1.增加鉴权授权
app.UseRouting();
// Order matters: both middlewares must sit after UseRouting and before UseEndpoints,
// otherwise the endpoint's [Authorize] metadata is not available when they run.
app.UseAuthentication();// authentication: determines whether (and as whom) the user is signed in
app.UseAuthorization();// authorization: checks whether that user is allowed to access the page
app.UseEndpoints()
2.增加服务
// Register cookie authentication as the default scheme. LoginPath is where
// unauthenticated requests to protected endpoints are sent.
services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(cookie => cookie.LoginPath = new PathString("/Account/Login"));
3.指定需要做鉴权授权的 Action、Controller，或者全局
标记特性
using Microsoft.AspNetCore.Authorization;
/// <summary>
/// Protected action: only requests that pass authentication (and authorization)
/// reach this method; anonymous requests are handled by the authentication scheme.
/// </summary>
/// <returns>The view rendered for <c>user</c>.</returns>
[Authorize]
public IActionResult Index() => View(user);
4. 用户登录验证和保存信息
ClaimTypes.Role就是做权限认证的标识;
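// rolelist holds the roles the user has after a successful login. In a real
// application this comes from the database and differs per user; the literal
// values below are sample data for the walkthrough.
var rolelist = new List<string>()
{
    "Admin",
    "Teacher",
    "Student"
};

// Claims describe who the user is. Everything added here is serialized into the
// authentication cookie and sent back with every request, so it should contain
// only what authorization needs. The original `new Claim("password", password)`
// was removed: the password is never needed after sign-in and must not be stored
// in the cookie.
// ClaimTypes.Role is the claim type that [Authorize(Roles = ...)] checks against;
// role claims are added from rolelist below so each role appears exactly once.
var claims = new List<Claim>()
{
    new Claim(ClaimTypes.Name, name),
    new Claim("Account", "Administrator"),
    new Claim("role", "admin"),
    new Claim("zhaoxi", "zhaoxi"),
    new Claim("User", "zhaoxi")
};
foreach (var role in rolelist)
{
    claims.Add(new Claim(ClaimTypes.Role, role));
}

// "Customer" is the authentication type of the identity; an identity without one
// is treated as not authenticated.
ClaimsPrincipal userPrincipal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Customer"));

// NOTE(review): .Wait() blocks the request thread on an async call; inside an
// async action this should be `await HttpContext.SignInAsync(...)`. The enclosing
// method is not visible here, so the blocking call is kept.
HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, userPrincipal, new AuthenticationProperties
{
    ExpiresUtc = DateTime.UtcNow.AddMinutes(30),// ticket lifetime: 30 minutes
}).Wait();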
[Authorize(Roles = "Admin,Teacher,Student")] // one attribute, roles separated by commas: the user needs ANY one of the listed roles (OR)
/// <summary>
/// Several stacked Authorize attributes are combined with AND: the user must hold
/// every listed role to access the action.
/// </summary>
/// <returns></returns>
[Authorize(Roles = "Admin")]
[Authorize(Roles = "Teacher")]
[Authorize(Roles = "Student")]
策略授权
上面的角色授权是在特性上写死了
1.自定义角色管理授权类 CustomAuthorizationHandler 继承自 AuthorizationHandler<CustomAuthorizationRequirement>泛型父类
2.因为 AuthorizationHandler 是抽象类，需要实现接口，让自定义逻辑生效；并在 Startup 中注册
3.支持多种策略