0

如何指定AuthenticationSchemeisWindows并检查用户是否是 AD 组的成员?

当我指定时AuthenticationScheme,设置Roles不再有效,为什么不呢?我该如何解决?

public class SomeController : Controller
{
    //this works
    [Authorize(Roles = @"SOME.DOMAIN\SOME GROUP")]
    public IActionResult SomeAction(){ ... }

    //this works
    [Authorize(AuthenticationSchemes = "Windows")]
    //this doesn't work
    //[Authorize(Roles = @"SOME.DOMAIN\SOME GROUP", AuthenticationSchemes = "Windows")]
    public ActionResult SomeAction2(){ ... }
}

GitHub 上的完整示例

一些背景

我们有一个名为的 AD 组SOME GROUP,用户必须是其成员才能执行某些操作。在 Web 应用程序的其他部分,我们使用 cookie 身份验证,因此我需要在此特定控制器中指定身份验证方法。

参考:使用 ASP.NET Core 中的特定方案进行授权

4

2 回答 2

0

Windows 身份验证不同于其他所有身份验证处理程序。ASP.NET 不进行身份验证,Windows 组件进行身份验证,并将 ASP.NET Core 的句柄传递给它创建的身份。它不是为其他身份验证类型而设计的,也不是为了与其他身份验证类型混合使用的,它要么是 Windows 和匿名,要么只是 Windows。

不支持将它与其他任何东西混合,因此即使它确实有效,您也不应该需要通过方案进行限制。

于 2019-02-26T19:07:33.193 回答
0

事实证明,WindowsIdentity它保留在HttpContext.User对象中,允许我们检查组/角色成员资格。

内联示例

using System.Security.Principal;

[Authorize(AuthenticationSchemes = IISServerDefaults.AuthenticationScheme)]
public ActionResult SomeAction()
{
    var windowsIdentity = HttpContext.User.Identity as WindowsIdentity;
    var windowsUser = new WindowsPrincipal(windowsIdentity);
    var role = "[MY-COMPUTER-NAME || AD GROUP NAME]\\[GROUP NAME]";
    var inInRole = windowsUser.IsInRole(role);

    // todo: if not allowed write code to handle it

    return View();
}

完整来源

策略示例

//AuthorizationHandler<T>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RoleRequirement requirement)
{
    if (!(context.User.Identity is WindowsIdentity windowsIdentity))
        return Task.CompletedTask;

    var windowsUser = new WindowsPrincipal(windowsIdentity);
    try
    {
        var hasRole = windowsUser?.IsInRole(requirement.GroupName) ?? false;
        if (hasRole)
            context.Succeed(requirement);
    }
    catch (Exception ex)
    {
        logger.LogError(ex, "Unable to check groups the user belongs too");
    }

    return Task.CompletedTask;
}

//IAuthorizationRequirement
public class RoleRequirement : IAuthorizationRequirement
{
    public RoleRequirement(string groupName)
    { GroupName = groupName; }

    /// <summary>
    /// The Windows / AD Group Name that is allowed to call the OMS API
    /// </summary>
    public string GroupName { get; }
}

//action protected with the policy
[Authorize("Super User Role")]
public IActionResult Contact()
{ return View(); }

//startup.cs
public void ConfigureServices(IServiceCollection services)
{
    //pull group name from the config
    var securityOptions = Configuration.GetSection("Security").Get<SecurityOptions>();

    services.AddAuthentication(IISDefaults.AuthenticationScheme);
    services.AddAuthorization(options =>
    {
        options.AddPolicy("Super User Role", policy =>
        {
            policy.Requirements.Add(new RoleRequirement(securityOptions.AllowedGroup));
            policy.AddAuthenticationSchemes("Windows");
        });
    });
    services.AddSingleton<IAuthorizationHandler, RoleHandler>();
    // ...
}

完整来源

于 2019-02-27T18:17:05.527 回答