【问题标题】:ASP.NET Web Application Authorization using ADFS Claims使用 ADFS 声明的 ASP.NET Web 应用程序授权
【发布时间】:2013-12-07 15:11:11
【问题描述】:

我已经使用 ASP.NET 构建了一个动态数据 Web 应用程序。我还为 AuthorizationManager 整理了一些类。我不确定的一件事是如何将其插入 Web 应用程序以使其只有基于 ADFS 声明的特定角色的用户才能访问该应用程序。为了安全起见,我抽象了一小段代码。以下是我目前拥有的文件:

授权助手:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Web;

namespace ApplicationManager.Authorization
{
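public class AuthorizationHelper
{
    // NOTE(review): as posted, this file's using directives do not include
    // Microsoft.IdentityModel.Claims (AuthorizationContext, IClaimsPrincipal),
    // Microsoft.IdentityModel.Web (FederatedAuthentication) or
    // ApplicationManager.Models (UserInfo); the abstracted listing presumably
    // dropped them.

    /// <summary>
    /// Checks whether the current request's principal may perform
    /// <paramref name="action"/> on <paramref name="resource"/>, using the
    /// ClaimsAuthorizationManager registered in the WIF service configuration.
    /// </summary>
    /// <param name="resource">The resource being accessed (see <see cref="Resources"/>).</param>
    /// <param name="action">The action being performed (see <see cref="Operations"/>).</param>
    /// <returns>
    /// true if access is granted; false otherwise. Also false (fail closed) when there is
    /// no current HttpContext or the current user is not an <c>IClaimsPrincipal</c>,
    /// where the original code would have passed a null principal to the manager.
    /// </returns>
    /// <remarks>
    /// This calls the configured manager's single-argument
    /// <c>CheckAccess(AuthorizationContext)</c>. That overload must actually be
    /// overridden by the registered manager: the base ClaimsAuthorizationManager
    /// implementation is documented to grant access unconditionally (verify against
    /// the WIF version in use).
    /// </remarks>
    public static bool CheckAccess(string resource, string action)
    {
        IClaimsPrincipal principal = CurrentClaimsPrincipal();
        if (principal == null)
        {
            // A missing or non-claims principal cannot carry the ADFS role claims;
            // deny instead of handing null to the authorization manager.
            return false;
        }

        AuthorizationContext context = new AuthorizationContext(principal, resource, action);
        return FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager.CheckAccess(context);
    }

    /// <summary>
    /// Checks whether the current request's principal may perform
    /// <paramref name="action"/> on <paramref name="resource"/> with respect to
    /// <paramref name="user"/>, via the project's <see cref="AuthorizationManager"/>.
    /// </summary>
    /// <param name="resource">The resource being accessed (see <see cref="Resources"/>).</param>
    /// <param name="action">The action being performed (see <see cref="Operations"/>).</param>
    /// <param name="user">The user the operation targets; forwarded to the manager as-is.</param>
    /// <returns>true if access is granted; false otherwise, including when no claims
    /// principal is available (fail closed).</returns>
    /// <exception cref="InvalidOperationException">
    /// The registered ClaimsAuthorizationManager is not an <see cref="AuthorizationManager"/>,
    /// so the per-user overload is unavailable (surfaced explicitly instead of as an
    /// InvalidCastException).
    /// </exception>
    public static bool CheckAccess(string resource, string action, UserInfo user)
    {
        IClaimsPrincipal principal = CurrentClaimsPrincipal();
        if (principal == null)
        {
            return false;
        }

        AuthorizationManager authManager =
            FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager as AuthorizationManager;
        if (authManager == null)
        {
            throw new InvalidOperationException(
                "The configured ClaimsAuthorizationManager is not ApplicationManager.Authorization.AuthorizationManager.");
        }

        AuthorizationContext context = new AuthorizationContext(principal, resource, action);
        return authManager.CheckAccess(context, user);
    }

    /// <summary>
    /// Confirms the logged-in user may perform <paramref name="action"/> on
    /// <paramref name="resource"/> for <paramref name="user"/>, throwing otherwise.
    /// </summary>
    /// <param name="resource">The resource being accessed.</param>
    /// <param name="action">The action being performed.</param>
    /// <param name="user">The user the operation targets.</param>
    /// <exception cref="System.Security.SecurityException">Access was denied.</exception>
    public static void ConfirmAccess(string resource, string action, UserInfo user)
    {
        if (!CheckAccess(resource, action, user))
        {
            // Build the message without dereferencing a context/user that may be
            // absent — an access denial caused by a missing principal must not
            // turn into a NullReferenceException.
            HttpContext http = HttpContext.Current;
            string who = (http != null && http.User != null && http.User.Identity != null)
                ? http.User.Identity.Name
                : "<anonymous>";
            object target = (user != null) ? (object)user.UserId : "<null>";

            throw new SecurityException(string.Format("{0} does not have rights to manage {1}.  Please contact the idm security administrator.", who, target));
        }
    }

    /// <summary>
    /// Returns the current request's principal as an <c>IClaimsPrincipal</c>, or null
    /// when there is no request context or the principal was not produced by the
    /// claims pipeline.
    /// </summary>
    private static IClaimsPrincipal CurrentClaimsPrincipal()
    {
        HttpContext http = HttpContext.Current;
        if (http == null)
        {
            return null;
        }
        return http.User as IClaimsPrincipal;
    }
}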
}

授权管理器:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using ApplicationManager.Models;

namespace ApplicationManager.Authorization
{
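public class AuthorizationManager : ClaimsAuthorizationManager
{
    // ADFS role/group claim values. The "****" prefix is a redaction by the poster.
    private const string HelpDeskRole = @"****_Helpdesk";
    private const string UsersRole = @"****_ADMIN_USERS";
    private const string SupportRole = @"****_Admin_Support";
    private const string SuperUsersRole = @"****_ADMIN_SUPERUSERS";
    private const string ReportingRole = @"****_ADMIN__Reporting";
    private const string AdminRole = @"****_Admin_Administrator";
    private const string PersonalUserManagmentRole = @"****_PERSONAL_USER_MANAGEMENT";
    private const string ProfessionalUserManagmentRole = @"****_PROF_USER_MANAGEMENT";

    // NOTE(review): AllRoles is not consulted by any check in this class, and the two
    // *_USER_MANAGEMENT roles are in neither list — confirm that is intended.
    private static readonly string[] AllRoles = new string[] { HelpDeskRole, UsersRole, SupportRole, SuperUsersRole, ReportingRole, AdminRole };

    // The only roles allowed to use the application manager.
    private static readonly string[] CustomRoles = new string[] { SuperUsersRole, AdminRole };

    /// <summary>
    /// Pipeline entry point: this is the overload WIF (and
    /// <c>AuthorizationHelper.CheckAccess(resource, action)</c>) invokes once the manager
    /// is registered. The base ClaimsAuthorizationManager implementation is documented
    /// to return true unconditionally, so without this override every request would be
    /// allowed regardless of the role checks below.
    /// </summary>
    /// <param name="context">Principal, resource and action for the request.</param>
    /// <returns>true if access is granted; false otherwise.</returns>
    public override bool CheckAccess(AuthorizationContext context)
    {
        return CheckAccess(context, null);
    }

    /// <summary>
    /// Checks whether the principal in <paramref name="context"/> may perform the
    /// context's action on its resource.
    /// </summary>
    /// <param name="context">Principal, resource and action for the request.</param>
    /// <param name="user">
    /// The user the operation targets. NOTE(review): currently not consulted — any
    /// principal in <c>CustomRoles</c> is allowed to act on any user. Tighten here if
    /// per-target scoping is intended.
    /// </param>
    /// <returns>
    /// true only for an authenticated principal whose first resource claim is a known
    /// resource and whose role satisfies that resource's rule; false for everything else,
    /// including a null context/principal or an empty resource collection (the original
    /// called <c>Resource.First()</c>, which throws on an empty collection).
    /// </returns>
    public bool CheckAccess(AuthorizationContext context, UserInfo user)
    {
        // Fail closed on anything the pipeline did not populate.
        if (context == null
            || context.Principal == null
            || context.Principal.Identity == null
            || !context.Principal.Identity.IsAuthenticated)
        {
            return false;
        }

        if (context.Resource == null || context.Resource.Count == 0)
        {
            return false;
        }

        string resource = context.Resource[0].Value;
        string action = null;
        if (context.Action != null && context.Action.Count > 0)
        {
            action = context.Action[0].Value;
        }

        switch (resource)
        {
            case Resources.ApplicationManager:
                return IsAuthorizedForApplications(context.Principal, action);
            default:
                // Unknown resources are denied rather than allowed by omission.
                return false;
        }
    }

    /// <summary>
    /// Resource rule for <see cref="Resources.ApplicationManager"/>: only
    /// <see cref="Operations.ApplicationManager"/> is recognised, and it requires one of
    /// <c>CustomRoles</c>.
    /// </summary>
    /// <param name="claimsPrincipal">The authenticated principal.</param>
    /// <param name="action">The requested action; null when the context carried none.</param>
    /// <returns>true if allowed; false for any other or missing action.</returns>
    private bool IsAuthorizedForApplications(IClaimsPrincipal claimsPrincipal, string action)
    {
        switch (action)
        {
            case Operations.ApplicationManager:
                return IsInAnyRole(claimsPrincipal, CustomRoles);
            default:
                return false;
        }
    }

    /// <summary>
    /// Returns true if <paramref name="principal"/> is in at least one of
    /// <paramref name="roles"/> (as decided by <c>IPrincipal.IsInRole</c>, i.e. the
    /// role claim type configured for the claims identity).
    /// </summary>
    /// <param name="principal">The principal to test; null yields false.</param>
    /// <param name="roles">Candidate role names; null or empty yields false.</param>
    /// <returns>true if any role matches; false otherwise.</returns>
    public bool IsInAnyRole(IClaimsPrincipal principal, string[] roles)
    {
        if (principal == null || roles == null)
        {
            return false;
        }

        foreach (string role in roles)
        {
            if (principal.IsInRole(role))
            {
                return true;
            }
        }
        return false;
    }
}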
}

操作:

namespace ApplicationManager.Authorization
{
public class Operations
{
    /// <summary>
    /// Action name passed to <c>AuthorizationHelper.CheckAccess</c> for the
    /// application manager. Its value is intentionally the same string as
    /// <c>Resources.ApplicationManager</c>; the manager matches it by action position,
    /// not by resource.
    /// </summary>
    public const string ApplicationManager = "Applications";
}
}

资源:

namespace ApplicationManager.Authorization
{
public class Resources
{
    /// <summary>
    /// Resource name passed to <c>AuthorizationHelper.CheckAccess</c> for the
    /// application manager; the only resource <c>AuthorizationManager</c> currently
    /// recognises. Shares its string value with <c>Operations.ApplicationManager</c>.
    /// </summary>
    public const string ApplicationManager = "Applications";
}
}

我想将这一切都插入并根据用户所在的角色拒绝使用应用程序。我确实有获取用户 ID 和用户角色的模型。我需要知道在哪里以及如何编写代码以根据用户角色阻止对完整应用程序的访问。

【问题讨论】:

标签: asp.net authorization roles asp.net-dynamic-data


【解决方案1】:

您需要在 WIF 管道中注册您的 ClaimsAuthorizationManager（声明授权管理器，而不是身份验证管理器），它会针对每个请求触发。需要注意的是：管道调用的是单参数的 CheckAccess(AuthorizationContext) 重载，而您贴出的 AuthorizationManager 只实现了 CheckAccess(AuthorizationContext, UserInfo)，并没有 override 单参数版本；基类的默认实现会直接返回 true，因此注册之后所有请求都会被放行。请添加 `public override bool CheckAccess(AuthorizationContext context)` 并在其中调用您的角色检查。参考：

http://www.brainthud.com/cards/5218/5016/explain-the-usage-of-the-claimsauthorizationmanager-class/

【讨论】:
