Role based Authorization¶ 基于角色的授权
When an identity is created it may belong to one or more roles, for example Tracy may belong to the Administrator and User roles whilst Scott may only belong to the user role. How these roles are created and managed depends on the backing store of the authorization process. Roles are exposed to the developer through the IsInRole property on the ClaimsPrincipal class.
新建的身份可以属于一个或多个角色,例如,Tracy可属于Administrator和User角色,Whilst Scott可仅属于User角色。如何新建和管理这些角色依靠授权过程是如何存储的。通过ClaimsPrincipal类的IsInRole方法向开发者提供了角色的使用方法。
Adding role checks¶ 添加角色验证
Role based authorization checks are declarative - the developer embeds them within their code, against a controller or an action within a controller, specifying roles which the current user must be a member of to access the requested resource.
基于角色的验证是基于声明的,开发者将其嵌入到代码中,对一个控制器或其中的方法指定角色,指定一个请求中的用户必须满足相应的成员要求。
For example the following code would limit access to any actions on the AdministrationController
to users who are a member of the Administrator
group.
例如下列代码将限制AdministrationController 中的任何一个方法,必须是Administrator 组的成员才可以使用。
[Authorize(Roles = "Administrator")] public class AdministrationController : Controller { }
You can specify multiple roles as a comma separated list;
你可将多个指定的角色到一个逗号分割的列表中:
[Authorize(Roles = "HRManager,Finance")] public class SalaryController : Controller { }
This controller would be only accessible by users who are members of the HRManager
role or the Finance
role.
该控制器将仅能被HRManager 角色或 Finance
角色的成员访问。
If you apply multiple attributes then an accessing user must be a member of all the roles specified; the following sample requires that a user must be a member of both the PowerUser
and ControlPanelUser
role.
如果你使用了多个属性,则访问用户必须属于所有角色的成员;下面的例子需要一个用户必须同时是PowerUser和ControlPanelUser角色的成员。
[Authorize(Roles = "PowerUser")] [Authorize(Roles = "ControlPanelUser")] public class ControlPanelController : Controller { }
You can further limit access by applying additional role authorization attributes at the action level;
你可在方法层级上使用附加的角色授权属性来应用更多的使用限制;
[Authorize(Roles = "Administrator, PowerUser")] public class ControlPanelController : Controller { public ActionResult SetTime() { } [Authorize(Roles = "Administrator")] public ActionResult ShutDown() { } }
In the previous code snippet members of the Administrator
role or the PowerUser
role can access the controller and the SetTime
action, but only members of the Administrator
role can access the ShutDown
action.
在前面的代码片段中,Administrator角色或者PowerUser角色的成员可使用该控制器和SetTime方法,但是仅有Administrator角色的成员可以使用ShutDown方法。
You can also lock down a controller but allow anonymous, unauthenticated access to individual actions.
你也可封锁一个控制器,但允许匿名用户非授权地使用单独的方法。
[Authorize] public class ControlPanelController : Controller { public ActionResult SetTime() { } [AllowAnonymous] public ActionResult Login() { } }
Policy based role checks¶ 基于策略的角色检查
Role requirements can also be expressed using the new Policy syntax, where a developer registers a policy at startup as part of the Authorization service configuration. This normally takes part in ConfigureServices()
in your Startup.cs file.
对角色的要求也可通过使用新的策略语法来实现,开发者在startup中将一个策略注册为授权服务配置的一个部分。这通常加入到Sartup.cs文件的ConfigureServices()中。
public void ConfigureServices(IServiceCollection services) { services.AddMvc(); services.AddAuthorization(options => { options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator")); }); }
Policies are applied using the Policy
property on the AuthorizeAttribute
attribute;
通过在AuthorizeAttribute属性上使用Policy属性实现策略。
[Authorize(Policy = "RequireAdministratorRole")] public IActionResult Shutdown() { return View(); }
If you want to specify multiple allowed roles in a requirement then you can specify them as parameters to the RequireRole
method;
如果你想在一个请求中指定多个角色,你可将其指定为RequireRole方法的多个参数:
options.AddPolicy("ElevatedRights", policy => policy.RequireRole("Administrator", "PowerUser", "BackupAdministrator"));
This example authorizes users who belong to the Administrator
, PowerUser
or BackupAdministrator
roles.
这个例子中的授权用户将属于Administrator,
PowerUser或者
BackupAdministrator
角色。