【ASP.NET Core】运行原理(4):受权
本系列将分析ASP.NET Core运行原理html
- 【ASP.NET Core】运行原理(1):建立WebHost
- 【ASP.NET Core】运行原理(2):启动WebHost
- 【ASP.NET Core】运行原理(3):认证
- 【ASP.NET Core】运行原理(4):受权
在认证阶段经过用户令牌获取到用户的Claims,而受权就是对这些Claims的验证。c#
目录
- 受权核心
- AuthorizationOptions
- AuthorizationPolicy
- AuthorizationPolicyBuilder
- 执行受权
- AuthorizeFilter
- IPolicyEvaluator
- IAuthorizationService
- 总结
受权核心
services.AddAuthorization(opt => opt.AddPolicy("isAdmin", builder => builder.RequireUserName("admin")));
经过上面的代码,能够添加一个isAdmin的受权。async
对于第一个参数opt:ide
public class AuthorizationOptions
{
private IDictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>();
public void AddPolicy(string name, AuthorizationPolicy policy)
{
PolicyMap[name] = policy;
}
public void AddPolicy(string name, Action<AuthorizationPolicyBuilder> configurePolicy)
{
var policyBuilder = new AuthorizationPolicyBuilder();
configurePolicy(policyBuilder);
AddPolicy(name,policyBuilder.Build());
}
public AuthorizationPolicy GetPolicy(string name)
{
return PolicyMap.ContainsKey(name) ? PolicyMap[name] : null;
}
}
实际上,AuthorizationOptions至关于AuthorizationPolicy的集合
而AuthorizationPolicy则是一个具体的受权策略对象优化
public class AuthorizationPolicy
{
public IReadOnlyList<IAuthorizationRequirement> Requirements { get; }
public IReadOnlyList<string> AuthenticationSchemes { get; }
}
而AuthorizationPolicyBuilder经过Build方法能够构建一个AuthorizationPolicy,其内部有不少经常使用的添加IAuthorizationRequirement的方法:ui
public AuthorizationPolicy Build()
{
return new AuthorizationPolicy(this.Requirements, this.AuthenticationSchemes);
}
public AuthorizationPolicyBuilder RequireUserName(string userName)
{
this.Requirements.Add(new NameAuthorizationRequirement(userName));
}
... Require() ...
IAuthorizationRequirement是受权策略AuthorizationPolicy的一个受权条件,策略下的全部受权条件知足,则受权成功。this
public interface IAuthorizationRequirement
{
}
public class NameAuthorizationRequirement : IAuthorizationRequirement
{
public string RequiredName { get; }
}
IAuthorizationHandler是受权条件IAuthorizationRequirement的具体处理器,受权条件下的任意1个处理器受权成功,则受权成功。(默认状况下:AuthorizationOptions的InvokeHandlersAfterFailure = true)lua
public interface IAuthorizationHandler
{
Task HandleAsync(AuthorizationHandlerContext context);
}
public abstract class AuthorizationHandler<TRequirement> : IAuthorizationHandler where TRequirement : IAuthorizationRequirement
{
public virtual async Task HandleAsync(AuthorizationHandlerContext context)
{
foreach (TRequirement requirement in context.Requirements)
await HandleRequirementAsync(context, requirement);
}
protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement);
}
public class NameAuthorizationRequirement : AuthorizationHandler<NameAuthorizationRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, NameAuthorizationRequirement requirement)
{
if (context.User?.Identities.Any(identity => identity.Name == requirement.RequiredName))
context.Succeed((IAuthorizationRequirement) requirement);
return Task.CompletedTask;
}
}
受权的最终实现代码在IAuthorizationHandlercode
执行受权
解释了受权策略的原理,再谈谈受权策略的触发。一般咱们在MVC中使用受权功能,而触发受权也是在注册MVC代码中,一并注册了。htm
public static IMvcBuilder AddMvc(this IServiceCollection services)
{
IMvcCoreBuilder builder = services.AddMvcCore();
builder.AddAuthorization();
}
internal static void AddAuthorizationServices(IServiceCollection services)
{
services.AddAuthenticationCore();
services.AddAuthorization();
services.AddAuthorizationPolicyEvaluator();
services.TryAddEnumerable(ServiceDescriptor.Transient<IApplicationModelProvider, AuthorizationApplicationModelProvider>());
}
在MVC中,ApplicationModel用来描述MVC中的模型,而IApplicationModelProvider则是初始化MVC的模型:
public class ApplicationModel
{
public IList<ControllerModel> Controllers { get; }
public IList<IFilterMetadata> Filters { get; }
}
public interface IApplicationModelProvider
{
int Order { get; }
void OnProvidersExecuting(ApplicationModelProviderContext context);
void OnProvidersExecuted(ApplicationModelProviderContext context);
}
其中AuthorizationApplicationModelProvider会初始化ApplicationModel的受权部分,注册到Filters属性上(AuthorizeFilter 和 AllowAnonymousFilter)。
public interface IAsyncAuthorizationFilter : IFilterMetadata
{
Task OnAuthorizationAsync(AuthorizationFilterContext context);
}
public class AuthorizeFilter : IAsyncAuthorizationFilter
{
public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
var policyEvaluator = GetRequiredService<IPolicyEvaluator>();
var authenticationResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);
var authorizationResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticationResult, context.HttpContext, context);
if (authorizationResult.Challenged)
{
context.Result = (IActionResult) new ChallengeResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>());
}
else if (authorizationResult.Forbidden)
{
context.Result = (IActionResult) new ForbidResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>());
}
}
}
AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行
public interface IPolicyEvaluator
{
Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context);
Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource);
}
public class PolicyEvaluator : IPolicyEvaluator
{
private readonly IAuthorizationService _authorization;
public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
{
}
public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
{
var result = await _authorization.AuthorizeAsync(context.User, resource, policy);
if (result.Succeeded) return PolicyAuthorizationResult.Success();
return (authenticationResult.Succeeded) ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge();
}
}
在AuthenticateAsync方法中,将合并policy的全部scheme认证结果。
在AuthorizeAsync方法中,将调用IAuthorizationService来实现受权。
public interface IAuthorizationService
{
Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements);
Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName);
}
public class DefaultAuthorizationService : IAuthorizationService
{
public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName)
{
var policy = await _policyProvider.GetPolicyAsync(policyName);
return await this.AuthorizeAsync(user, resource, policy);
}
public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements)
{
var authContext = _contextFactory.CreateContext(requirements, user, resource);
var handlers = await _handlers.GetHandlersAsync(authContext);
foreach (var handler in handlers)
{
await handler.HandleAsync(authContext);
if (!_options.InvokeHandlersAfterFailure && authContext.HasFailed)
break;
}
return _evaluator.Evaluate(authContext);
}
}
在IAuthorizationService类中,将调用policy的全部Requirement的Handle处理
总结
受权核心:AuthorizationOptions、AuthorizationPolicy、AuthorizationPolicyBuilder
AuthorizationOptions 用于保存 AuthorizationPolicy
AuthorizationPolicyBuilder 用于建立 AuthorizationPolicy
AuthorizationPolicy 包含 IAuthorizationRequirement 和 AuthenticationSchemes
IAuthorizationRequirement 包含受权逻辑 IAuthorizationHandler
执行受权:AuthorizeFilter、IPolicyEvaluator、IAuthorizationService
AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行
IPolicyEvaluator 先根据 Schemes 获取Claims,而后调用 IAuthorizationService 的受权方法
IAuthorizationService 调用 Requirement 对应的Handle受权逻辑
我的以为源码的一个待优化的地方:在DefaultAuthorizationHandlerProvider的GetHandlersAsync方法按需返回IAuthorizationHandler更合适。
- 1. ASP.NET Core Identity 实战(4)受权过程
- 2. ASP.NET Core策略受权和 ABP 受权
- 3. ASP.NET Core 运行原理剖析
- 4. 【ASP.NET Core】运行原理(2):启动WebHost
- 5. 【ASP.NET Core】运行原理(3):认证
- 6. 【ASP.NET Core】运行原理(1):建立WebHost
- 7. asp.net core策略受权
- 8. Asp.Net Core 中IdentityServer4 受权原理及刷新Token的应用
- 9. asp.net 运行原理
- 10. 【原创】 Docker 中 运行 ASP.NET Core 站点
- 更多相关文章...
- • Eclipse 运行程序 - Eclipse 教程
- • MyBatis的工作原理 - MyBatis教程
- • ☆技术问答集锦(13)Java Instrument原理
- • Java Agent入门实战(三)-JVM Attach原理与使用
-
每一个你不满意的现在,都有一个你没有努力的曾经。
- 1. ASP.NET Core Identity 实战(4)受权过程
- 2. ASP.NET Core策略受权和 ABP 受权
- 3. ASP.NET Core 运行原理剖析
- 4. 【ASP.NET Core】运行原理(2):启动WebHost
- 5. 【ASP.NET Core】运行原理(3):认证
- 6. 【ASP.NET Core】运行原理(1):建立WebHost
- 7. asp.net core策略受权
- 8. Asp.Net Core 中IdentityServer4 受权原理及刷新Token的应用
- 9. asp.net 运行原理
- 10. 【原创】 Docker 中 运行 ASP.NET Core 站点