文章詳情頁
asp.net core項目授權流程詳解
瀏覽:724日期:2022-06-08 17:42:42
在上一篇 聊聊 asp.net core 認證和授權 中我們提到了認證和授權的基本概念,以及認證和授權的關系及他們之間的協同工作流程,在這篇文章中,我將通過分析asp.net core 3.1 授權流程的源碼給大家介紹asp.net core 框架里面授權流程的具體實現邏輯,本文并非講解具體的實戰應用,建議在使用過asp.net core 授權框架后在來閱讀本文收貨會更多。
一、授權流程用到的主要的幾個接口及類
- IAuthorizationService,默認實現類: DefaultAuthorizationService,該類主要職責就是遍歷所有注入到容器的實現了IAuthorizationHandler接口的服務,并調用其HandleAsync方法來進行授權檢查,也就是說該類的主要職責就是檢查授權策略(AuthorizationPolicy)是否校驗通過,校驗通過則授權成功,否則授權失敗。
- IAuthorizationPolicyProvider,默認實現類:DefaultAuthorizationPolicyProvider,負責根據策略名稱提供授權策略,以及提供默認授權策略等,內部就是從AuthorizationOptions內部的策略字典(Dictionary)中直接獲取。
- IAuthorizationHandlerProvider,默認實現類:DefaultAuthorizationHandlerProvider,用于獲取已經注冊到容器中的所有實現了IAuthorizationHandler的授權服務,所有授權服務是通過構造函數依賴注入實現的(IEnumerable<IAuthorizationHandler>作為構造函數入參)
- IAuthorizationHandler,默認實現類:PassThroughAuthorizationHandler,該類是AddAuthorization的時候默認注冊的授權處理程序(實現IAuthorizationHandler接口),用于遍歷授權策略中包含的所有的實現了IAuthorizationHandler的Requirement類,并調用其HandleAsync方法進行檢查Requirement授權是否成功,這里的Requirement類是指實現了AuthorizationHandler<TRequirement>抽象基類的Requirement類。
- IAuthorizationEvaluator,默認實現類:DefaultAuthorizationEvaluator,執行授權流程,并對授權檢查結果進行檢查,如果是授權失敗,并且未認證則返回401,如果是授權失敗,但認證通過,則返回403
- IAuthorizationHandlerContextFactory,默認實現類:DefaultAuthorizationHandlerContextFactory,用于創建AuthorizationHandlerContext對象的工廠類,AuthorizationHandlerContext 上下文中包含每次授權流程中要被校驗的所有的Requirement類。
- AuthorizationMiddleware,負責對請求進行授權檢查的中間件.
- AuthorizationOptions類,內部維護了一個策略字典(Dictionary)用于存儲所有注冊的策略,key為策略名稱,value為具體的策略(AuthorizationPolicy)
- AuthorizationPolicy類,策略的具體表示,主要包含 AuthenticationSchemes 和 Requirements屬性,AuthenticationSchemes 表示執行該策略時采用什么認證方案進行身分認證, Requirements 表示該策略要驗證的Requirement列表
- AuthorizationPolicyBuilder類,該類主要是用于構建AuthorizationPolicy類,也就是用于構建具體策略的類,通過該類,可以指定該授權策略需要采用什么認證方案進行認證,以及授權檢查時需要滿足那些Requirement。
二、授權服務注冊流程
首先找到 PolicyServiceCollectionExtensions 類,這個擴展方法類,對IServiceCollection接口進行了擴展,因此我們可以在Startup.cs 的ConfigureService方法中直接
services.AddAuthorization來注冊 授權相關服務。
// Microsoft.Extensions.DependencyInjection.PolicyServiceCollectionExtensions
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
public static class PolicyServiceCollectionExtensions
{
public static IServiceCollection AddAuthorizationPolicyEvaluator(this IServiceCollection services)
{
if (services == null)
{
throw new ArgumentNullException("services");
}
services.TryAddSingleton<AuthorizationPolicyMarkerService>();
services.TryAdd(ServiceDescriptor.Transient<IPolicyEvaluator, PolicyEvaluator>());
return services;
}
//當不想在應用程序中注冊授權策略時,直接調用此方法即可。
public static IServiceCollection AddAuthorization(this IServiceCollection services)
{
return services.AddAuthorization(null);
}
//當需要在應用程序中注冊特定的授權策略時,調用這個方法,configure為Action類型的委托方法,入參為AuthorizationOptions 授權配置類,
//可通過該類的AddPolicy方法來進行授權策略的注冊。
public static IServiceCollection AddAuthorization(this IServiceCollection services, Action<AuthorizationOptions> configure)
{
if (services == null)
{
throw new ArgumentNullException("services");
}
services.AddAuthorizationCore(configure);
services.AddAuthorizationPolicyEvaluator();
return services;
}
}
可以看到,內部調用了AddAuthorizationCore方法,這個擴展方法定義在:AuthorizationServiceCollectionExtensions 類
// Microsoft.Extensions.DependencyInjection.AuthorizationServiceCollectionExtensions
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
public static class AuthorizationServiceCollectionExtensions
{
public static IServiceCollection AddAuthorizationCore(this IServiceCollection services)
{
if (services == null)
{
throw new ArgumentNullException("services");
}
//以下這些服務便是上文中介紹的授權流程用到的主要服務類,及具體的默認實現類。
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationService, DefaultAuthorizationService>());
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationPolicyProvider, DefaultAuthorizationPolicyProvider>());
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationHandlerProvider, DefaultAuthorizationHandlerProvider>());
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationEvaluator, DefaultAuthorizationEvaluator>());
services.TryAdd(ServiceDescriptor.Transient<IAuthorizationHandlerContextFactory, DefaultAuthorizationHandlerContextFactory>());
services.TryAddEnumerable(ServiceDescriptor.Transient<IAuthorizationHandler, PassThroughAuthorizationHandler>());
return services;
}
public static IServiceCollection AddAuthorizationCore(this IServiceCollection services, Action<AuthorizationOptions> configure)
{
if (services == null)
{
throw new ArgumentNullException("services");
}
//這里的configure便是我們應用程序傳入的委托回調方法,用于向AuthorizationOptions類添加授權策略。
if (configure != null)
{
services.Configure(configure);
}
return services.AddAuthorizationCore();
}
}
下面這個是應用注冊授權策略的常規流程的一個例子:
public void ConfigureServices(IServiceCollection services)
{
//添加授權相關服務。
services.AddAuthorization(options =>
{
//往AuthorizationOptions類中添加名為:adminPolicy的授權策略。
//參數:authorizationPolicyBuilder 為AuthorizationPolicyBuilder類。
options.AddPolicy("adminPolicy", authorizationPolicyBuilder =>
{
authorizationPolicyBuilder.AddAuthenticationSchemes("Cookie");
//表示用戶必須屬于admin角色才能訪問。
authorizationPolicyBuilder.AddRequirements(new RolesAuthorizationRequirement(new string[] { "admin" }));
//表示用戶聲明中包含名為cardNo的 Claim,并且值為23902390才允許訪問,也就是 HttpContext.User.Claims 中包含cardNo,并且值為相應值才能訪問。
authorizationPolicyBuilder.Requirements.Add(new ClaimsAuthorizationRequirement("cardNo", new string[] { "23902390" }));
//表示用用戶名必須是admin才允許訪問,AuthorizationBuilder中海油RequireClaim、RequireRole等方法。
authorizationPolicyBuilder.RequireUserName("admin");
//只有以上3個Requirement同時滿足,該策略才算授權成功
});
});
}
三、啟用授權流程
第二個步驟僅僅是將授權流程中用到的相關服務注冊到依賴注入容器中,以及應用配置授權策略,真正的啟用授權流程則需要通過 Startup.cs 類中的Configure方法中調用 app.UseAuthorization(); 進行開啟,本質上就是將 AuthorizationMiddleware 授權中間件,注冊到中間件管道中。
// Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Builder;
public static class AuthorizationAppBuilderExtensions
{
public static IApplicationBuilder UseAuthorization(this IApplicationBuilder app)
{
if (app == null)
{
throw new ArgumentNullException("app");
}
VerifyServicesRegistered(app);
//注冊授權中間件。AuthorizationMiddleware
return app.UseMiddleware<AuthorizationMiddleware>(Array.Empty<object>());
}
private static void VerifyServicesRegistered(IApplicationBuilder app)
{
if (app.ApplicationServices.GetService(typeof(AuthorizationPolicyMarkerService)) == null)
{
throw new InvalidOperationException(Resources.FormatException_UnableToFindServices("IServiceCollection", "AddAuthorization", "ConfigureServices(...)"));
}
}
}
要看授權流程的具體執行邏輯,我們還是要看AuthorizationMiddleware類。
// Microsoft.AspNetCore.Authorization.AuthorizationMiddleware
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
public class AuthorizationMiddleware
{
private const string AuthorizationMiddlewareInvokedWithEndpointKey = "__AuthorizationMiddlewareWithEndpointInvoked";
private static readonly object AuthorizationMiddlewareWithEndpointInvokedValue = new object();
private readonly RequestDelegate _next;
private readonly IAuthorizationPolicyProvider _policyProvider;
public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider)
{
_next = next ?? throw new ArgumentNullException("next");
_policyProvider = policyProvider ?? throw new ArgumentNullException("policyProvider");
}
public async Task Invoke(HttpContext context)
{
if (context == null)
{
throw new ArgumentNullException("context");
}
Endpoint endpoint = context.GetEndpoint();
if (endpoint != null)
{
context.Items["__AuthorizationMiddlewareWithEndpointInvoked"] = AuthorizationMiddlewareWithEndpointInvokedValue;
}
//這里獲取Controller或者Action上標注的一個或者多個[Authorize]特性,
//每個Authorize特性都有一個Policy屬性,用于指定一個或者多個授權策略,表示這些策略必須同時滿足才算授權通過,
//Roles屬性則用于指定用戶角色列表,表示用戶必須屬于這些角色才允許訪問,這里的角色控制最終其實也是轉換為策略的形式去控制。
//AuthenticationSchemes則用于指定認證方案列表,表示用戶訪問該資源時采用這些認證方案進行身份認證
//如:[Authorize(AuthenticationSchemes = "cookie", Policy = "adminPolicy", Roles = "admin")]
IReadOnlyList<IAuthorizeData> authorizeData = endpoint?.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>();
//以下將Controller或者Action上的一個或者多個[Authorize]特性上指定的訪問該資源所需要的滿足的Policy授權策略列表,
//及訪問該資源時用戶所需具備的角色列表,以及訪問該資源時將采用的認證方案合并到一個策略對象中去,
//也就是說最終返回的這個授權策略包含了訪問該資源所需要滿足的所有授權策略列表,用戶所必須具備的所有用戶角色列表,以及采用的所有認證方案列表。
AuthorizationPolicy policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData);
if (policy == null)
{
await _next(context);
return;
}
IPolicyEvaluator policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>();
//這里首先對當前訪問者進行用戶身份的認證,認證方案采用的是上面合并過后的一個或者多個認證方案進行認證。
AuthenticateResult authenticationResult = await policyEvaluator.AuthenticateAsync(policy, context);
//如果允許匿名訪問,則不再進行授權檢查。
if (endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null)
{
await _next(context);
return;
}
//這里對policy中包含的所有授權策略進行一一檢查,如果全部驗證通過,則表示授權成功,允許用戶訪問,
//否則根據用戶是否已經登錄來判定是讓用戶登錄(401-Challenged)還是提示用戶沒權限訪問(403-Forbiden)
PolicyAuthorizationResult policyAuthorizationResult = await policyEvaluator.AuthorizeAsync(policy, authenticationResult, context, endpoint);
if (policyAuthorizationResult.Challenged)
{
//如果授權失敗,且用戶身份未認證,且指定了認證方案,則調用特定的認證方案的Chanllege方法。
if (policy.AuthenticationSchemes.Any())
{
foreach (string authenticationScheme in policy.AuthenticationSchemes)
{
await context.ChallengeAsync(authenticationScheme);
}
}
//如果該資源沒有指定任何認證方案,則采用默認的認證方案。
else
{
await context.ChallengeAsync();
}
}
else if (policyAuthorizationResult.Forbidden)
{
//如果授權失敗,且用戶身份已認證,且指定了認證方案,則調用特定的認證方案的Forbid方法來處理禁止訪問的處理邏輯。
if (policy.AuthenticationSchemes.Any())
{
foreach (string authenticationScheme2 in policy.AuthenticationSchemes)
{
await context.ForbidAsync(authenticationScheme2);
}
}
//如果該資源沒有指定任何認證方案,則采用默認的認證方案來處理禁止訪問的邏輯
else
{
await context.ForbidAsync();
}
}
else
{
await _next(context);
}
}
}
以下是AuthorizationPolicy.CombineAsync方法的詳細說明,該方法主要是用于將一個或者多個Authorize特性指定的授權策略,用戶角色列表,認證方案進行合并,最終返回一個授權策略對象,這個授權策略包含了 訪問該資源所需用到的所有認證方案,所有必須滿足的Requirement.
// Microsoft.AspNetCore.Authorization.AuthorizationPolicy
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
public static async Task<AuthorizationPolicy> CombineAsync(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
{
if (policyProvider == null)
{
throw new ArgumentNullException("policyProvider");
}
if (authorizeData == null)
{
throw new ArgumentNullException("authorizeData");
}
bool flag = false;
IList<IAuthorizeData> list = authorizeData as IList<IAuthorizeData>;
if (list != null)
{
flag = list.Count == 0;
}
AuthorizationPolicyBuilder policyBuilder = null;
if (!flag)
{
//這里遍歷Controller或者Action上的一個或者多個[Authorize]特性
foreach (IAuthorizeData authorizeDatum in authorizeData)
{
if (policyBuilder == null)
{
policyBuilder = new AuthorizationPolicyBuilder();
}
bool flag2 = true;
//如果某個[Authorize]特性有指定授權策略,則將該授權策略添加到合并列表中。
if (!string.IsNullOrWhiteSpace(authorizeDatum.Policy))
{
//IAuthorizationPolicyPovider 內部其實就是讀取 AuthorizationOptions的字典屬性中保存的策略,key為策略名稱,value為相應的授權策略。
AuthorizationPolicy authorizationPolicy = await policyProvider.GetPolicyAsync(authorizeDatum.Policy);
if (authorizationPolicy == null)
{
throw new InvalidOperationException(Resources.FormatException_AuthorizationPolicyNotFound(authorizeDatum.Policy));
}
//其實就是將 Requirements 和 AuthenticationSchemes(認證方案列表) 添加到合并后的Requirements及授權方案列表中去。
policyBuilder.Combine(authorizationPolicy);
flag2 = false;
}
string[] array = authorizeDatum.Roles?.Split(",");
if (array != null && array.Any())
{
IEnumerable<string> roles = from r in array
where !string.IsNullOrWhiteSpace(r)
select r.Trim();
//如果一個[Authorize]特性指定了Roles屬性,那么將屬性中指定的一個或者多個角色列表添加到合并后的角色列表中去。
//看RequireRole,其實就是往合并后的Requirements中添加了一個名為:RolesAuthorizationRequirement的Requirement
policyBuilder.RequireRole(roles);
flag2 = false;
}
string[] array2 = authorizeDatum.AuthenticationSchemes?.Split(",");
if (array2 != null && array2.Any())
{
string[] array3 = array2;
//將Authorize特性中指定的一個或者多個認證方案添加到合并后的認證方案列表中。
foreach (string text in array3)
{
if (!string.IsNullOrWhiteSpace(text))
{
policyBuilder.AuthenticationSchemes.Add(text.Trim());
}
}
}
//如果當前Authorize特性既沒有指定授權策略,也沒有指定角色列表,那么采用默認授權策略(默認授權策略其實就是要求用戶身份必須被認證通過)
if (flag2)
{
AuthorizationPolicyBuilder authorizationPolicyBuilder = policyBuilder;
authorizationPolicyBuilder.Combine(await policyProvider.GetDefaultPolicyAsync());
}
}
}
//如果一個Controller或者Action沒有指定任何[Authorize]特性,那么如果啟用了授權流程,則采用Fallback策略進行授權檢查。
if (policyBuilder == null)
{
AuthorizationPolicy authorizationPolicy2 = await policyProvider.GetFallbackPolicyAsync();
if (authorizationPolicy2 != null)
{
return authorizationPolicy2;
}
}
return policyBuilder?.Build();
}
以下是對 IPolicyEvaluator.AuthenticateAsync方法的說明,該方法主要是對訪問該資源所指定的認證方案列表進行一一認證,并將認證結果產生的用戶信息進行合并,默認實現類是:PolicyEvaluator,該接口主要定義了兩個方法,一個是:AuthenticateAsync,負責對當前訪問者進行身份認證,一個是AuthorizeAsync,負責對當前訪問者進行授權檢查,通常要授權成功,必須要求用戶先進行身份認證,認證通過并且授前檢查通過才允許訪問,但認證不是必須的,如果你要自定義授權邏輯的話,你甚至可以不認證用戶身份也授權其進行訪問,但實際開發中通常不會這么做,這里僅僅只是闡述兩者之間的一些聯系,之所以默認標記了Authorize特性并且啟用授權流程后,要求用戶必須登錄(身份認證)是因為用[Authorize]特性標記控制器后,執行的是默認策略,而默認策略就是必須要求用戶進行身份認證。
// Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Internal;
public class PolicyEvaluator : IPolicyEvaluator
{
private readonly IAuthorizationService _authorization;
public PolicyEvaluator(IAuthorizationService authorization)
{
_authorization = authorization;
}
//參數policy是一個合并后的策略,里面包含了訪問該資源所采用的所有認證方案列表。
public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
{
if (policy.AuthenticationSchemes != null && policy.AuthenticationSchemes.Count > 0)
{
ClaimsPrincipal newPrincipal = null;
//如果被訪問的資源指定了身份認證方案,則采用指定的身份認證方案一一進行認證,并把所有身份認證結果進行合并。
//認證流程中添加的一個或者多個認證方案,可以在授權流程中被調用進行用戶身份的認證,雖然一個應用可以添加多個認證方案,
//但默認情況下,認證流程只會調用默認的認證方案進行身份認證。
foreach (string authenticationScheme in policy.AuthenticationSchemes)
{
AuthenticateResult authenticateResult = await context.AuthenticateAsync(authenticationScheme);
if (authenticateResult != null && authenticateResult.Succeeded)
{
newPrincipal = SecurityHelper.MergeUserPrincipal(newPrincipal, authenticateResult.Principal);
}
}
if (newPrincipal != null)
{
context.User = newPrincipal;
return AuthenticateResult.Success(new AuthenticationTicket(newPrincipal, string.Join(";", policy.AuthenticationSchemes)));
}
context.User = new ClaimsPrincipal(new ClaimsIdentity());
return AuthenticateResult.NoResult();
}
//如果當前被訪問的資源沒有指定采用何種認證方案進行身份認證,則默認采用認證流程產生的身份認證信息。
return (context.User?.Identity?.IsAuthenticated).GetValueOrDefault() ? AuthenticateResult.Success(new AuthenticationTicket(context.User, "context.User")) : AuthenticateResult.NoResult();
}
//這個是對合并后的授權策略進行授權檢查的方法,內部還是去調用了IAuthorizationService.AuthorizeAsync方法。
public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
{
if (policy == null)
{
throw new ArgumentNullException("policy");
}
if ((await _authorization.AuthorizeAsync(context.User, resource, policy)).Succeeded)
{
return PolicyAuthorizationResult.Success();
}
return authenticationResult.Succeeded ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge();
}
}
以下是IAuthorizationService.AuthorizeAsync的說明,主要負責對合并后的授權策略(AuthorizationPolicy)中的Requirements進行一一檢查,全部檢查通過,則授權成功,默認實現類是:DefaultAuthorizationService
// Microsoft.AspNetCore.Authorization.DefaultAuthorizationService
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
public class DefaultAuthorizationService : IAuthorizationService
{
private readonly AuthorizationOptions _options;
private readonly IAuthorizationHandlerContextFactory _contextFactory;
private readonly IAuthorizationHandlerProvider _handlers;
private readonly IAuthorizationEvaluator _evaluator;
private readonly IAuthorizationPolicyProvider _policyProvider;
private readonly ILogger _logger;
public DefaultAuthorizationService(IAuthorizationPolicyProvider policyProvider, IAuthorizationHandlerProvider handlers, ILogger<DefaultAuthorizationService> logger, IAuthorizationHandlerContextFactory contextFactory, IAuthorizationEvaluator evaluator, IOptions<AuthorizationOptions> options)
{
if (options == null)
{
throw new ArgumentNullException("options");
}
if (policyProvider == null)
{
throw new ArgumentNullException("policyProvider");
}
if (handlers == null)
{
throw new ArgumentNullException("handlers");
}
if (logger == null)
{
throw new ArgumentNullException("logger");
}
if (contextFactory == null)
{
throw new ArgumentNullException("contextFactory");
}
if (evaluator == null)
{
throw new ArgumentNullException("evaluator");
}
_options = options.Value;
_handlers = handlers;
_policyProvider = policyProvider;
_logger = logger;
_evaluator = evaluator;
_contextFactory = contextFactory;
}
//這個就是檢查授權策略的核心邏輯了,流程就是讀取 依賴注入容器中所有注冊的實現了IAuthorizationHandler接口的服務,并對其遍歷并分別調用服務的HandleAsync方法。
//微軟默認注入的IAuthorizationHandler的實現類是: PassThroughAuthorizationHandler,該類主要是找出Requirements中實現了IAuthorizationHandler的Requirement類,并對其調用HandleAsync方法來檢查這類Requirement是否授權通過。
public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements)
{
if (requirements == null)
{
throw new ArgumentNullException("requirements");
}
//AuthorizationHandlerContext 上下文中,包含了所有需要進行授權檢查的Requirement。
AuthorizationHandlerContext authContext = _contextFactory.CreateContext(requirements, user, resource);
foreach (IAuthorizationHandler item in await _handlers.GetHandlersAsync(authContext))
{
await item.HandleAsync(authContext);
//如果授權檢查失敗,并且InvokeHandlersAfterFailure為false時,即某一個Requirement檢查失敗時,是否繼續執行剩余的Requirement檢查。
if (!_options.InvokeHandlersAfterFailure && authContext.HasFailed)
{
break;
}
}
//這里主要是檢查是否所有的Requirement都驗證通過,如果都驗證通過,那么返回授權成功,否則返回授權失敗。
AuthorizationResult authorizationResult = _evaluator.Evaluate(authContext);
if (authorizationResult.Succeeded)
{
_logger.UserAuthorizationSucceeded();
}
else
{
_logger.UserAuthorizationFailed();
}
return authorizationResult;
}
public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName)
{
if (policyName == null)
{
throw new ArgumentNullException("policyName");
}
AuthorizationPolicy authorizationPolicy = await _policyProvider.GetPolicyAsync(policyName);
if (authorizationPolicy == null)
{
throw new InvalidOperationException("No policy found: " + policyName + ".");
}
return await this.AuthorizeAsync(user, resource, authorizationPolicy);
}
}
以下是IAuthorizationEvaluator的默認實現類:DefaultAuthorizationEvaluator的源碼,負責檢查是否所有Requirement類都驗證通過,如果存在部分未驗證通過,則返回授權失敗。
// Microsoft.AspNetCore.Authorization.DefaultAuthorizationEvaluator
using Microsoft.AspNetCore.Authorization;
public class DefaultAuthorizationEvaluator : IAuthorizationEvaluator
{
public AuthorizationResult Evaluate(AuthorizationHandlerContext context)
{
//看HasSucceded源碼,其實要授權成功,必須沒有顯式調用授權失敗的方法。
if (!context.HasSucceeded)
{
return AuthorizationResult.Failed(context.HasFailed ? AuthorizationFailure.ExplicitFail() : AuthorizationFailure.Failed(context.PendingRequirements));
}
return AuthorizationResult.Success();
}
}
以下是:AuthorizationHandlerContext的源碼
// Microsoft.AspNetCore.Authorization.AuthorizationHandlerContext
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
public class AuthorizationHandlerContext
{
private HashSet<IAuthorizationRequirement> _pendingRequirements;
private bool _failCalled;
private bool _succeedCalled;
public virtual IEnumerable<IAuthorizationRequirement> Requirements
{
get;
}
public virtual ClaimsPrincipal User
{
get;
}
public virtual object Resource
{
get;
}
public virtual IEnumerable<IAuthorizationRequirement> PendingRequirements => _pendingRequirements;
public virtual bool HasFailed => _failCalled;
public virtual bool HasSucceeded
{
get
{
if (!_failCalled && _succeedCalled)
{
return !PendingRequirements.Any();
}
return false;
}
}
public AuthorizationHandlerContext(IEnumerable<IAuthorizationRequirement> requirements, ClaimsPrincipal user, object resource)
{
if (requirements == null)
{
throw new ArgumentNullException("requirements");
}
Requirements = requirements;
User = user;
Resource = resource;
_pendingRequirements = new HashSet<IAuthorizationRequirement>(requirements);
}
//如果調用了此方法,那么直接進入授權失敗流程了,也就是顯式告訴應用授權失敗了。
public virtual void Fail()
{
_failCalled = true;
}
//某個Requirement驗證成功,那么將會調用該方法,并從未驗證的Requirements列表中移除。
public virtual void Succeed(IAuthorizationRequirement requirement)
{
_succeedCalled = true;
_pendingRequirements.Remove(requirement);
}
}
以下是:PassThroughAuthorizationHandler的源碼,邏輯比較簡單,就是讀取Requirements中所有實現了IAuthorizationHandler接口的Requirement類,并調用HandleAsync方法,這就是為什么我們在[Authrize(Roles="admin")]特性中指定角色列表的時候,并在 AuthorizationPolicy.CombineAsync 中被動態合并到策略對象中后,能被執行的原因,Roles屬性指定的角色列表最終會被動態轉換成:RolesAuthorizationRequirement,并將這個Requirement合并到最終的策略中去,微軟 Microsoft.AspNetCore.Authorization.Infrastructure 命名空間下提供了 ClaimsAuthorizationRequirement 、DenyAnonymousAuthorizationRequirement 等Requirement類,其中 DenyAnonymousAuthorizationRequirement 就是默認策略所包含的Requirement,也就是要求用戶必須登錄進行身份認證后才能進行訪問,如果被訪問的資源未指定授權策略的情況下。
// Microsoft.AspNetCore.Authorization.Infrastructure.PassThroughAuthorizationHandler
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
public class PassThroughAuthorizationHandler : IAuthorizationHandler
{
public async Task HandleAsync(AuthorizationHandlerContext context)
{
foreach (IAuthorizationHandler item in context.Requirements.OfType<IAuthorizationHandler>())
{
await item.HandleAsync(context);
}
}
}
以下是RolesRequirement類的源碼,表示用戶必須屬于指定角色才能進行訪問特定資源,HandleRequirementAsync被AuthorizationHandler抽象基類中的HandleAsync方法調用,基類中的HandleAsync則是找出訪問授權策略中所有屬于該類型的Requirement,然后分別調用其 HandleRequirementAsync方法。
// Microsoft.AspNetCore.Authorization.Infrastructure.RolesAuthorizationRequirement
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
public class RolesAuthorizationRequirement : AuthorizationHandler<RolesAuthorizationRequirement>, IAuthorizationRequirement
{
public IEnumerable<string> AllowedRoles
{
get;
}
public RolesAuthorizationRequirement(IEnumerable<string> allowedRoles)
{
if (allowedRoles == null)
{
throw new ArgumentNullException("allowedRoles");
}
if (allowedRoles.Count() == 0)
{
throw new InvalidOperationException(Resources.Exception_RoleRequirementEmpty);
}
AllowedRoles = allowedRoles;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RolesAuthorizationRequirement requirement)
{
if (context.User != null)
{
bool flag = false;
if (requirement.AllowedRoles != null && requirement.AllowedRoles.Any())
{
flag = requirement.AllowedRoles.Any((string r) => context.User.IsInRole(r));
}
if (flag)
{
context.Succeed(requirement);
}
}
return Task.CompletedTask;
}
}
以下是應用開啟授權流程的一個示例:
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
//啟用認證流程。
app.UseAuthentication();
//啟用授權流程
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
//RequireAuthorization表示所有Controller都需要登錄后才能訪問。
endpoints.MapDefaultControllerRoute().RequireAuthorization();
});
}
總結來說,授權流程首先就是 讀取 Controller 或者 Action 上指定的一個或者多個 [Authorize] 特性,并把這些特性指定的授權策略中所包含的Requirement類(實現了IAuthorizationRequirement接口的類)統一合并到一個策略對象中去,對于未指定具體策略的[Authorize]特性,則采用默認的授權策略(要求用戶必須登錄認證),同時也把這些特性中指定的認證方案進行統一合并到一個策略對象中去,然后對當前用戶對合并后的策略中所包含的認證方案一一進行身份認證,并將身份認證結果進行一一合并,然后就是對合并后的授權策略中的Requirement一一進行檢查,如果全部授權通過,并且沒有顯式調用授權失敗的方法,則授權成功。
到此這篇關于asp.net core授權流程的文章就介紹到這了。希望對大家的學習有所幫助,也希望大家多多支持。
標簽:
ASP.NET
相關文章:
排行榜
網公網安備