AspNet5 - Windows 身份验证从声明中获取组名
AspNet5 - Windows Authentication Get Group Name From Claims
我有一个 asp.net5 项目设置来使用 windows 身份验证。当我设置断点并查看用户时,我看到有一个包含组 SID 的声明数组。如何从声明中获取实际组名?
我正在尝试限制 windows 登录用户使用他们所属的活动目录组,并且正在努力设置它。
问题:
如何查看登录用户所属的活动目录组?
如何将 GroupSID 转换为组名?
我是否需要在 startup.cs 中包含任何内容以限制某些组只能调用 REST 服务?
我看到了根据登录用户手动设置声明的示例。我有兴趣使用 Windows 经过身份验证的用户及其组来限制访问。
谢谢
你不知道。不幸的是,这不是 Windows 身份验证的工作方式。您只能检查用户是否处于角色中(并且有相应的策略要求),而不能枚举他们所处的角色 - 这需要目录服务并且尚未移植到核心。
(需要注意的一件事是,错误,User.IsInRole() 现在对于 Windows 身份已损坏。这将在 RC2 中修复)
实际上您仍然可以使用以下方法获取群组名称:
var test = new System.Security.Principal.SecurityIdentifier("S-1-5-21-3290390516-4063083420-3538132138-1146").Translate(typeof(System.Security.Principal.NTAccount)).ToString();
例如:
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);
_logger.LogInformation($"Got {roles.Count()} roles");
foreach (var role in roles)
{
var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
_logger.LogInformation($"Got role {name}");
}
输出:
(namespace).Authorization.Handlers.SiteHandler: Information: Got 18 roles
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\Domain Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role Everyone
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Backend
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Dashboards
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Performance Log Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\INTERACTIVE
(namespace).Authorization.Handlers.SiteHandler: Information: Got role CONSOLE LOGON
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\Authenticated Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\This Organization
(namespace).Authorization.Handlers.SiteHandler: Information: Got role LOCAL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_BE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)Developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_TEST
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DB_ALL
请注意,填充域角色可能需要一两秒钟。
另一种选择(类似于@JosephGarrone 的解决方案):
private string[] GetGroups1()
{
var groups = new List<string>();
var wi = (WindowsIdentity)User.Identity;
if (wi.Groups != null)
foreach (var group in wi.Groups)
{
try
{
groups.Add(group.Translate(typeof(NTAccount)).ToString());
} catch (Exception) {
// ignored
}
}
groups.Sort(); // optional
return groups.ToArray();
}
只添加一个答案来帮助澄清投票最多的答案中的某些内容,因为我没有足够的代表来添加评论。
该答案没有打印出实际的 AD 组名称。在 foreach 循环中将 role 替换为 name 将打印出 AD 组的名称。
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);
_logger.LogInformation($"Got {roles.Count()} roles");
foreach (var role in roles)
{
var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
_logger.LogInformation($"Got role {name}");
}
我有一个 asp.net5 项目设置来使用 windows 身份验证。当我设置断点并查看用户时,我看到有一个包含组 SID 的声明数组。如何从声明中获取实际组名?
我正在尝试限制 windows 登录用户使用他们所属的活动目录组,并且正在努力设置它。
问题: 如何查看登录用户所属的活动目录组? 如何将 GroupSID 转换为组名? 我是否需要在 startup.cs 中包含任何内容以限制某些组只能调用 REST 服务?
我看到了根据登录用户手动设置声明的示例。我有兴趣使用 Windows 经过身份验证的用户及其组来限制访问。
谢谢
你不知道。不幸的是,这不是 Windows 身份验证的工作方式。您只能检查用户是否处于角色中(并且有相应的策略要求),而不能枚举他们所处的角色 - 这需要目录服务并且尚未移植到核心。
(需要注意的一件事是,错误,User.IsInRole() 现在对于 Windows 身份已损坏。这将在 RC2 中修复)
实际上您仍然可以使用以下方法获取群组名称:
var test = new System.Security.Principal.SecurityIdentifier("S-1-5-21-3290390516-4063083420-3538132138-1146").Translate(typeof(System.Security.Principal.NTAccount)).ToString();
例如:
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);
_logger.LogInformation($"Got {roles.Count()} roles");
foreach (var role in roles)
{
var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
_logger.LogInformation($"Got role {name}");
}
输出:
(namespace).Authorization.Handlers.SiteHandler: Information: Got 18 roles
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\Domain Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role Everyone
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Backend
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted) Dashboards
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Performance Log Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role BUILTIN\Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\INTERACTIVE
(namespace).Authorization.Handlers.SiteHandler: Information: Got role CONSOLE LOGON
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\Authenticated Users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role NT AUTHORITY\This Organization
(namespace).Authorization.Handlers.SiteHandler: Information: Got role LOCAL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-users
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\jira-developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_BE_ALL
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)Developers
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_TEST
(namespace).Authorization.Handlers.SiteHandler: Information: Got role (redacted)\(redacted)_PDMS_DB_ALL
请注意,填充域角色可能需要一两秒钟。
另一种选择(类似于@JosephGarrone 的解决方案):
private string[] GetGroups1()
{
var groups = new List<string>();
var wi = (WindowsIdentity)User.Identity;
if (wi.Groups != null)
foreach (var group in wi.Groups)
{
try
{
groups.Add(group.Translate(typeof(NTAccount)).ToString());
} catch (Exception) {
// ignored
}
}
groups.Sort(); // optional
return groups.ToArray();
}
只添加一个答案来帮助澄清投票最多的答案中的某些内容,因为我没有足够的代表来添加评论。
该答案没有打印出实际的 AD 组名称。在 foreach 循环中将 role 替换为 name 将打印出 AD 组的名称。
var roles = ((ClaimsIdentity)_context.User.Identity).Claims.Where(q => q.Type == ClaimTypes.GroupSid).Select(q => q.Value);
_logger.LogInformation($"Got {roles.Count()} roles");
foreach (var role in roles)
{
var name = new System.Security.Principal.SecurityIdentifier(role).Translate(typeof(System.Security.Principal.NTAccount)).ToString();
_logger.LogInformation($"Got role {name}");
}