根据 SOC 负责人的说法,将授权与响应重定向混合起来似乎并不是一个好的做法。
相反,您可以将授权逻辑包装到策略中,然后调用 IAuthorizationService 并在您需要的任何地方/任何时间进行重定向。
假设您已经定义了“高级会员”政策。然后,您可以毫不费力地使用中间件/资源过滤器/操作过滤器甚至操作方法重定向请求。例如,我创建MembershipResourceFilter
如下:
public class MembershipResourceFilter : IAsyncResourceFilter
{
public async Task OnResourceExecutionAsync(ResourceExecutingContext context, ResourceExecutionDelegate next)
{
var HttpContext = context.HttpContext;
var authZ = HttpContext.RequestServices.GetRequiredService<IAuthorizationService>();
var routeData= context.RouteData;
var result = await authZ.AuthorizeAsync(HttpContext.User, routeData,"premium membership");
if(!result.Succeeded)
{
context.Result = new RedirectToActionResult("Upgrade", "Subscription", new { ReturnUrl = HttpContext.Request.Path });
}
await next();
}
}
我使用以下策略测试了上面的代码,它对我来说效果很好。
services.AddAuthorization(o =>{
o.AddPolicy("premium membership", pb => pb
.RequireAuthenticatedUser()
.RequireAssertion((context)=>{
// check current context.User has premium membership
var user = context.User;
var routeData = context.Resource as RouteData;
if(routeData != null){
try{
var controller = routeData.Values["controller"]?.ToString();
var action = routeData.Values["action"]?.ToString();
// now you get the route value
if(controller == "Home" && action == "Action"){
// ...
return true;
}
}catch{
return false;
}
}
return false;
})
);
});
[Edit]
如果您不想更改[Authorize("Premium")]
,您可以创建一个简单的中间件而不是资源过滤器:
...
app.UseAuthentication();
app.UseRouting();
app.Use(async(ctx,next)=>{
var ep= ctx.Features.Get<IEndpointFeature>()?.Endpoint;
var authAttr = ep?.Metadata?.GetMetadata<AuthorizeAttribute>()
if(authAttr!=null && authAttr.Policy == "premium membership"){
var authService = ctx.RequestServices.GetRequiredService<IAuthorizationService>();
var result = await authService.AuthorizeAsync(ctx.User, ctx.GetRouteData(),authAttr.Policy);
if(!result.Succeeded)
{
var path = $"/Subscription/Upgrade?ReturnUrl={ctx.Request.Path}";
ctx.Response.Redirect(path) ;
return;
}
}
await next();
});
app.UseAuthorization();
app.UseEndpoints(endpoints =>{ ... });
中间件和资源过滤器基本上做同样的事情:调用授权服务并在需要时重定向。