Authorize-only controller allows anonymous access in .NET Core

I have set up Identity in a .NET Core web application and marked a controller as authorized like this..

[Authorize(Roles = "Partner")]
public class ClaimsController : Controller
{
    [Authorize(Roles = "Partner")]
    public IActionResult Index()
    {
        var authenticated = User.Identity.IsAuthenticated;
        //authenticated is false - but this view still loads?!
        return View();
    }
}

So only users in the Partner role should have access. But someone who is not logged in at all can load and view the Index view on the Claims controller. I could check whether someone is logged in and check the user's role explicitly with the UserManager, but surely these attributes should be doing something?

Does startup.cs in Core 3 need something extra? This is my startup.cs file..

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config)
    {
        _config = config;
    }

    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        var connstring = _config.GetConnectionString("HP_RBS_Database");

        //we can create our own role and derive from IdentityRole
        services.AddIdentity<UserLogin, IdentityRole>(x =>
        {
            x.User.RequireUniqueEmail = true;
            //set password rules in here..
        })  //specify where we store identity data
        .AddEntityFrameworkStores<HP_RBS_Context>();

        services.AddMvc();
        services.AddRazorPages();
        services.AddControllersWithViews().AddRazorRuntimeCompilation();
        services.AddDbContext<HP_RBS_Context>(x =>
            {
                x.UseSqlServer(connstring);
            });

        services.AddTransient<HPPartnerPortalSeeder>();
        services.AddScoped<IHP_RBS_Repository, HP_RBS_Repository>();
        services.AddAuthentication();
        services.AddAuthorization();

    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseStaticFiles();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseRouting();
        app.UseEndpoints(x =>
        {
            x.MapControllerRoute("Default",
                "{controller}/{action}/{id?}",
                new { controller = "Home", action = "Index" });
        });
    }
}

The calls to UseAuthentication and UseAuthorization must be placed between UseRouting and UseEndpoints:

app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(x =>
{
    x.MapControllerRoute("Default",
        "{controller}/{action}/{id?}",
        new { controller = "Home", action = "Index" });
});

When these calls are placed before UseRouting, the UseAuthorization call is effectively a no-op. It checks whether an endpoint has been selected, but that has not happened yet. The selection is politely performed by the UseRouting call that runs next, but by then it is too late.

Unfortunately, this means the MVC endpoint runs as though authorization succeeded, even though it never executed at all. This is a known issue in ASP.NET Core 3.0.0 and was fixed in 3.0.1.
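The silent failure described above (a protected action served with HTTP 200 to an anonymous caller) is easy to catch with an integration test that runs the real middleware pipeline. The test below is an added example, not part of the question or answer; it assumes an xunit test project referencing Microsoft.AspNetCore.Mvc.Testing and the web project, that `Startup` is the class shown above, and that the route `/Claims/Index` is the one mapped by the default route.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Assumed names: Startup is the web project's startup class from the question,
// /Claims/Index is the [Authorize(Roles = "Partner")] action under test.
public class ClaimsAuthorizationTests : IClassFixture<WebApplicationFactory<Startup>>
{
    private readonly WebApplicationFactory<Startup> _factory;

    public ClaimsAuthorizationTests(WebApplicationFactory<Startup> factory)
    {
        _factory = factory;
    }

    [Fact]
    public async Task Anonymous_request_to_protected_action_is_not_served()
    {
        // Do not follow redirects: Identity's cookie scheme answers an anonymous
        // request to an [Authorize] action with a 302 to the login page, and we
        // want to observe that status rather than whatever the login page returns.
        var client = _factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            AllowAutoRedirect = false
        });

        var response = await client.GetAsync("/Claims/Index");

        // With the middleware ordered correctly the request is challenged (302),
        // or rejected outright (401/403) if a non-redirecting scheme is used.
        Assert.Contains(response.StatusCode, new[]
        {
            HttpStatusCode.Redirect,
            HttpStatusCode.Unauthorized,
            HttpStatusCode.Forbidden
        });

        // With UseAuthorization placed before UseRouting (the bug in the question),
        // this assertion is what fails: the view is rendered and 200 comes back.
        Assert.NotEqual(HttpStatusCode.OK, response.StatusCode);
    }
}
```

Because the test exercises the configured pipeline rather than the controller in isolation, it fails on the mis-ordered Startup from the question and passes once UseAuthentication/UseAuthorization sit between UseRouting and UseEndpoints, independent of which 3.0.x runtime is installed.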