Asp.Net Core Authorize你不知道的那些事(源码解读)
Asp.Net Core Authorize你不知道的那些事(源码解读)
一、前言
IdentityServer4已经分享了一些应用实战的文章,从架构到授权中心的落地应用,也伴随着对IdentityServer4掌握了一些使用规则,但是很多原理性东西还是一知半解,故我这里持续性来带大家一起来解读它的相关源代码,本文先来看看为什么Controller或者Action中添加Authorize或者全局中添加AuthorizeFilter过滤器就可以实现该资源受到保护,需要通过access_token才能通过相关的授权呢?今天我带大家来了解AuthorizeAttribute和AuthorizeFilter的关系及代码解读。
二、代码解读
解读之前我们先来看看下面两种标注授权方式的代码:
标注方式
[Authorize]
[HttpGet]
public async Task
var userId = User.UserId(); return new { name = User.Name(), userId = userId, displayName = User.DisplayName(), merchantId = User.MerchantId(), };}
代码中通过[Authorize]标注来限制该api资源的访问
全局方式
public void ConfigureServices(IServiceCollection services)
{
//全局添加AuthorizeFilter 过滤器方式 services.AddControllers(options=>options.Filters.Add(new AuthorizeFilter())); services.AddAuthorization(); services.AddAuthentication("Bearer") .AddIdentityServerAuthentication(options => { options.Authority = "http://localhost:5000"; //配置Identityserver的授权地址 options.RequireHttpsMetadata = false; //不需要https options.ApiName = OAuthConfig.UserApi.ApiName; //api的name,需要和config的名称相同 });}
全局通过添加AuthorizeFilter过滤器方式进行全局api资源的限制
AuthorizeAttribute
先来看看AuthorizeAttribute源代码:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class AuthorizeAttribute : Attribute, IAuthorizeData
{
/// <summary> /// Initializes a new instance of the <see cref="AuthorizeAttribute"/> class. /// </summary> public AuthorizeAttribute() { } /// <summary> /// Initializes a new instance of the <see cref="AuthorizeAttribute"/> class with the specified policy. /// </summary> /// <param name="policy">The name of the policy to require for authorization.</param> public AuthorizeAttribute(string policy) { Policy = policy; } /// <summary> /// 收取策略 /// </summary> public string Policy { get; set; } /// <summary> /// 授权角色 /// </summary> public string Roles { get; set; } /// <summary> /// 授权Schemes /// </summary> public string AuthenticationSchemes { get; set; }}
代码中可以看到AuthorizeAttribute继承了IAuthorizeData抽象接口,该接口主要是授权数据的约束定义,定义了三个数据属性
Prolicy :授权策略
Roles : 授权角色
AuthenticationSchemes :授权Schemes 的支持
Asp.Net Core 中的http中间件会根据IAuthorizeData这个来获取有哪些授权过滤器,来实现过滤器的拦截并执行相关代码。
我们看看AuthorizeAttribute代码如下:
public interface IAuthorizeData
{
/// <summary> /// Gets or sets the policy name that determines access to the resource. /// </summary> string Policy { get; set; } /// <summary> /// Gets or sets a comma delimited list of roles that are allowed to access the resource. /// </summary> string Roles { get; set; } /// <summary> /// Gets or sets a comma delimited list of schemes from which user information is constructed. /// </summary> string AuthenticationSchemes { get; set; }}
我们再来看看授权中间件(UseAuthorization)的核心代码:
public static IApplicationBuilder UseAuthorization(this IApplicationBuilder app)
{
if (app == null) { throw new ArgumentNullException(nameof(app)); } VerifyServicesRegistered(app); return app.UseMiddleware<AuthorizationMiddleware>();}
代码中注册了AuthorizationMiddleware这个中间件,AuthorizationMiddleware中间件源代码如下:
public class AuthorizationMiddleware
{
// Property key is used by Endpoint routing to determine if Authorization has run private const string AuthorizationMiddlewareInvokedWithEndpointKey = "__AuthorizationMiddlewareWithEndpointInvoked"; private static readonly object AuthorizationMiddlewareWithEndpointInvokedValue = new object(); private readonly RequestDelegate _next; private readonly IAuthorizationPolicyProvider _policyProvider; public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider) { _next = next ?? throw new ArgumentNullException(nameof(next)); _policyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider)); } public async Task Invoke(HttpContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var endpoint = context.GetEndpoint(); if (endpoint != null) { // EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint. // The Authorization middleware can only make this claim if it observes an actual endpoint. context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue; } // 通过终结点路由元素IAuthorizeData来获得对于的AuthorizeAttribute并关联到AuthorizeFilter中 var authorizeData = endpoint?.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>(); var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData); if (policy == null) { await _next(context); return; } // Policy evaluator has transient lifetime so it fetched from request services instead of injecting in constructor var policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>(); var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context); // Allow Anonymous skips all authorization if (endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null) { await _next(context); return; } // Note that the resource will be null if there is no matched endpoint var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource: endpoint); if (authorizeResult.Challenged) { if (policy.AuthenticationSchemes.Any()) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ChallengeAsync(scheme); } } else { await context.ChallengeAsync(); } return; } else if (authorizeResult.Forbidden) { if (policy.AuthenticationSchemes.Any()) { foreach (var scheme in policy.AuthenticationSchemes) { await context.ForbidAsync(scheme); } } else { await context.ForbidAsync(); } return; } await _next(context); } }代码中核心拦截并获得AuthorizeFilter过滤器的代码
var authorizeData = endpoint?.Metadata.GetOrderedMetadata() ?? Array.Empty();
前面我分享过一篇关于 Asp.Net Core EndPoint 终结点路由工作原理解读 的文章里面讲解到通过EndPoint终结点路由来获取Controller和Action中的Attribute特性标注,这里也是通过该方法来拦截获取对于的AuthorizeAttribute的.
而获取到相关authorizeData授权数据后,下面的一系列代码都是通过判断来进行AuthorizeAsync授权执行的方法,这里就不详细分享它的授权认证的过程了。
细心的同学应该已经发现上面的代码有一个比较特殊的代码:
if (endpoint?.Metadata.GetMetadata() != null)
{
await _next(context); return;}
代码中通过endpoint终结点路由来获取是否标注有AllowAnonymous的特性,如果有则直接执行下一个中间件,不进行下面的AuthorizeAsync授权认证方法,
这也是为什么Controller和Action上标注AllowAnonymous可以跳过授权认证的原因了。
AuthorizeFilter 源码
有的人会问AuthorizeAttirbute和AuthorizeFilter有什么关系呢?它们是一个东西吗?
我们再来看看AuthorizeFilter源代码,代码如下:
public class AuthorizeFilter : IAsyncAuthorizationFilter, IFilterFactory
{
/// <summary> /// Initializes a new <see cref="AuthorizeFilter"/> instance. /// </summary> public AuthorizeFilter() : this(authorizeData: new[] { new AuthorizeAttribute() }) { } /// <summary> /// Initialize a new <see cref="AuthorizeFilter"/> instance. /// </summary> /// <param name="policy">Authorization policy to be used.</param> public AuthorizeFilter(AuthorizationPolicy policy) { if (policy == null) { throw new ArgumentNullException(nameof(policy)); } Policy = policy; } /// <summary> /// Initialize a new <see cref="AuthorizeFilter"/> instance. /// </summary> /// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> to use to resolve policy names.</param> /// <param name="authorizeData">The <see cref="IAuthorizeData"/> to combine into an <see cref="IAuthorizeData"/>.</param> public AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData) : this(authorizeData) { if (policyProvider == null) { throw new ArgumentNullException(nameof(policyProvider)); } PolicyProvider = policyProvider; } /// <summary> /// Initializes a new instance of <see cref="AuthorizeFilter"/>. /// </summary> /// <param name="authorizeData">The <see cref="IAuthorizeData"/> to combine into an <see cref="IAuthorizeData"/>.</param> public AuthorizeFilter(IEnumerable<IAuthorizeData> authorizeData) { if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } AuthorizeData = authorizeData; } /// <summary> /// Initializes a new instance of <see cref="AuthorizeFilter"/>. /// </summary> /// <param name="policy">The name of the policy to require for authorization.</param> public AuthorizeFilter(string policy) : this(new[] { new AuthorizeAttribute(policy) }) { } /// <summary> /// The <see cref="IAuthorizationPolicyProvider"/> to use to resolve policy names. /// </summary> public IAuthorizationPolicyProvider PolicyProvider { get; } /// <summary> /// The <see cref="IAuthorizeData"/> to combine into an <see cref="IAuthorizeData"/>. /// </summary> public IEnumerable<IAuthorizeData> AuthorizeData { get; } /// <summary> /// Gets the authorization policy to be used. /// </summary> /// <remarks> /// If<c>null</c>, the policy will be constructed using /// <see cref="AuthorizationPolicy.CombineAsync(IAuthorizationPolicyProvider, IEnumerable{IAuthorizeData})"/>. /// </remarks> public AuthorizationPolicy Policy { get; } bool IFilterFactory.IsReusable => true; // Computes the actual policy for this filter using either Policy or PolicyProvider + AuthorizeData private Task<AuthorizationPolicy> ComputePolicyAsync() { if (Policy != null) { return Task.FromResult(Policy); } if (PolicyProvider == null) { throw new InvalidOperationException( Resources.FormatAuthorizeFilter_AuthorizationPolicyCannotBeCreated( nameof(AuthorizationPolicy), nameof(IAuthorizationPolicyProvider))); } return AuthorizationPolicy.CombineAsync(PolicyProvider, AuthorizeData); } internal async Task<AuthorizationPolicy> GetEffectivePolicyAsync(AuthorizationFilterContext context) { // Combine all authorize filters into single effective policy that's only run on the closest filter var builder = new AuthorizationPolicyBuilder(await ComputePolicyAsync()); for (var i = 0; i < context.Filters.Count; i++) { if (ReferenceEquals(this, context.Filters[i])) { continue; } if (context.Filters[i] is AuthorizeFilter authorizeFilter) { // Combine using the explicit policy, or the dynamic policy provider builder.Combine(await authorizeFilter.ComputePolicyAsync()); } } var endpoint = context.HttpContext.GetEndpoint(); if (endpoint != null) { // When doing endpoint routing, MVC does not create filters for any authorization specific metadata i.e [Authorize] does not // get translated into AuthorizeFilter. Consequently, there are some rough edges when an application uses a mix of AuthorizeFilter // explicilty configured by the user (e.g. global auth filter), and uses endpoint metadata. // To keep the behavior of AuthFilter identical to pre-endpoint routing, we will gather auth data from endpoint metadata // and produce a policy using this. This would mean we would have effectively run some auth twice, but it maintains compat. var policyProvider = PolicyProvider ?? context.HttpContext.RequestServices.GetRequiredService<IAuthorizationPolicyProvider>(); var endpointAuthorizeData = endpoint.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>(); var endpointPolicy = await AuthorizationPolicy.CombineAsync(policyProvider, endpointAuthorizeData); if (endpointPolicy != null) { builder.Combine(endpointPolicy); } } return builder.Build(); } /// <inheritdoc /> public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } if (!context.IsEffectivePolicy(this)) { return; } // IMPORTANT: Changes to authorization logic should be mirrored in security's AuthorizationMiddleware var effectivePolicy = await GetEffectivePolicyAsync(context); if (effectivePolicy == null) { return; } var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService<IPolicyEvaluator>(); var authenticateResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext); // Allow Anonymous skips all authorization if (HasAllowAnonymous(context)) { return; } var authorizeResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticateResult, context.HttpContext, context); if (authorizeResult.Challenged) { context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray()); } else if (authorizeResult.Forbidden) { context.Result = new ForbidResult(effectivePolicy.AuthenticationSchemes.ToArray()); } } IFilterMetadata IFilterFactory.CreateInstance(IServiceProvider serviceProvider) { if (Policy != null || PolicyProvider != null) { // The filter is fully constructed. Use the current instance to authorize. return this; } Debug.Assert(AuthorizeData != null); var policyProvider = serviceProvider.GetRequiredService<IAuthorizationPolicyProvider>(); return AuthorizationApplicationModelProvider.GetFilter(policyProvider, AuthorizeData); } private static bool HasAllowAnonymous(AuthorizationFilterContext context) { var filters = context.Filters; for (var i = 0; i < filters.Count; i++) { if (filters[i] is IAllowAnonymousFilter) { return true; } } // When doing endpoint routing, MVC does not add AllowAnonymousFilters for AllowAnonymousAttributes that // were discovered on controllers and actions. To maintain compat with 2.x, // we'll check for the presence of IAllowAnonymous in endpoint metadata. var endpoint = context.HttpContext.GetEndpoint(); if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null) { return true; } return false; } }代码中继承了 IAsyncAuthorizationFilter, IFilterFactory两个抽象接口,分别来看看这两个抽象接口的源代码
IAsyncAuthorizationFilter源代码如下:
///
/// A filter that asynchronously confirms request authorization.
///
public interface IAsyncAuthorizationFilter : IFilterMetadata
{
///定义了授权的方法 Task OnAuthorizationAsync(AuthorizationFilterContext context);}
IAsyncAuthorizationFilter代码中继承了IFilterMetadata接口,同时定义了OnAuthorizationAsync抽象方法,子类需要实现该方法,然而AuthorizeFilter中也已经实现了该方法,稍后再来详细讲解该方法,我们再继续看看IFilterFactory抽象接口,代码如下:
public interface IFilterFactory : IFilterMetadata
{
bool IsReusable { get; } //创建IFilterMetadata 对象方法 IFilterMetadata CreateInstance(IServiceProvider serviceProvider);}
我们回到AuthorizeFilter 源代码中,该源代码中提供了四个构造初始化方法同时包含了AuthorizeData、Policy属性,我们看看它的默认构造方法代码
public class AuthorizeFilter : IAsyncAuthorizationFilter, IFilterFactory
{
public IEnumerable<IAuthorizeData> AuthorizeData { get; } //默认构造函数中默认创建了AuthorizeAttribute 对象 public AuthorizeFilter() : this(authorizeData: new[] { new AuthorizeAttribute() }) { } //赋值AuthorizeData public AuthorizeFilter(IEnumerable<IAuthorizeData> authorizeData) { if (authorizeData == null) { throw new ArgumentNullException(nameof(authorizeData)); } AuthorizeData = authorizeData; }}
上面的代码中默认的构造函数默认给构建了一个AuthorizeAttribute对象,并且赋值给了IEnumerable的集合属性;
好了,看到这里AuthorizeFilter过滤器也是默认构造了一个AuthorizeAttribute的对象,也就是构造了授权所需要的IAuthorizeData信息.
同时AuthorizeFilter实现的OnAuthorizationAsync方法中通过GetEffectivePolicyAsync这个方法获得有效的授权策略,并且进行下面的授权AuthenticateAsync的执行
AuthorizeFilter代码中提供了HasAllowAnonymous方法来实现是否Controller或者Action上标注了AllowAnonymous特性,用于跳过授权
HasAllowAnonymous代码如下:
private static bool HasAllowAnonymous(AuthorizationFilterContext context)
{
var filters = context.Filters; for (var i = 0; i < filters.Count; i++) { if (filters[i] is IAllowAnonymousFilter) { return true; } } //同样通过上下文的endpoint 来获取是否标注了AllowAnonymous特性 var endpoint = context.HttpContext.GetEndpoint(); if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null) { return true; } return false;}
到这里我们再回到全局添加过滤器的方式代码:
services.AddControllers(options=>options.Filters.Add(new AuthorizeFilter()));
分析到这里 ,我很是好奇,它是怎么全局添加进去的呢?我打开源代码看了下,源代码如下:
public class MvcOptions : IEnumerable
{
public MvcOptions() { CacheProfiles = new Dictionary<string, CacheProfile>(StringComparer.OrdinalIgnoreCase); Conventions = new List<IApplicationModelConvention>(); Filters = new FilterCollection(); FormatterMappings = new FormatterMappings(); InputFormatters = new FormatterCollection<IInputFormatter>(); OutputFormatters = new FormatterCollection<IOutputFormatter>(); ModelBinderProviders = new List<IModelBinderProvider>(); ModelBindingMessageProvider = new DefaultModelBindingMessageProvider(); ModelMetadataDetailsProviders = new List<IMetadataDetailsProvider>(); ModelValidatorProviders = new List<IModelValidatorProvider>(); ValueProviderFactories = new List<IValueProviderFactory>(); } //过滤器集合 public FilterCollection Filters { get; }}
FilterCollection相关核心代码如下:
public class FilterCollection : Collection
{
public IFilterMetadata Add<TFilterType>() where TFilterType : IFilterMetadata { return Add(typeof(TFilterType)); } //其他核心代码为贴出来}
代码中提供了Add方法,约束了IFilterMetadata类型的对象,这也是上面的过滤器中为什么都继承了IFilterMetadata的原因。
到这里代码解读和实现原理已经分析完了,如果有分析不到位之处还请多多指教!!!
结论:授权中间件通过获取IAuthorizeData来获取AuthorizeAttribute对象相关的授权信息,并构造授权策略对象进行授权认证的,而AuthorizeFilter过滤器也会默认添加AuthorizeAttribute的授权相关数据IAuthorizeData并实现OnAuthorizationAsync方法,同时中间件中通过授权策略提供者IAuthorizationPolicyProvider来获得对于的授权策略进行授权认证.
作者:Jlion
关注公众号 低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。
持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。
转载内容版权归作者及来源网站所有,本站原创内容转载请注明来源。
- 上一篇
用最简单的方式在ASP.NET Core应用中实现认证、登录和注销
用最简单的方式在ASP.NET Core应用中实现认证、登录和注销在安全领域,认证和授权是两个重要的主题。认证是安全体系的第一道屏障,是守护整个应用或者服务的第一道大门。当访问者请求进入的时候,认证体系通过验证对方的提供凭证确定其真实身份。认证体系只有在证实了访问者的真实身份的情况下才会允许其进入。ASP.NET Core提供了多种认证方式,它们的实现都基于相同的认证模型。本篇文章提供了一个极简的实例让读者体验如何在ASP.NET Core应用中实现认证、登录和注销。 本篇文章节选自《ASP.NET Core 3框架揭秘》(下册),针对本书的限时5折优惠截至到今天24时,有兴趣的朋友可以通过加入读者群进行购买。入群方式:扫描右方二维码添加“博文小丸子(broadview002)”,并将本书书号“38462”作为验证信息。源代码从这里下载。 一、认证票据认证是一个旨在确定请求访问者真实身份的过程,与认证相关的还有其他两个基本操作——登录与注销。要真正理解认证、登录与注销这3个核心操作的本质,就需要对ASP.NET Core采用的基于“票据”的认证机制有基本的了解。ASP.NET Core...
- 下一篇
Nacos作为微服务注册中心,爱不释手的感觉
Nacos作为微服务注册中心,爱不释手的感觉我觉得Nacos用起来还不错在使用SpringCloud做分布式微服务架构时,注册中心是必不可少的一个组件。目前可以用的主要有:Eureka、Consul、Zookeeper。今天,我们就来说一下Alibaba的Nacos怎么样? 下载与安装下载地址https://github.com/alibaba/nacos/releases安装:Windows 下载解压后(.zip),直接点击bin/start.bat就可以了。Linux下载解压后(.tar.gz),同样,也是运行 bin/start.sh 脚本。打开控制台:Nacos提供了一个可视化的操作平台,安装好之后,在浏览器中输入http://localhost:8848就可以访问了,默认的用户名和密码都是nacos(我使用的1.2.0版本。默认将密码验证给关了,这个选项后边会说) Nacos简介Nacos是由阿里巴巴开源的一个好东西,直接贴上它的官网,就不再这么累赘了,毕竟是国人开发的,是有中文文档的,上边写的很全面。https://nacos.io/zh-cn/docs/quick-sta...
相关文章
文章评论
共有0条评论来说两句吧...
文章二维码
点击排行
推荐阅读
最新文章
- Linux系统CentOS6、CentOS7手动修改IP地址
- CentOS8安装Docker,最新的服务器搭配容器使用
- CentOS7安装Docker,走上虚拟化容器引擎之路
- Docker快速安装Oracle11G,搭建oracle11g学习环境
- Docker安装Oracle12C,快速搭建Oracle学习环境
- Docker使用Oracle官方镜像安装(12C,18C,19C)
- CentOS7,8上快速安装Gitea,搭建Git服务器
- MySQL8.0.19开启GTID主从同步CentOS8
- SpringBoot2配置默认Tomcat设置,开启更多高级功能
- CentOS8编译安装MySQL8.0.19
微信收款码
支付宝收款码