Basic programming, .NET technology.

12 - [Updated] - Security - Authentication/ Authorization

This series is a collection of my notes about ASP.NET Core.

Part 1: Startup file.

Part 2: DI.

Part 3: Middleware.

Part 4: Host and Servers.

Part 5: Configurations.

Part 6: Environment.

Part 7: Logs.

Part 8: Error Handling.

Part 9: Routing.

Part 10: Make an HTTP Request.

Part 11: Static files.

Part 13: CORS.


1. Knowledge and basic usages:

  • Authentication is how a subject proves its identity in order to enter a space (server, database, resource, ...)
    • Authentication with Google (example)
    • Authentication with Azure Active Directory
    • Authentication with Twitter
    • Authentication with Linked...

  • Authorization is the set of actions the subject is allowed to perform in that space
    • Role-based:
      • Adding a role check: we can apply a role check at the controller level or the action level, as needed.
[Authorize(Roles = "Administrator")]
public class AdministrationController : Controller
{
}

a. Multiple roles in one attribute: OR condition. The current user must be in the HRManager role or the Finance role.
[Authorize(Roles = "HRManager,Finance")]
public class SalaryController : Controller
{
}

b. Multiple Authorize attributes: AND condition. The current user must be in both the PowerUser role and the ControlPanelUser role.
[Authorize(Roles = "PowerUser")]
[Authorize(Roles = "ControlPanelUser")]
public class ControlPanelController : Controller
{
}

    • Policy-based role check
      • Add a policy in the Startup file (ConfigureServices)
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();
    services.AddRazorPages();
    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequireAdministratorRole",
            policy => policy.RequireRole("Administrator"));
    });
}
    • Use the policy to check authorization at the controller level or the action level through the Policy property of the Authorize attribute
[Authorize(Policy = "RequireAdministratorRole")]
public IActionResult Shutdown()
{
    return View();
}

    • Claim-based
      • A claim is a name-value pair that represents what the subject is, not what the subject can do.
      • Add a claim check: the policy below requires an EmployeeNumber claim whose value is one of the listed values
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();
    services.AddRazorPages();
    services.AddAuthorization(options =>
    {
        options.AddPolicy("EmployeeOnly", policy =>
            policy.RequireClaim("EmployeeNumber", "1", "2", "3", "4", "5"));
    });
}


Usage:

[Authorize(Policy = "EmployeeOnly")]
public class VacationController : Controller
{
    // Only reached when the EmployeeOnly policy succeeds
    public ActionResult VacationBalance()
    {
        return View();
    }
}



2. [Updated][ASP.NET Core 8+] - Using IAuthorizationRequirementData

Scenarios where this may be useful:
- Using an external service to provide policy evaluation.
- Using a large range of policies, so it doesn't make sense to add each individual authorization policy with an AuthorizationOptions.AddPolicy call.
- Creating policies at runtime based on information in an external data source (like a database) or determining authorization requirements dynamically through another mechanism.
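Worked example of the dynamic scenario above (added here; it is not code from this post or from the ASP.NET Core docs): the attribute carries its own requirement and the handler consults an external source instead of the hard-coded EmployeeNumber list in section 1. IEmployeeDirectory, DatabaseEmployeeDirectory and the EmployeeNumber claim lookup are assumptions.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical lookup service standing in for the external data source
// (a database, for example) that knows which employees are active.
public interface IEmployeeDirectory
{
    Task<bool> IsActiveEmployeeAsync(string employeeNumber, string department);
}

// The attribute carries its own requirement, so no AddPolicy call is needed
// per department: [ActiveEmployee("Finance")] on a controller or action is enough.
public sealed class ActiveEmployeeAttribute
    : AuthorizeAttribute, IAuthorizationRequirement, IAuthorizationRequirementData
{
    public ActiveEmployeeAttribute(string department) => Department = department;
    public string Department { get; }

    // The framework calls this to obtain the requirements the attribute represents.
    public IEnumerable<IAuthorizationRequirement> GetRequirements()
    {
        yield return this;
    }
}

// Handler: checks the user's EmployeeNumber claim against the directory.
// Not calling Succeed leaves the requirement unmet, so the request is denied.
public sealed class ActiveEmployeeHandler : AuthorizationHandler<ActiveEmployeeAttribute>
{
    private readonly IEmployeeDirectory _directory;
    public ActiveEmployeeHandler(IEmployeeDirectory directory) => _directory = directory;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ActiveEmployeeAttribute requirement)
    {
        var employeeNumber = context.User.FindFirst("EmployeeNumber")?.Value;
        if (string.IsNullOrEmpty(employeeNumber))
            return; // no claim: deny without hitting the directory

        if (await _directory.IsActiveEmployeeAsync(employeeNumber, requirement.Department))
            context.Succeed(requirement);
    }
}

// Registration in Program.cs (ASP.NET Core 8+); DatabaseEmployeeDirectory is hypothetical:
// builder.Services.AddScoped<IEmployeeDirectory, DatabaseEmployeeDirectory>();
// builder.Services.AddScoped<IAuthorizationHandler, ActiveEmployeeHandler>();
// builder.Services.AddAuthorization();
// Usage: [ActiveEmployee("Finance")] public IActionResult VacationBalance() => View();
```

Because the attribute is only a requirement, every deny decision still comes from the handler; changing which employees are active in the directory takes effect without redeploying policy registrations.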

My code sample

References:

