【ASP.NET Core】运行原理(4):授权
2018-01-05 14:32
1166 查看
本系列将分析ASP.NET Core运行原理
【ASP.NET Core】运行原理(1):创建WebHost
【ASP.NET Core】运行原理(2):启动WebHost
【ASP.NET Core】运行原理(3):认证
【ASP.NET Core】运行原理(4):授权
在认证阶段通过用户令牌获取到用户的Claims,而授权就是对这些Claims的验证。
AuthorizationOptions
AuthorizationPolicy
AuthorizationPolicyBuilder
执行授权
AuthorizeFilter
IPolicyEvaluator
IAuthorizationService
总结
通过上面的代码,可以添加一个isAdmin的授权。
对于第一个参数opt:
实际上,
而
而
授权的最终实现代码在IAuthorizationHandler
在MVC中,ApplicationModel用来描述MVC中的模型,而IApplicationModelProvider则是初始化MVC的模型:
其中AuthorizationApplicationModelProvider会初始化ApplicationModel的授权部分,注册到Filters属性上(AuthorizeFilter 和 AllowAnonymousFilter)。
AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行
在AuthenticateAsync方法中,将合并policy的所有scheme认证结果。
在AuthorizeAsync方法中,将调用
在IAuthorizationService类中,将调用policy的所有Requirement的Handle处理
AuthorizationOptions 用于保存 AuthorizationPolicy
AuthorizationPolicyBuilder 用于创建 AuthorizationPolicy
AuthorizationPolicy 包含 IAuthorizationRequirement 和 AuthenticationSchemes
IAuthorizationRequirement 包含授权逻辑 IAuthorizationHandler
执行授权:
AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行
IPolicyEvaluator 先根据 Schemes 获取Claims,然后调用 IAuthorizationService 的授权方法
IAuthorizationService 调用 Requirement 对应的Handle授权逻辑
个人觉得源码的一个待优化的地方:在
本文链接:http://www.cnblogs.com/neverc/p/8204339.html
【ASP.NET Core】运行原理(1):创建WebHost
【ASP.NET Core】运行原理(2):启动WebHost
【ASP.NET Core】运行原理(3):认证
【ASP.NET Core】运行原理(4):授权
在认证阶段通过用户令牌获取到用户的Claims,而授权就是对这些Claims的验证。
目录
授权核心AuthorizationOptions
AuthorizationPolicy
AuthorizationPolicyBuilder
执行授权
AuthorizeFilter
IPolicyEvaluator
IAuthorizationService
总结
授权核心
services.AddAuthorization(opt => opt.AddPolicy("isAdmin", builder => builder.RequireUserName("admin")));
通过上面的代码,可以添加一个isAdmin的授权。
对于第一个参数opt:
public class AuthorizationOptions { private IDictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>(); public void AddPolicy(string name, AuthorizationPolicy policy) { PolicyMap[name] = policy; } public void AddPolicy(string name, Action<AuthorizationPolicyBuilder> configurePolicy) { var policyBuilder = new AuthorizationPolicyBuilder(); configurePolicy(policyBuilder); AddPolicy(name,policyBuilder.Build()); } public AuthorizationPolicy GetPolicy(string name) { return PolicyMap.ContainsKey(name) ? PolicyMap[name] : null; } }
实际上,
AuthorizationOptions相当于AuthorizationPolicy的集合
而
AuthorizationPolicy则是一个具体的授权策略对象
public class AuthorizationPolicy { public IReadOnlyList<IAuthorizationRequirement> Requirements { get; } public IReadOnlyList<string> AuthenticationSchemes { get; } }
而
AuthorizationPolicyBuilder通过Build方法可以构建一个AuthorizationPolicy,其内部有很多常用的添加
IAuthorizationRequirement的方法:
public AuthorizationPolicy Build() { return new AuthorizationPolicy(this.Requirements, this.AuthenticationSchemes); } public AuthorizationPolicyBuilder RequireUserName(string userName) { this.Requirements.Add(new NameAuthorizationRequirement(userName)); } ... Require() ...
IAuthorizationRequirement是授权策略
AuthorizationPolicy的一个授权条件,策略下的所有授权条件满足,则授权成功。
public interface IAuthorizationRequirement { } public class NameAuthorizationRequirement : IAuthorizationRequirement { public string RequiredName { get; } }
IAuthorizationHandler是授权条件
IAuthorizationRequirement的具体处理器,授权条件下的任意1个处理器授权成功,则授权成功。(默认情况下:AuthorizationOptions的InvokeHandlersAfterFailure = true)
public interface IAuthorizationHandler { Task HandleAsync(AuthorizationHandlerContext context); } public abstract class AuthorizationHandler<TRequirement> : IAuthorizationHandler where TRequirement : IAuthorizationRequirement { public virtual async Task HandleAsync(AuthorizationHandlerContext context) { foreach (TRequirement requirement in context.Requirements) await HandleRequirementAsync(context, requirement); } protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement); } public class NameAuthorizationRequirement : AuthorizationHandler<NameAuthorizationRequirement> { protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, NameAuthorizationRequirement requirement) { if (context.User?.Identities.Any(identity => identity.Name == requirement.RequiredName)) context.Succeed((IAuthorizationRequirement) requirement); return Task.CompletedTask; } }
授权的最终实现代码在IAuthorizationHandler
执行授权
解释了授权策略的原理,再谈谈授权策略的触发。通常我们在MVC中使用授权功能,而触发授权也是在注册MVC代码中,一并注册了。public static IMvcBuilder AddMvc(this IServiceCollection services) { IMvcCoreBuilder builder = services.AddMvcCore(); builder.AddAuthorization(); } internal static void AddAuthorizationServices(IServiceCollection services) { services.AddAuthenticationCore(); services.AddAuthorization(); services.AddAuthorizationPolicyEvaluator(); services.TryAddEnumerable(ServiceDescriptor.Transient<IApplicationModelProvider, AuthorizationApplicationModelProvider>()); }
在MVC中,ApplicationModel用来描述MVC中的模型,而IApplicationModelProvider则是初始化MVC的模型:
public class ApplicationModel { public IList<ControllerModel> Controllers { get; } public IList<IFilterMetadata> Filters { get; } } public interface IApplicationModelProvider { int Order { get; } void OnProvidersExecuting(ApplicationModelProviderContext context); void OnProvidersExecuted(ApplicationModelProviderContext context); }
其中AuthorizationApplicationModelProvider会初始化ApplicationModel的授权部分,注册到Filters属性上(AuthorizeFilter 和 AllowAnonymousFilter)。
public interface IAsyncAuthorizationFilter : IFilterMetadata { Task OnAuthorizationAsync(AuthorizationFilterContext context); } public class AuthorizeFilter : IAsyncAuthorizationFilter { public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context) { var policyEvaluator = GetRequiredService<IPolicyEvaluator>(); var authenticationResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext); var authorizationResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticationResult, context.HttpContext, context); if (authorizationResult.Challenged) { context.Result = (IActionResult) new ChallengeResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>()); } else if (authorizationResult.Forbidden) { context.Result = (IActionResult) new ForbidResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>()); } } }
AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行
public interface IPolicyEvaluator { Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context); Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource); } public class PolicyEvaluator : IPolicyEvaluator { private readonly IAuthorizationService _authorization; public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context) { } public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource) { var result = await _authorization.AuthorizeAsync(context.User, resource, policy); if (result.Succeeded) return PolicyAuthorizationResult.Success(); return (authenticationResult.Succeeded) ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge(); } }
在AuthenticateAsync方法中,将合并policy的所有scheme认证结果。
在AuthorizeAsync方法中,将调用
IAuthorizationService来实现授权。
public interface IAuthorizationService { Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements); Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName); } public class DefaultAuthorizationService : IAuthorizationService { public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName) { var policy = await _policyProvider.GetPolicyAsync(policyName); return await this.AuthorizeAsync(user, resource, policy); } public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements) { var authContext = _contextFactory.CreateContext(requirements, user, resource); var handlers = await _handlers.GetHandlersAsync(authContext); foreach (var handler in handlers) { await handler.HandleAsync(authContext); if (!_options.InvokeHandlersAfterFailure && authContext.HasFailed) break; } return _evaluator.Evaluate(authContext); } }
在IAuthorizationService类中,将调用policy的所有Requirement的Handle处理
总结
授权核心:AuthorizationOptions、
AuthorizationPolicy、
AuthorizationPolicyBuilder
AuthorizationOptions 用于保存 AuthorizationPolicy
AuthorizationPolicyBuilder 用于创建 AuthorizationPolicy
AuthorizationPolicy 包含 IAuthorizationRequirement 和 AuthenticationSchemes
IAuthorizationRequirement 包含授权逻辑 IAuthorizationHandler
执行授权:
AuthorizeFilter、
IPolicyEvaluator、
IAuthorizationService
AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行
IPolicyEvaluator 先根据 Schemes 获取Claims,然后调用 IAuthorizationService 的授权方法
IAuthorizationService 调用 Requirement 对应的Handle授权逻辑
个人觉得源码的一个待优化的地方:在
DefaultAuthorizationHandlerProvider的
GetHandlersAsync方法按需返回
IAuthorizationHandler更合适。
本文链接:http://www.cnblogs.com/neverc/p/8204339.html
相关文章推荐
- ASP.NET Core 运行原理剖析1:初始化WebApp模版并运行
- ASP.NET Core 运行原理解剖[1]:Hosting
- ASP.NET Core 运行原理剖析2:Startup 和 Middleware(中间件)
- ASP.NET Core 运行原理解剖[1]:Hosting
- ASP.NET Core 运行原理解剖[2]-Hosting补充之配置介绍
- ASP.NET Core 运行原理解剖[5]:Authentication
- ASP.NET Core 运行原理剖析
- ASP.NET Core 运行原理解剖[1]-Hosting
- 【ASP.NET Core】运行原理(3):认证
- ASP.NET Core 运行原理解剖[3]:Middleware-请求管道的构成
- 【ASP.NET Core】运行原理(1):创建WebHost
- ASP.NET Core 运行原理解剖[3]:Middleware-请求管道的构成
- ASP.NET Core 运行原理解剖[2]:Hosting补充之配置介绍
- ASP.NET Core 运行原理剖析1:初始化WebApp模版并运行
- ASP.NET Core 运行原理解剖[3]:Middleware-请求管道的构成
- ASP.NET Core 运行原理剖析2:Startup 和 Middleware(中间件)
- ASP.NET Core 运行原理剖析1:初始化WebApp模版并运行
- ASP.NET Core 运行原理剖析
- 【ASP.NET Core】运行原理(2):启动WebHost
- ASP.NET Core 运行原理解剖[4]:进入HttpContext的世界