翻页 夜间
首页 > 线上去推广信用卡方案 > 金蛋计划抢矿机预计赚140元

“那我想亲你一下,怎么办?”王小民凑到云黛儿发间,呼吸着她身上的体香,带着一丝跳逗的语气说道。

中国电视报广告代理

“先生,一共是三千七百六十八元,按照酒店规定,在这个包厢吃饭可以打六折,也就是两千二百六十元,不过经理已经吩咐过,您只需付两千元便可。”
“各位,先天葫芦藤的葫芦已经成熟了,各位请挑一个吧。”刘皓说道,挫败了三清和帝俊太一,他们一共可以拿走四个葫芦。

“在将这些基因融入你的身体的过程里面是很痛苦的,我不敢保证你会不会承受不住直接精神崩溃,我这里没有任何药物能帮到你,毕竟我能将这些基因融入你的身体让你拥有写轮眼已经是我目前所能到达的极致,基因实在是太过奥妙神秘了。

【ASP.NET Core】运行原理(4):授权


本系列将分析ASP.NET Core运行原理

  • 【ASP.NET Core】运行原理(1):创建WebHost
  • 【ASP.NET Core】运行原理(2):启动WebHost
  • 【ASP.NET Core】运行原理(3):认证
  • 【ASP.NET Core】运行原理(4):授权

在认证阶段通过用户令牌获取到用户的Claims,而授权就是对这些Claims的验证。

目录

  1. 授权核心
    1. AuthorizationOptions
    2. AuthorizationPolicy
    3. AuthorizationPolicyBuilder
  2. 执行授权
    1. AuthorizeFilter
    2. IPolicyEvaluator
    3. IAuthorizationService
  3. 总结

授权核心

services.AddAuthorization(opt => opt.AddPolicy("isAdmin", builder => builder.RequireUserName("admin")));
通过上面的代码,可以添加一个isAdmin的授权。

对于第一个参数opt:

public class AuthorizationOptions
{
    private IDictionary<string, AuthorizationPolicy> PolicyMap { get; } = new Dictionary<string, AuthorizationPolicy>();

    public void AddPolicy(string name, AuthorizationPolicy policy)
    {
        PolicyMap[name] = policy;
    }

    public void AddPolicy(string name, Action<AuthorizationPolicyBuilder> configurePolicy)
    {
        var policyBuilder = new AuthorizationPolicyBuilder();
        configurePolicy(policyBuilder);
        AddPolicy(name,policyBuilder.Build());
    }

    public AuthorizationPolicy GetPolicy(string name)
    {
        return PolicyMap.ContainsKey(name) ? PolicyMap[name] : null;
    }
}

实际上,AuthorizationOptions相当于AuthorizationPolicy的集合
AuthorizationPolicy则是一个具体的授权策略对象

public class AuthorizationPolicy
{
    public IReadOnlyList<IAuthorizationRequirement> Requirements { get; }
    public IReadOnlyList<string> AuthenticationSchemes { get; }
}

AuthorizationPolicyBuilder通过Build方法可以构建一个AuthorizationPolicy,其内部有很多常用的添加IAuthorizationRequirement的方法:

public AuthorizationPolicy Build()
{
    return new AuthorizationPolicy(this.Requirements, this.AuthenticationSchemes);
}
public AuthorizationPolicyBuilder RequireUserName(string userName)
{
    this.Requirements.Add(new NameAuthorizationRequirement(userName));
}

... Require() ...

IAuthorizationRequirement是授权策略AuthorizationPolicy的一个授权条件,策略下的所有授权条件满足,则授权成功。

public interface IAuthorizationRequirement
{
}

public class NameAuthorizationRequirement : IAuthorizationRequirement
{
    public string RequiredName { get; }
}

IAuthorizationHandler是授权条件IAuthorizationRequirement的具体处理器,授权条件下的任意1个处理器授权成功,则授权成功。(默认情况下:AuthorizationOptions的InvokeHandlersAfterFailure = true)

public interface IAuthorizationHandler
{
    Task HandleAsync(AuthorizationHandlerContext context);
}

public abstract class AuthorizationHandler<TRequirement> : IAuthorizationHandler where TRequirement : IAuthorizationRequirement
{
    public virtual async Task HandleAsync(AuthorizationHandlerContext context)
    {
        foreach (TRequirement requirement in context.Requirements)
            await HandleRequirementAsync(context, requirement);
    }

    protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement);
}

public class NameAuthorizationRequirement : AuthorizationHandler<NameAuthorizationRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, NameAuthorizationRequirement requirement)
    {
        if (context.User?.Identities.Any(identity => identity.Name == requirement.RequiredName))
            context.Succeed((IAuthorizationRequirement) requirement);
        return Task.CompletedTask;
    }
}

授权的最终实现代码在IAuthorizationHandler

执行授权

解释了授权策略的原理,再谈谈授权策略的触发。通常我们在MVC中使用授权功能,而触发授权也是在注册MVC代码中,一并注册了。

public static IMvcBuilder AddMvc(this IServiceCollection services)
{
    IMvcCoreBuilder builder = services.AddMvcCore();
    builder.AddAuthorization();
}

internal static void AddAuthorizationServices(IServiceCollection services)
{
    services.AddAuthenticationCore();
    services.AddAuthorization();
    services.AddAuthorizationPolicyEvaluator();
    services.TryAddEnumerable(ServiceDescriptor.Transient<IApplicationModelProvider, AuthorizationApplicationModelProvider>());
}

在MVC中,ApplicationModel用来描述MVC中的模型,而IApplicationModelProvider则是初始化MVC的模型:

public class ApplicationModel
{
    public IList<ControllerModel> Controllers { get; }

    public IList<IFilterMetadata> Filters { get; }
}
public interface IApplicationModelProvider
{
    int Order { get; }
    void OnProvidersExecuting(ApplicationModelProviderContext context);
    void OnProvidersExecuted(ApplicationModelProviderContext context);
}

其中AuthorizationApplicationModelProvider会初始化ApplicationModel的授权部分,注册到Filters属性上(AuthorizeFilter 和 AllowAnonymousFilter)。

public interface IAsyncAuthorizationFilter : IFilterMetadata
{
    Task OnAuthorizationAsync(AuthorizationFilterContext context);
}

public class AuthorizeFilter : IAsyncAuthorizationFilter
{
    public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var policyEvaluator = GetRequiredService<IPolicyEvaluator>();
        var authenticationResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);
        var authorizationResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticationResult, context.HttpContext, context);
        if (authorizationResult.Challenged)
        {
            context.Result = (IActionResult) new ChallengeResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>());
        }
        else if (authorizationResult.Forbidden)
        {
            context.Result = (IActionResult) new ForbidResult((IList<string>) effectivePolicy.AuthenticationSchemes.ToArray<string>());
        }
    }
}

AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行

public interface IPolicyEvaluator
{
    Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context);
    Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource);
}

public class PolicyEvaluator : IPolicyEvaluator
{
    private readonly IAuthorizationService _authorization;
    public virtual async Task<AuthenticateResult> AuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
    {
    }
    public virtual async Task<PolicyAuthorizationResult> AuthorizeAsync(AuthorizationPolicy policy, AuthenticateResult authenticationResult, HttpContext context, object resource)
    {
        var result = await _authorization.AuthorizeAsync(context.User, resource, policy);
        if (result.Succeeded) return PolicyAuthorizationResult.Success();
        return (authenticationResult.Succeeded) ? PolicyAuthorizationResult.Forbid() : PolicyAuthorizationResult.Challenge();
    }
}

在AuthenticateAsync方法中,将合并policy的所有scheme认证结果。
在AuthorizeAsync方法中,将调用IAuthorizationService来实现授权。

public interface IAuthorizationService
{
    Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements);
    Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName);
}

public class DefaultAuthorizationService : IAuthorizationService
{
    public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, string policyName)
    {
        var policy = await _policyProvider.GetPolicyAsync(policyName);
        return await this.AuthorizeAsync(user, resource, policy);
    }

    public async Task<AuthorizationResult> AuthorizeAsync(ClaimsPrincipal user, object resource, IEnumerable<IAuthorizationRequirement> requirements)
    {
        var authContext = _contextFactory.CreateContext(requirements, user, resource);
        var handlers = await _handlers.GetHandlersAsync(authContext);
        foreach (var handler in handlers)
        {
            await handler.HandleAsync(authContext);
            if (!_options.InvokeHandlersAfterFailure && authContext.HasFailed)
                break;
        }
        return _evaluator.Evaluate(authContext);
    }
}

在IAuthorizationService类中,将调用policy的所有Requirement的Handle处理

总结

授权核心:AuthorizationOptionsAuthorizationPolicyAuthorizationPolicyBuilder

AuthorizationOptions 用于保存 AuthorizationPolicy
AuthorizationPolicyBuilder 用于创建 AuthorizationPolicy
AuthorizationPolicy 包含 IAuthorizationRequirement 和 AuthenticationSchemes
IAuthorizationRequirement 包含授权逻辑 IAuthorizationHandler

执行授权:AuthorizeFilterIPolicyEvaluatorIAuthorizationService

AuthorizeFilter的OnAuthorizationAsync方法会在Action执行前触发,内部调用IPolicyEvaluator执行
IPolicyEvaluator 先根据 Schemes 获取Claims,然后调用 IAuthorizationService 的授权方法
IAuthorizationService 调用 Requirement 对应的Handle授权逻辑

个人觉得源码的一个待优化的地方:在DefaultAuthorizationHandlerProviderGetHandlersAsync方法按需返回IAuthorizationHandler更合适。

本文链接:http://www.cnblogs.com/neverc/p/8204339.html

当前文章:http://jjg789.com/02-18/iwkqp.html

发布时间:2019-03-20 06:50:49

跨越网赚兼职平台 哪里网上兼职 拼多多老店赚钱吗 如何在电脑上打字赚钱 手机免费兼职赚钱学生 晚上适合什么兼职工作 微信号投票赚钱1-3 微信零钱150能赚多少

听歌赚钱(每小时150) 抄歌词赚钱APP www.ayzwzx.cn 秒赚大钱是真的吗 捕鱼游戏赚钱换人民币 网上如何免费赚钱 微鲤头条赚钱是真的吗 三级分销设置佣金 互联网项目代理加盟 推广注册app拿佣金 APP自动赚取佣金 推广投诉中心 秒赚王道兼职可靠吗 可以打码 淘宝优惠券群 淘宝怎么买东西有佣金 qq托管挂机赚钱平台 从网上怎么挣点外快 分享赚3版下载安装 分享赚钱软件

编辑:石辛