\u58f0\u660e\uff1aBoardingPassNumber\u3002\u5728\u4e0b\u4e00\u8282\u4e2d\uff0c\u6211\u4eec\u5c06\u4e86\u89e3\u5982\u4f55\u5728 ASP.NET Core \u4e2d\u5b9e\u73b0\u7c7b\u4f3c\u7684\u8981\u6c42\u3002<\/p>\n
24.3 Using policies for claims- based authorization\u200c<\/h2>\n
24.3 \u4f7f\u7528\u7b56\u7565\u8fdb\u884c\u57fa\u4e8e\u58f0\u660e\u7684\u6388\u6743<\/p>\n
In the previous section, you saw how to require that users be logged in to access an endpoint. In this section you\u2019ll see how to apply additional requirements. You\u2019ll learn to use authorization policies to perform claims-based authorization to require that a logged-in user have the required claims to execute a given endpoint.
\n\u5728\u4e0a\u4e00\u8282\u4e2d\uff0c\u60a8\u4e86\u89e3\u4e86\u5982\u4f55\u8981\u6c42\u7528\u6237\u767b\u5f55\u624d\u80fd\u8bbf\u95ee\u7ec8\u7aef\u8282\u70b9\u3002\u5728\u672c\u8282\u4e2d\uff0c\u60a8\u5c06\u4e86\u89e3\u5982\u4f55\u5e94\u7528\u5176\u4ed6\u8981\u6c42\u3002\u60a8\u5c06\u5b66\u4e60\u5982\u4f55\u4f7f\u7528\u6388\u6743\u7b56\u7565\u6765\u6267\u884c\u57fa\u4e8e\u58f0\u660e\u7684\u6388\u6743\uff0c\u4ee5\u8981\u6c42\u767b\u5f55\u7528\u6237\u5177\u6709\u6267\u884c\u7ed9\u5b9a\u7ec8\u7aef\u8282\u70b9\u6240\u9700\u7684\u58f0\u660e\u3002<\/p>\n
In chapter 23 you saw that authentication in ASP.NET Core centers on a ClaimsPrincipal object, which represents the user. This object has a collection of claims that contain pieces of information about the user, such as their name, email, and date of birth.
\n\u5728\u7b2c 23 \u7ae0\u4e2d\uff0c\u60a8\u770b\u5230 ASP.NET Core \u4e2d\u7684\u8eab\u4efd\u9a8c\u8bc1\u4ee5\u8868\u793a\u7528\u6237\u7684 ClaimsPrincipal \u5bf9\u8c61\u4e3a\u4e2d\u5fc3\u3002\u6b64\u5bf9\u8c61\u5177\u6709\u4e00\u7ec4\u58f0\u660e\uff0c\u5176\u4e2d\u5305\u542b\u6709\u5173\u7528\u6237\u7684\u4fe1\u606f\u7247\u6bb5\uff0c\u4f8b\u5982\u5176\u59d3\u540d\u3001\u7535\u5b50\u90ae\u4ef6\u548c\u51fa\u751f\u65e5\u671f\u3002<\/p>\n
You can use this information to customize the app for each user, by displaying a welcome message addressing the user by name, for example, but you can also use claims for authorization. For example, you might authorize a user only if they have a speci\ufb01c claim (such as BoardingPassNumber) or if a claim has a speci\ufb01c value (FrequentFlyerClass claim with the value Gold).
\n\u60a8\u53ef\u4ee5\u4f7f\u7528\u6b64\u4fe1\u606f\u4e3a\u6bcf\u4e2a\u7528\u6237\u81ea\u5b9a\u4e49\u5e94\u7528\u7a0b\u5e8f\uff0c\u4f8b\u5982\uff0c\u901a\u8fc7\u663e\u793a\u6309\u540d\u79f0\u79f0\u547c\u7528\u6237\u7684\u6b22\u8fce\u6d88\u606f\uff0c\u4f46\u60a8\u4e5f\u53ef\u4ee5\u4f7f\u7528\u58f0\u660e\u8fdb\u884c\u6388\u6743\u3002\u4f8b\u5982\uff0c\u4ec5\u5f53\u7528\u6237\u5177\u6709\u7279\u5b9a\u58f0\u660e\uff08\u5982 BoardingPassNumber\uff09\u6216\u58f0\u660e\u5177\u6709\u7279\u5b9a\u503c\uff08\u503c\u4e3a Gold \u7684 FrequentFlyerClass \u58f0\u660e\uff09\u65f6\uff0c\u4f60\u624d\u53ef\u4ee5\u6388\u6743\u7528\u6237\u3002<\/p>\n
In ASP.NET Core the rules that de\ufb01ne whether a user is authorized are encapsulated in a policy.
\n\u5728 ASP.NET Core \u4e2d\uff0c\u5b9a\u4e49\u7528\u6237\u662f\u5426\u83b7\u5f97\u6388\u6743\u7684\u89c4\u5219\u5c01\u88c5\u5728\u7b56\u7565\u4e2d\u3002<\/p>\n
DEFINITION<\/b> A policy de\ufb01nes the requirements you must meet for a request to be authorized.
\n\u5b9a\u4e49\uff1a\u7b56\u7565\u5b9a\u4e49\u8981\u6388\u6743\u8bf7\u6c42\u5fc5\u987b\u6ee1\u8db3\u7684\u8981\u6c42\u3002<\/p>\n
Policies can be applied to an endpoint using the [Authorize] attribute, similar to the way you saw in section 24.2.1. This listing shows a Razor Page PageModel that represents the \ufb01rst authorization step in the airport scenario. The AirportSecurity.cshtml Razor Page is protected by an [Authorize] attribute, but you\u2019ve also provided a policy name, "CanEnterSecurity", as shown in the following listing.
\n\u53ef\u4ee5\u4f7f\u7528 [Authorize] \u5c5e\u6027\u5c06\u7b56\u7565\u5e94\u7528\u4e8e\u7ec8\u7aef\u8282\u70b9\uff0c\u7c7b\u4f3c\u4e8e\u60a8\u5728\u7b2c 24.2.1 \u8282\u4e2d\u770b\u5230\u7684\u65b9\u5f0f\u3002\u6b64\u5217\u8868\u663e\u793a\u4e86\u4e00\u4e2a Razor Page PageModel\uff0c\u5b83\u8868\u793a airport \u573a\u666f\u4e2d\u7684\u7b2c\u4e00\u4e2a\u6388\u6743\u6b65\u9aa4\u3002AirportSecurity.cshtml Razor \u9875\u9762\u53d7 [Authorize] \u5c5e\u6027\u4fdd\u62a4\uff0c\u4f46\u4f60\u8fd8\u63d0\u4f9b\u4e86\u7b56\u7565\u540d\u79f0\u201cCanEnterSecurity\u201d\uff0c\u5982\u4ee5\u4e0b\u5217\u8868\u6240\u793a\u3002<\/p>\n
Listing 24.3 Applying an authorization policy to a Razor Page
\n\u6e05\u5355 24.3 \u5c06\u6388\u6743\u7b56\u7565\u5e94\u7528\u4e8e Razor \u9875\u9762<\/p>\n
[Authorize("CanEnterSecurity")] \u2776\npublic class AirportSecurityModel : PageModel\n{\npublic void OnGet() \u2777\n{\n}\n}<\/code><\/pre>\n\u2776 Applying the \u201cCanEnterSecurity\u201d policy using [Authorize]
\n\u4f7f\u7528 [Authorize]\u5e94\u7528\u201cCanEnterSecurity\u201d\u7b56\u7565 <\/p>\n
\u2777 Only users that satisfy the \u201cCanEnterSecurity\u201d policy can execute the Razor Page.
\n\u53ea\u6709\u6ee1\u8db3\u201cCanEnterSecurity\u201d\u7b56\u7565\u7684\u7528\u6237\u624d\u80fd\u6267\u884c Razor \u9875\u9762\u3002<\/p>\n
If a user attempts to execute the AirportSecurity.cshtml Razor Page, the authorization middleware veri\ufb01es whether the user satis\ufb01es the policy\u2019s requirements (we\u2019ll look at the policy itself shortly). This gives one of three possible outcomes:
\n\u5982\u679c\u7528\u6237\u5c1d\u8bd5\u6267\u884c AirportSecurity.cshtml Razor \u9875\u9762\uff0c\u6388\u6743\u4e2d\u95f4\u4ef6\u4f1a\u9a8c\u8bc1\u7528\u6237\u662f\u5426\u6ee1\u8db3\u7b56\u7565\u7684\u8981\u6c42\uff08\u6211\u4eec\u7a0d\u540e\u5c06\u4ecb\u7ecd\u7b56\u7565\u672c\u8eab\uff09\u3002\u8fd9\u5c06\u7ed9\u51fa\u4ee5\u4e0b\u4e09\u79cd\u53ef\u80fd\u7684\u7ed3\u679c\u4e4b\u4e00\uff1a<\/p>\n
\u2022 The user satis\ufb01es the policy\u2014The middleware pipeline continues, and the EndpointMiddleware executes the Razor Page as normal.
\n\u7528\u6237\u6ee1\u8db3\u7b56\u7565 - \u4e2d\u95f4\u4ef6\u7ba1\u9053\u7ee7\u7eed\uff0c\u5e76\u4e14 EndpointMiddleware \u7167\u5e38\u6267\u884c Razor Page\u3002<\/p>\n
\u2022 The user is unauthenticated\u2014The user is redirected to the login page.
\n\u7528\u6237\u672a\u901a\u8fc7 IF - \u7528\u6237\u88ab\u91cd\u5b9a\u5411\u5230\u767b\u5f55\u9875\u9762\u3002<\/p>\n
\u2022 The user is authenticated but doesn\u2019t satisfy the policy\u2014The user is redirected to a \u201cforbidden\u201d or \u201caccess denied\u201d page.
\n\u7528\u6237\u5df2\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\uff0c\u4f46\u4e0d\u6ee1\u8db3\u7b56\u7565 - \u7528\u6237\u88ab\u91cd\u5b9a\u5411\u5230\u201c\u7981\u6b62\u201d\u6216\u201c\u62d2\u7edd\u8bbf\u95ee\u201d\u9875\u9762\u3002<\/p>\n
These three outcomes correlate with real-life outcomes you might expect when trying to pass through security at the airport:
\n\u8fd9\u4e09\u79cd\u7ed3\u679c\u4e0e\u60a8\u5728\u5c1d\u8bd5\u901a\u8fc7\u673a\u573a\u5b89\u68c0\u65f6\u53ef\u80fd\u9884\u671f\u7684\u73b0\u5b9e\u7ed3\u679c\u76f8\u5173\uff1a<\/p>\n
\u2022 You have a valid boarding pass\u2014You can enter security as normal.
\n\u60a8\u6301\u6709\u6709\u6548\u7684\u767b\u673a\u724c - \u60a8\u53ef\u4ee5\u6b63\u5e38\u8fdb\u5165\u5b89\u68c0\u3002<\/p>\n
\u2022 You don\u2019t have a boarding pass\u2014You\u2019re redirected to purchase a ticket.
\n\u60a8\u6ca1\u6709\u767b\u673a\u724c - \u60a8\u5c06\u88ab\u91cd\u5b9a\u5411\u5230\u8d2d\u4e70\u673a\u7968\u3002<\/p>\n
\u2022 Your boarding pass is invalid (you turned up a day late, for example)\u2014You\u2019re blocked from entering.
\n\u60a8\u7684\u767b\u673a\u724c\u65e0\u6548\uff08\u4f8b\u5982\uff0c\u60a8\u8fdf\u5230\u4e00\u5929\uff09- \u60a8\u88ab\u963b\u6b62\u8fdb\u5165\u3002<\/p>\n
Listing 24.3 shows how you can apply a policy to a Razor Page using the [Authorize] attribute, but you still need to de\ufb01ne the CanEnterSecurity policy.
\n\u6e05\u5355 24.3 \u663e\u793a\u4e86\u5982\u4f55\u4f7f\u7528 [Authorize] \u5c5e\u6027\u5c06\u7b56\u7565\u5e94\u7528\u4e8e Razor \u9875\u9762\uff0c\u4f46\u60a8\u4ecd\u7136\u9700\u8981\u5b9a\u4e49 CanEnterSecurity \u7b56\u7565\u3002<\/p>\n
You add policies to an ASP.NET Core application in Program.cs, as shown in listing 24.4. First, you add the authorization services and return an AuthorizationBuilder object using AddAuthorizationBuilder(). You can then add policies to the builder by calling AddPolicy(). You de\ufb01ne the policy itself by calling methods in a lambda method on a AuthorizationPolicyBuilder (called policyBuilder here).
\n\u60a8\u53ef\u4ee5\u5728 Program.cs \u4e2d\u5c06\u7b56\u7565\u6dfb\u52a0\u5230 ASP.NET Core \u5e94\u7528\u7a0b\u5e8f\uff0c\u5982\u6e05\u5355 24.4 \u6240\u793a\u3002\u9996\u5148\uff0c\u6dfb\u52a0\u6388\u6743\u670d\u52a1\u5e76\u4f7f\u7528 AddAuthorizationBuilder\uff08\uff09 \u8fd4\u56de AuthorizationBuilder \u5bf9\u8c61\u3002\u7136\u540e\uff0c\u60a8\u53ef\u4ee5\u901a\u8fc7\u8c03\u7528 AddPolicy\uff08\uff09 \u5c06\u7b56\u7565\u6dfb\u52a0\u5230\u751f\u6210\u5668\u4e2d\u3002\u60a8\u53ef\u4ee5\u901a\u8fc7\u5728 AuthorizationPolicyBuilder\uff08\u6b64\u5904\u79f0\u4e3a policyBuilder\uff09\u4e0a\u8c03\u7528 lambda \u65b9\u6cd5\u4e2d\u7684\u65b9\u6cd5\u6765\u5b9a\u4e49\u7b56\u7565\u672c\u8eab\u3002<\/p>\n
Listing 24.4 Adding an authorization policy using AuthorizationPolicyBuilder
\n\u6e05\u5355 24.4 \u4f7f\u7528 AuthorizationPolicyBuilder \u6dfb\u52a0\u6388\u6743\u7b56\u7565<\/p>\n
WebApplicationBuilder builder = WebApplication.CreateBuilder(args);\nbuilder.Services.AddAuthorizationBuilder() \u2776\n.AddPolicy( \u2777\n"CanEnterSecurity", \u2778\npolicyBuilder => policyBuilder \u2779\n.RequireClaim("BoardingPassNumber")); \u2779\n});\n\/\/ Additional configuration<\/code><\/pre>\n\u2776 Calls AddAuthorizationBuilder to add the required authorization services
\n\u8c03\u7528 AddAuthorizationBuilder \u4ee5\u6dfb\u52a0\u6240\u9700\u7684\u6388\u6743\u670d\u52a1
\n\u2777 Adds a new policy
\n\u6dfb\u52a0\u65b0\u7b56\u7565
\n\u2778 Provides a name for the policy
\n\u4e3a\u7b56\u7565\u63d0\u4f9b\u540d\u79f0
\n\u2779 Defines the policy requirements using AuthorizationPolicyBuilder
\n\u4f7f\u7528 AuthorizationPolicyBuilder \u5b9a\u4e49\u7b56\u7565\u8981\u6c42<\/p>\n
When you call AddPolicy you provide a name for the policy, which should match the value you use in your [Authorize] attributes, and you de\ufb01ne the requirements of the policy. In this example, you have a single simple requirement: the user must have a claim of type BoardingPassNumber. If a user has this claim, whatever its value, the policy is satis\ufb01ed, and the user will be authorized.
\n\u8c03\u7528 AddPolicy \u65f6\uff0c\u60a8\u9700\u8981\u4e3a\u7b56\u7565\u63d0\u4f9b\u4e00\u4e2a\u540d\u79f0\uff0c\u8be5\u540d\u79f0\u5e94\u4e0e\u60a8\u5728 [Authorize] \u5c5e\u6027\u4e2d\u4f7f\u7528\u7684\u503c\u5339\u914d\uff0c\u5e76\u5b9a\u4e49\u7b56\u7565\u7684\u8981\u6c42\u3002\u5728\u6b64\u793a\u4f8b\u4e2d\uff0c\u60a8\u6709\u4e00\u4e2a\u7b80\u5355\u7684\u8981\u6c42\uff1a\u7528\u6237\u5fc5\u987b\u5177\u6709 BoardingPassNumber \u7c7b\u578b\u7684\u58f0\u660e\u3002\u5982\u679c\u7528\u6237\u5177\u6709\u6b64\u58f0\u660e\uff0c\u5219\u65e0\u8bba\u5176\u503c\u5982\u4f55\uff0c\u90fd\u6ee1\u8db3\u7b56\u7565\uff0c\u5e76\u4e14\u7528\u6237\u5c06\u83b7\u5f97\u6388\u6743\u3002<\/p>\n
NOTE<\/b> A claim is information about the user, as a key-value pair. A policy de\ufb01nes the requirements for successful authorization. A policy may require that a user have a given claim, or it may specify more complex requirements, as you\u2019ll see shortly.
\n\u6ce8\u610f\uff1a\u58f0\u660e\u662f\u6709\u5173\u7528\u6237\u7684\u4fe1\u606f\uff0c\u4ee5\u952e\u503c\u5bf9\u7684\u5f62\u5f0f\u3002\u7b56\u7565\u5b9a\u4e49\u6210\u529f\u6388\u6743\u7684\u8981\u6c42\u3002\u7b56\u7565\u53ef\u80fd\u8981\u6c42\u7528\u6237\u5177\u6709\u7ed9\u5b9a\u7684\u58f0\u660e\uff0c\u6216\u8005\u5b83\u53ef\u80fd\u6307\u5b9a\u66f4\u590d\u6742\u7684\u8981\u6c42\uff0c\u60a8\u5f88\u5feb\u5c31\u4f1a\u770b\u5230\u3002<\/p>\n
AuthorizationPolicyBuilder contains several methods for creating simple policies like this, as shown in table 24.1. For example, an overload of the RequireClaim() method lets you specify a speci\ufb01c value that a claim must have. The following would let you create a policy where the "BoardingPassNumber" claim must have a value of "A1234":
\nAuthorizationPolicyBuilder\u5305\u542b\u51e0\u79cd\u7528\u4e8e\u521b\u5efa\u6b64\u7c7b\u7b80\u5355\u7b56\u7565\u7684\u65b9\u6cd5\uff0c\u5982\u8868 24.1 \u6240\u793a\u3002\u4f8b\u5982\uff0cRequireClaim\uff08\uff09 \u65b9\u6cd5\u7684\u91cd\u8f7d\u5141\u8bb8\u60a8\u6307\u5b9a\u58f0\u660e\u5fc5\u987b\u5177\u6709\u7684\u7279\u5b9a\u503c\u3002\u4e0b\u9762\u5c06\u5141\u8bb8\u4f60\u521b\u5efa\u4e00\u4e2a\u7b56\u7565\uff0c\u5176\u4e2d \u201cBoardingPassNumber\u201d \u58f0\u660e\u7684\u503c\u5fc5\u987b\u4e3a\u201cA1234\u201d\uff1a<\/p>\n
policyBuilder => policyBuilder.RequireClaim("BoardingPassNumber", "A1234");<\/code><\/pre>\nTable 24.1 Simple policy builder methods on AuthorizationPolicyBuilder
\n\u8868 24.1 AuthorizationPolicyBuilder \u4e0a\u7684\u7b80\u5355\u7b56\u7565\u751f\u6210\u5668\u65b9\u6cd5<\/p>\n
![\"alt](\"\/images\/aspnetcoreinaction\/2405.jpg\")
<\/p>\n![\"alt](\"\/images\/aspnetcoreinaction\/2406.jpg\")
<\/p>\n![\"alt](\"\/images\/aspnetcoreinaction\/2407.png\")
<\/p>\n![\"alt](\"\/images\/aspnetcoreinaction\/2408.jpg\")
<\/p>\n