daohualiuxiang
/
AspNetCore.Docs
mirror of https://github.com/dotnet/AspNetCore.Docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Link sample at top of auth policy povider topic (#8119)

pull/8120/head
Luke Latham 2018-08-16 09:06:10 -05:00 committed by GitHub
parent 34858c3af3
commit 1144b57b11
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
aspnetcore/security/authorization/iauthorizationpolicyprovider.md
View File

@ -19,16 +19,19 @@ Examples of scenarios where a custom [IAuthorizationPolicyProvider](/dotnet/api/
* Using a large range of policies (for different room numbers or ages, for example), so it doesnt make sense to add each individual authorization policy with an `AuthorizationOptions.AddPolicy` call. * Using a large range of policies (for different room numbers or ages, for example), so it doesnt make sense to add each individual authorization policy with an `AuthorizationOptions.AddPolicy` call.
* Creating policies at runtime based on information in an external data source (like a database) or determining authorization requirements dynamically through another mechanism. * Creating policies at runtime based on information in an external data source (like a database) or determining authorization requirements dynamically through another mechanism.
## Customizing policy retrieval [View or download sample code](https://github.com/aspnet/AuthSamples/tree/master/samples/CustomPolicyProvider) from the [aspnet/AuthSamples GitHub repository](https://github.com/aspnet/AuthSamples). Download the aspnet/AuthSamples repository ZIP file.
Unzip the *AuthSamples-master.zip* file. Navigate to the *samples/CustomPolicyProvider* project folder.
ASP.NET Core apps use an implementation of the `IAuthorizationPolicyProvider` interface to retrieve authorization policies. By default, [DefaultAuthorizationPolicyProvider](https://docs.microsoft.com/dotnet/api/microsoft.aspnetcore.authorization.defaultauthorizationpolicyprovider) is registered and used. `DefaultAuthorizationPolicyProvider` returns policies from the `AuthorizationOptions` provided in an `IServiceCollection.AddAuthorization` call. ## Customize policy retrieval
ASP.NET Core apps use an implementation of the `IAuthorizationPolicyProvider` interface to retrieve authorization policies. By default, [DefaultAuthorizationPolicyProvider](/dotnet/api/microsoft.aspnetcore.authorization.defaultauthorizationpolicyprovider) is registered and used. `DefaultAuthorizationPolicyProvider` returns policies from the `AuthorizationOptions` provided in an `IServiceCollection.AddAuthorization` call.
You can customize this behavior by registering a different `IAuthorizationPolicyProvider` implementation in the apps [dependency injection](xref:fundamentals/dependency-injection) container. You can customize this behavior by registering a different `IAuthorizationPolicyProvider` implementation in the apps [dependency injection](xref:fundamentals/dependency-injection) container.
The `IAuthorizationPolicyProvider` interface contains two APIs: The `IAuthorizationPolicyProvider` interface contains two APIs:
* [GetPolicyAsync](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authorization.iauthorizationpolicyprovider.getpolicyasync?view=aspnetcore-2.0#Microsoft_AspNetCore_Authorization_IAuthorizationPolicyProvider_GetPolicyAsync_System_String_) returns an authorization policy for a given name. * [GetPolicyAsync](/dotnet/api/microsoft.aspnetcore.authorization.iauthorizationpolicyprovider.getpolicyasync#Microsoft_AspNetCore_Authorization_IAuthorizationPolicyProvider_GetPolicyAsync_System_String_) returns an authorization policy for a given name.
* [GetDefaultPolicyAsync](https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authorization.iauthorizationpolicyprovider.getdefaultpolicyasync?view=aspnetcore-2.0) returns the default authorization policy (the policy used for `[Authorize]` attributes without a policy specified). * [GetDefaultPolicyAsync](/dotnet/api/microsoft.aspnetcore.authorization.iauthorizationpolicyprovider.getdefaultpolicyasync) returns the default authorization policy (the policy used for `[Authorize]` attributes without a policy specified).
By implementing these two APIs, you can customize how authorization policies are provided. By implementing these two APIs, you can customize how authorization policies are provided.
@ -41,7 +44,7 @@ One scenario where `IAuthorizationPolicyProvider` is useful is enabling custom `
Authorization policies are identified by their names. The custom `MinimumAgeAuthorizeAttribute` described previously needs to map arguments into a string that can be used to retrieve the corresponding authorization policy. You can do this by deriving from `AuthorizeAttribute` and making the `Age` property wrap the Authorization policies are identified by their names. The custom `MinimumAgeAuthorizeAttribute` described previously needs to map arguments into a string that can be used to retrieve the corresponding authorization policy. You can do this by deriving from `AuthorizeAttribute` and making the `Age` property wrap the
`AuthorizeAttribute.Policy` property. `AuthorizeAttribute.Policy` property.
```CSharp ```csharp
internal class MinimumAgeAuthorizeAttribute : AuthorizeAttribute internal class MinimumAgeAuthorizeAttribute : AuthorizeAttribute
{ {
const string POLICY_PREFIX = "MinimumAge"; const string POLICY_PREFIX = "MinimumAge";
@ -71,7 +74,7 @@ This attribute type has a `Policy` string based on the hard-coded prefix (`"Mini
You can apply it to actions in the same way as other `Authorize` attributes except that it takes an integer as a parameter. You can apply it to actions in the same way as other `Authorize` attributes except that it takes an integer as a parameter.
```CSharp ```csharp
[MinimumAgeAuthorize(10)] [MinimumAgeAuthorize(10)]
public IActionResult RequiresMinimumAge10() public IActionResult RequiresMinimumAge10()
``` ```
@ -86,7 +89,7 @@ When using `MinimumAgeAuthorizationAttribute`, the authorization policy names wi
* Using `AuthorizationPolicyBuilder` to create a new `AuthorizationPolicy` * Using `AuthorizationPolicyBuilder` to create a new `AuthorizationPolicy`
* Adding requirements to the policy based on the age with `AuthorizationPolicyBuilder.AddRequirements`. In other scenarios, you might use `RequireClaim`, `RequireRole`, or `RequireUserName` instead. * Adding requirements to the policy based on the age with `AuthorizationPolicyBuilder.AddRequirements`. In other scenarios, you might use `RequireClaim`, `RequireRole`, or `RequireUserName` instead.
```CSharp ```csharp
internal class MinimumAgePolicyProvider : IAuthorizationPolicyProvider internal class MinimumAgePolicyProvider : IAuthorizationPolicyProvider
{ {
const string POLICY_PREFIX = "MinimumAge"; const string POLICY_PREFIX = "MinimumAge";
@ -125,7 +128,7 @@ In addition to providing named authorization policies, a custom `IAuthorizationP
In many cases, this authorization attribute only requires an authenticated user, so you can make the necessary policy with a call to `RequireAuthenticatedUser`: In many cases, this authorization attribute only requires an authenticated user, so you can make the necessary policy with a call to `RequireAuthenticatedUser`:
```CSharp ```csharp
public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => public Task<AuthorizationPolicy> GetDefaultPolicyAsync() =>
Task.FromResult(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build()); Task.FromResult(new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
``` ```
@ -135,14 +138,14 @@ As with all aspects of a custom `IAuthorizationPolicyProvider`, you can customiz
* Default authorization policies might not be used. * Default authorization policies might not be used.
* Retrieving the default policy can be delegated to a fallback `IAuthorizationPolicyProvider`. * Retrieving the default policy can be delegated to a fallback `IAuthorizationPolicyProvider`.
## Using a Custom IAuthorizationPolicyProvider ## Use a custom IAuthorizationPolicyProvider
To use custom policies from an `IAuthorizationPolicyProvider`, you must: To use custom policies from an `IAuthorizationPolicyProvider`, you must:
* Register the appropriate `AuthorizationHandler` types with dependency injection (described in [policy-based authorization](xref:security/authorization/policies#authorization-handlers)), as with all policy-based authorization scenarios. * Register the appropriate `AuthorizationHandler` types with dependency injection (described in [policy-based authorization](xref:security/authorization/policies#authorization-handlers)), as with all policy-based authorization scenarios.
* Register the custom `IAuthorizationPolicyProvider` type in the app's dependency injection service collection (in `Startup.ConfigureServices`) to replace the default policy provider. * Register the custom `IAuthorizationPolicyProvider` type in the app's dependency injection service collection (in `Startup.ConfigureServices`) to replace the default policy provider.
```CSharp ```csharp
services.AddTransient<IAuthorizationPolicyProvider, MinimumAgePolicyProvider>(); services.AddTransient<IAuthorizationPolicyProvider, MinimumAgePolicyProvider>();
``` ```