
ASP.NET Core Policy-Based Authorization

2017-09-03 10:18

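"ASP.NET Core Authentication and Authorization" covered fixed and custom role-based authorization for system permissions. Authorization can also be granted in other ways, for example by role group, user name or birthday, and these mainly depend on ClaimTypes. We can also authorize on custom key/value pairs. All of these are collectively called policy-based authorization. More powerful still, we can write a custom authorization Handler to make authorization decisions flexibly. Each of these is covered below.

Note: the code below is only partial. For the complete code see: https://github.com/axzxs2001/Asp.NetCoreExperiment/tree/master/Asp.NetCoreExperiment/%E6%9D%83%E9%99%90%E7%AE%A1%E7%90%86/PolicyPrivilegeManagement

First, look at authorization policies based on role group, user name, ClaimType or a custom key/value pair. These are all added through Services.AddAuthorization, using AddPolicy on AuthorizationOptions. Here the policy is uniformly named RequireClaim, while the policy method differs with the kind of requirement; for a user name, for example, use policy.RequireUserName(). In addition, at login, once the credentials have been verified, the corresponding Claim must be added to the ClaimsIdentity:

Startup.cs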

```csharp
// Requires: using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Http;
//           using Microsoft.Extensions.DependencyInjection; using System.Security.Claims;
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    services.AddAuthorization(options =>
    {
        // Role-based policy
        options.AddPolicy("RequireClaim", policy => policy.RequireRole("admin", "system"));
        // Based on user name
        //options.AddPolicy("RequireClaim", policy => policy.RequireUserName("桂素伟"));
        // Based on a Claim
        //options.AddPolicy("RequireClaim", policy => policy.RequireClaim(ClaimTypes.Country, "中国"));
        // Custom value
        //options.AddPolicy("RequireClaim", policy => policy.RequireClaim("date", "2017-09-02"));
    }).AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(options =>
    {
        options.LoginPath = new PathString("/login");
        options.AccessDeniedPath = new PathString("/denied");
    });
}
```

```csharp
/// <summary>
/// User permission
/// </summary>
public class UserPermission
{
    /// <summary>
    /// User name
    /// </summary>
    public string UserName { get; set; }

    /// <summary>
    /// Request URL
    /// </summary>
    public string Url { get; set; }
}
```

```csharp
using Microsoft.AspNetCore.Authorization;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;

namespace PolicyPrivilegeManagement.Models
{
    /// <summary>
    /// Permission authorization Handler
    /// </summary>
    public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
    {
        /// <summary>
        /// User permissions
        /// </summary>
        public List<UserPermission> UserPermissions { get; set; }

        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
        {
            // Assign the user permissions
            UserPermissions = requirement.UserPermissions;
            // Get the HttpContext from the AuthorizationHandlerContext resource to read the request information
            var filterContext = context.Resource as Microsoft.AspNetCore.Mvc.Filters.AuthorizationFilterContext;
            if (filterContext == null)
            {
                // Not an MVC filter context: leave the requirement unmet instead of throwing
                return Task.CompletedTask;
            }
            var httpContext = filterContext.HttpContext;
            // Request URL
            var questUrl = httpContext.Request.Path.Value.ToLower();
            // Whether the user has been authenticated
            var isAuthenticated = httpContext.User.Identity.IsAuthenticated;
            if (isAuthenticated)
            {
                if (UserPermissions.Any(w => w.Url.ToLower() == questUrl))
                {
                    // User name (null when the Sid claim is missing)
                    var userName = httpContext.User.Claims.SingleOrDefault(s => s.Type == ClaimTypes.Sid)?.Value;
                    if (userName != null && UserPermissions.Any(w => w.UserName == userName && w.Url.ToLower() == questUrl))
                    {
                        context.Succeed(requirement);
                    }
                    else
                    {
                        // No permission: redirect to the denied page
                        httpContext.Response.Redirect(requirement.DeniedAction);
                    }
                }
                else
                {
                    // The URL is not in the permission list: every authenticated user is allowed
                    context.Succeed(requirement);
                }
            }
            return Task.CompletedTask;
        }
    }
}
```
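The sign-in step mentioned above, where the matching claims are added to the ClaimsIdentity once the credentials are verified, could look like the following. This is an added example, not code from the original post or its repository; `AppUser`, `IUserStore`, `AccountController` and the `/admin` route are hypothetical names, and the credential check is assumed to live behind `IUserStore`.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical user record and store; not part of the original project.
public class AppUser
{
    public string UserName { get; set; }
    public string Country { get; set; }
    public List<string> Roles { get; set; } = new List<string>();
}

public interface IUserStore
{
    // Returns null when the user name or password is wrong.
    Task<AppUser> FindByCredentialsAsync(string userName, string password);
}

public class AccountController : Controller
{
    private readonly IUserStore _users;
    public AccountController(IUserStore users) => _users = users;

    [AllowAnonymous, HttpPost("/login"), ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password)
    {
        var user = await _users.FindByCredentialsAsync(userName, password);
        if (user == null) return Unauthorized();
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.UserName), // checked by RequireUserName
            new Claim(ClaimTypes.Sid, user.UserName),  // read by PermissionHandler
        };
        if (user.Country != null)                      // checked by RequireClaim(ClaimTypes.Country, ...)
            claims.Add(new Claim(ClaimTypes.Country, user.Country));
        foreach (var role in user.Roles)               // checked by RequireRole
            claims.Add(new Claim(ClaimTypes.Role, role));
        // Passing an authentication type is what makes Identity.IsAuthenticated true.
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
        return Redirect("/");
    }

    [Authorize(Policy = "RequireClaim"), HttpGet("/admin")]
    public IActionResult Admin() => Content("authorized");
}
```

Roles and other claims are taken from the server-side user record, never from request input, because every policy check afterwards trusts whatever was written into the cookie at sign-in.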