Resource based ASP.NET Authorization FormsAuthentication and WebApi

烂漫一生 提交于 2021-02-19 08:01:28

问题


Using webapi with formsauthentication (i know may sound weird, but it exactly what I need).

I have a route like :

[Route("{application}/orders}"]
public IHttpActionResult Get(string application) {
   var orders = OrderService.GetOrders(application); // return list of orders of applicaiton.
   return Ok(orders);
}

Example scenario : User John has permission to see orders for application "CoolApp" User Leia has permission to see orders for application "Robin" user Tristan doesn't have permission to see orders.

On the DB is like a Role - Resource relationship. UserRole:

User    -      Role     - Application
=====================================
John    - OrdersManager - CoolApp
Leia    - OrdersManager - Robin
Tristan - OtherRole     - Robin

I want that route to check if the user has permission to get orders of that specific application.

I read this: Resource based authorization in .net and looks promising.

First thing is I'm not sure if I should extend using AuthorizeAttribute, AuthorizationFilterAttribute or IAuthorizationFilter as briefly explained here http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api unfortunately, is not of much information.

Second I read that binding happens AFTER the authorization so I don't know how to get the values from the RouteData since I have the {application} defined on the route data I guess I should be able to access it. There are few examples for MVC, but was not able to get one for web api and with object like request and context all over the actionContext object I'm not sure where to get it and how in a proper way.

And last but not least, what method of the chosen extension point(s) should I override. If it have both async and sync, should I override both ?

BONUS: Since the authorize will have a dependency on my repository, would be great to know how to inject that into the filter if that's even possible. (I'm not using any IoC container).


回答1:


Overriding AuthorizationFilterAttribute would probably be the better route. What you'd want to do is pass the attributes you want to check for:

 public class MyAuthorizeAttribute : AuthorizeAttribute
 {
     string role;
     string application

     public MyAuthorizeAttribute (string role, string application){ 
        this. role = roles;
        this.application = application;
     }

     protected override bool IsAuthorized(HttpActionContext actionContext)  {
           var routeData = actionContext.ControllerContext.RouteData;
           //do your checks
     }
 }

you can get access to routedata from the HttpActionContext in the IsAuthorized method. Now you can attach the attribute to your ApiController or Action Method.

I'd suggest using an IoC container is you want to do DI with an Web API ActionFilter



来源:https://stackoverflow.com/questions/24876727/resource-based-asp-net-authorization-formsauthentication-and-webapi

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!