我想在自定义属性中进行安全验证。一个很好的例子是,如果用户发出GET请求来检索具有给定ID的实体,我想拦截该属性中的该请求,将其交给操作筛选器,然后确定用户是否有权访问它。我唯一的问题是如何检索实体ID。我无法在属性声明中传递它,因为它会初始化一次而不是每次请求。相反,我想给我的自定义属性一个url模式,就像你会给HttpGet或HttpPost,并根据上下文的url参数来解析,得到一个实体id。解决asp网络核心mvc中的路由段
这里是我的属性:
public class RequireProjectAccessAttribute : TypeFilterAttribute
{
public string UrlPattern { get; set; }
public RequireProjectAccessAttribute(string urlPattern) : base(typeof(RequireProjectAccessFilter))
{
UrlPattern = urlPattern;
Arguments = new object[] { urlPattern };
}
private class RequireProjectAccessFilter : IAsyncActionFilter
{
private readonly ICurrentSession _currentSession;
private readonly string _urlPattern;
public RequireProjectAccessFilter(ICurrentSession currentSession, string urlPattern)
{
_currentSession = currentSession;
_urlPattern = urlPattern;
}
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
var projectId = /* some magic to resolve _urlPattern against the current url parameter values */
if (/* user doesn't have access to project */)
{
context.Result = new UnauthorizedResult();
}
else
{
await next();
}
}
}
}
这里是我怎么想使用它:
[Route("api/[controller]")]
public class ProjectsController : BaseController
{
public ProjectsController()
{
}
[RequireProjectAccess("{projectId}")]
[HttpGet("{projectId}")]
public JsonResult GetById(int projectId)
{
/* retrieve project */
}
}
https://开头channel9.msdn。 com/Blogs/Seth-Juarez/Advanced-aspnet-Core-Authorization-with-Barry-Dorrans |转到此视频并跳过大约30分钟。 –