0

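I have an ASP.NET Core 1 RC1 application that uses a custom route constraint to control access to the application. The application (hosted on a server running IIS 7.5) is getting intermittent 404 errors, which I suspect are caused by this route constraint. Here you can see a screenshot showing the intermittent 404 errors:

enter image description here

I suspect this issue is related to the code that defines the route constraint not being thread-safe. The custom route constraint needs a DbContext because it has to check in the database whether the application is enabled for the brand specified in the route, and I suspect that this DbContext instance could be causing the problem. Here is how the route is defined in the application: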

// Add MVC to the request pipeline.
var appDbContext = app.ApplicationServices.GetRequiredService<AppDbContext>();
app.UseMvc(routes =>
{
    routes.MapRoute(
        name: "branding",
        template: "branding/{brand}/{controller}/{action}/{id?}",
        defaults: new { controller="Home", action="Index" },
        constraints: new { brand = new BrandingRouteConstraint(appDbContext) });
});

Here is the custom route constraint:

// Custom route constraint
public class BrandingRouteConstraint : IRouteConstraint
{
    AppDbContext _appDbContext;
    public BrandingRouteConstraint(AppDbContext appDbContext) : base() {
        _appDbContext = appDbContext;
    }
    public bool Match(HttpContext httpContext, IRouter route, string routeKey, IDictionary<string, object> values, RouteDirection routeDirection)
    {
        if (values.Keys.Contains(routeKey))
        {
            var whiteLabel = _appDbContext.WhiteLabels.Where(w => w.Url == values[routeKey].ToString()).FirstOrDefault();
            if (whiteLabel != null && whiteLabel.EnableApplication != null && (bool)whiteLabel.EnableApplication)
            {
                return true;
            }
        }
        return false;
    }
}

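Can anyone confirm that this issue is caused by the code not being thread-safe, and recommend a way to change the implementation so that it is thread-safe?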

4

1 Answer

1

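I can't comment on RouteConstraint, I haven't used them much, but have you tried resource-based authorization? It looks like it might be better suited to what you are trying to achieve.

Here and here

Request the authentication service inside the controller: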

public class DocumentController : Controller
{
    IAuthorizationService authorizationService;

    public DocumentController(IAuthorizationService authorizationService)
    {
        this.authorizationService = authorizationService;
    }
}

Apply the authorization check in your action:

public async Task<IActionResult> Edit(Guid documentId)
{
    Document document = documentRepository.Find(documentId);

    if (document == null)
    {
        return new HttpNotFoundResult();
    }

    // Uses Operations.Update: the Operations class below defines no "Edit" member.
    if (await authorizationService.AuthorizeAsync(User, document, Operations.Update))
    {
        return View(document);
    }
    else
    {
        return new HttpUnauthorizedResult();
    }
}

I used the OperationAuthorizationRequirement class in the sample, so define this class in your project:

public static class Operations
{
    public static OperationAuthorizationRequirement Create =
        new OperationAuthorizationRequirement { Name = "Create" };
    public static OperationAuthorizationRequirement Read =
        new OperationAuthorizationRequirement { Name = "Read" };
    public static OperationAuthorizationRequirement Update =
        new OperationAuthorizationRequirement { Name = "Update" };
    public static OperationAuthorizationRequirement Delete =
        new OperationAuthorizationRequirement { Name = "Delete" };
}

Implement the authorization handler (using the built-in OperationAuthorizationRequirement requirement):

public class DocumentAuthorizationHandler : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override void Handle(AuthorizationContext context,
                                   OperationAuthorizationRequirement requirement,
                                   Document resource)
    {
        // Validate the requirement against the resource and identity.
        // Sample just checks "Name" field, put your real logic here :)
        if (resource.Name == "Doc1")
            context.Succeed(requirement);
        else
            context.Fail();
    }
}

Don't forget to configure services:

services.AddInstance<IAuthorizationHandler>(
    new DocumentAuthorizationHandler());

It is a bit more work, but it adds quite a lot of flexibility.

answered 2016-02-29T06:41:05.960
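
Added example (not part of the question or the answer above): Entity Framework `DbContext` instances are not thread-safe, and the constraint in the question captures one instance at startup that every concurrent request then shares. The version below avoids that by resolving the context from the current request's services and denies the route when the lookup cannot be made; it reuses the question's `AppDbContext` and `WhiteLabels` names and assumes `AppDbContext` is registered with `AddDbContext` (scoped per request).

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Routing;
using Microsoft.Extensions.DependencyInjection;

// Route constraint that holds no DbContext of its own, so the single
// constraint instance created at startup carries no shared mutable state.
public class BrandingRouteConstraint : IRouteConstraint
{
    public bool Match(HttpContext httpContext, IRouter route, string routeKey,
        IDictionary<string, object> values, RouteDirection routeDirection)
    {
        // Fail closed: no request context or no brand value means no match.
        object raw;
        if (httpContext == null || !values.TryGetValue(routeKey, out raw) || raw == null)
        {
            return false;
        }

        // Copy the route value to a local so the query compares against a plain string.
        string brand = raw.ToString();

        // Assumption: AppDbContext is registered via AddDbContext<AppDbContext>(),
        // which gives each request its own instance from RequestServices.
        var db = httpContext.RequestServices.GetRequiredService<AppDbContext>();

        var whiteLabel = db.WhiteLabels.FirstOrDefault(w => w.Url == brand);

        // EnableApplication is nullable in the question's model; null counts as disabled.
        return whiteLabel != null && whiteLabel.EnableApplication == true;
    }
}

// In Startup.Configure the constraint is then created without a context:
//
//   app.UseMvc(routes =>
//   {
//       routes.MapRoute(
//           name: "branding",
//           template: "branding/{brand}/{controller}/{action}/{id?}",
//           defaults: new { controller = "Home", action = "Index" },
//           constraints: new { brand = new BrandingRouteConstraint() });
//   });
```

The `app.ApplicationServices.GetRequiredService<AppDbContext>()` line from the question is no longer needed once the constraint resolves its context per request.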