ASP.NET Core 3中的自定义授权

您有一个Web API，并且想要实现自己的授权逻辑，该怎么做？您需要做四件事。

1. 创建您的自定义授权属性

2. 在控制器上使用自定义授权属性

3. 在自定义请求管道中间件中创建授权逻辑

4. 启动时注册中间件

创建您的自定义授权属性

 1 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
 2 public class CustomAuthorizeAttribute : Attribute
 3 {
 4     public string[] AllowedUserRoles { get; private set; }
 5  
 6     public CustomAuthorizeAttribute(params string[] allowedUserRoles)
 7     {
 8         this.AllowedUserRoles = allowedUserRoles;
 9     }
10 }

在控制器上使用自定义授权属性

 1 [ApiController]
 2 [Route("[controller]")]
 3 public class WeatherForecastController : ControllerBase
 4 {
 5  
 6     [HttpGet]
 7     [CustomAuthorize("Admin", "Supervisor", "Worker")]
 8     public string Get()
 9     {
10         return "Sunny";
11     }
12 }

在自定义请求管道中间件中创建授权逻辑

 1 public static class CustomAuthorizationMiddleware
 2 {
 3     public static async Task Authorize(HttpContext httpContext, Func next)
 4     {
 5         var endpointMetaData = httpContext.GetEndpoint().Metadata;
 6  
 7         bool hasCustomAuthorizeAttribute = endpointMetaData.Any(x => x is CustomAuthorizeAttribute);
 8  
 9         if (!hasCustomAuthorizeAttribute)
10         {
11             await next.Invoke();
12             return;
13         }
14  
15         CustomAuthorizeAttribute customAuthorizeAttribute = endpointMetaData
16                 .FirstOrDefault(x => x is CustomAuthorizeAttribute) as CustomAuthorizeAttribute;
17  
18         // TODO: change authorization logic
19         bool isAuthorized = customAuthorizeAttribute.AllowedUserRoles
20             .Any(allowedRole => httpContext.User.IsInRole(allowedRole));
21  
22         if (isAuthorized)
23         {
24             await next.Invoke();
25             return;
26         }
27  
28         httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
29         await httpContext.Response.WriteAsync("unauthorized");
30     }
31 }

启动时注册中间件

 1 public class Startup
 2 {
 3     public Startup(IConfiguration configuration)
 4     {
 5         Configuration = configuration;
 6     }
 7  
 8     public IConfiguration Configuration { get; }
 9  
10     // This method gets called by the runtime. Use this method to add services to the container.
11     public void ConfigureServices(IServiceCollection services)
12     {
13         services.AddControllers();
14     }
15  
16     // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
17     public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
18     {
19         if (env.IsDevelopment())
20         {
21             app.UseDeveloperExceptionPage();
22         }
23  
24         app.UseHttpsRedirection();
25  
26         app.UseRouting();
27  
28         app.Use(CustomAuthorizationMiddleware.Authorize);
29  
30         app.UseEndpoints(endpoints =>
31         {
32             endpoints.MapControllers();
33         });
34     }
35 }

确保在调用app.UseRouting（）之后添加中间件。这样可以确保在将路由 信息添加到HttpContext 后执行您的中间件。