Reputation: 85
Authorize against a list of policies
I am working on different applications each of which has its own role members.
In Startup.cs
var c= _configuration.GetSection(nameof(Configuration)).Get<List<Configuration>>();
foreach (Configuration r in c)
{
services.AddAuthorization(options => {
options.AddPolicy(Configuration.Role, policy =>
policy.RequireRole(r.RoleMembers.Split(",")));
});
}
The below code doesn't work as I am referring to an array.
[Authorize(Policy = Configuration.Role)]
How can I authorize against the 0th element?
Upvotes: 2
Views: 2479
Answers (2)
Reputation: 20126
You could implement your custom AuthorizeAttribute for multiple policies.
1.AuthorizeMultiplePolicyAttribute
public class AuthorizeMultiplePolicyAttribute : TypeFilterAttribute
{
public AuthorizeMultiplePolicyAttribute(string[] policies) : base(typeof(AuthorizeMultiplePolicyFilter))
{
Arguments = new object[] { policies };
}
}
2.AuthorizeMultiplePolicyFilter
public class AuthorizeMultiplePolicyFilter : IAsyncAuthorizationFilter
{
private readonly IAuthorizationService _authorization;
public string[] _policies { get; private set; }
public AuthorizeMultiplePolicyFilter(string[] policies,IAuthorizationService authorization)
{
_policies = policies;
_authorization = authorization;
}
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
{
foreach (var policy in _policies)
{
var authorized = await _authorization.AuthorizeAsync(context.HttpContext.User, policy);
if (!authorized.Succeeded)
{
context.Result = new ForbidResult();
return;
}
}
}
}
3.Add Policy you want on Startup one by one
services.AddAuthorization(options =>
{
//register all policies based on your own code,give them different policy name
options.AddPolicy("AdminPolicy", policy =>
policy.RequireRole("Admin"));
options.AddPolicy("SuperPolicy", policy =>
policy.RequireRole("Super"));
});
4.Use the custom attribute
[AuthorizeMultiplePolicy(new string[] { "AdminPolicy", "SuperPolicy" })]
Upvotes: 4
Reputation: 533
I admit I have never tried something like this before, but I am pretty certain the policies have to have a name and the authorize attribute would reference that.
Maybe something like this would work if each config entry you are looping through had an identifier field, in this case I name it title.
var c= _configuration.GetSection(nameof(Configuration)).Get<List<Configuration>>();
foreach (Configuration r in c)
{
services.AddAuthorization(options => {
options.AddPolicy("RolePolicy" + r.title, policy =>
policy.RequireRole(r.RoleMembers.Split(",")));
});
}
I think your split call on rolemembers would work, but I haven't tried it.
And assuming the title for one of the entries in the config section was "AdminOnly"
[Authorize(Policy = "RolePolicyAdminOnly")]
I think that will give you what you want.
Edit: Actually I take it back, I think the split to expand the rolemembers will fail since it has to be a comma delimited list of string and the comma not in the string. I am not sure this can be defined from the config. You may need to look into IAuthorizationService and moving your entries outside of the config.
Upvotes: 0
Related Questions
- ASP.NET 5 Authorize against two or more policies (OR-combined policy)
- Checking for one of multiple policies with Authorize attribute in ASP.NET Core Identity
- How to create a custom Authorize attribute for multiple policies in ASP.NET CORE
- How to define authorization policy?
- Check authorization policy inside the action controller
- Custom Policy-Based Authorization in ASP.NET Framework
- Policy based Authorization not working in asp.net core
- How to correctly setup Policy Authorization for WEB API in .NET Core
- .Net Core Web API, Authorize a Action if Either of Role OR Policy Matches
- Custom Policy for Authorization