如何:创建自定义授权属性
本主题演示如何添加自定义属性以进行授权。WCF RIA Services 框架提供了 RequiresAuthenticationAttribute 和 RequiresRoleAttribute 属性。使用这些属性,您能够轻松指定哪些域操作仅对已通过身份验证的用户或具有特定角色的用户可用。除了这两个属性外,您可以创建表示自定义授权逻辑的属性,然后将该属性应用到域操作。
公开域服务时,域服务对网络上的所有用户都可用。不能假定您的客户端应用程序是将访问域服务的唯一应用程序。可以使用自定义身份验证属性来限制对域操作的访问,甚至在您的客户端应用程序之外访问域操作时也是如此。
在本主题中,您通过创建从 AuthorizationAttribute 派生的类并重写 IsAuthorized 方法以提供自定义逻辑,创建了一个自定义授权属性。您可以使用 IPrincipal 参数和 AuthorizationContext 参数来访问您的自定义身份验证代码中可能需要的信息。AuthorizationContext 对象对于查询操作为 null。
创建自定义授权属性
在服务器项目中,创建从 AuthorizationAttribute 派生的类。
重写 IsAuthorized 方法并添加用于确定授权的逻辑。
下面的示例显示一个名为
RestrictAccessToAssignedManagers
的自定义属性,该属性检查已通过身份验证的用户是否是正在更改其EmployeePayHistory
记录的员工的经理:Public Class RestrictAccessToAssignedManagers Inherits AuthorizationAttribute Protected Overrides Function IsAuthorized(ByVal principal As System.Security.Principal.IPrincipal, ByVal authorizationContext As System.ComponentModel.DataAnnotations.AuthorizationContext) As System.ComponentModel.DataAnnotations.AuthorizationResult Dim eph As EmployeePayHistory Dim selectedEmployee As Employee Dim authenticatedUser As Employee eph = CType(authorizationContext.Instance, EmployeePayHistory) Using context As New AdventureWorksEntities() selectedEmployee = context.Employees.SingleOrDefault(Function(e) e.EmployeeID = eph.EmployeeID) authenticatedUser = context.Employees.SingleOrDefault(Function(e) e.LoginID = principal.Identity.Name) End Using If (selectedEmployee.ManagerID = authenticatedUser.EmployeeID) Then Return AuthorizationResult.Allowed Else Return New AuthorizationResult("Only the authenticated manager for the employee can add a new record.") End If End Function End Class
public class RestrictAccessToAssignedManagers : AuthorizationAttribute { protected override AuthorizationResult IsAuthorized(System.Security.Principal.IPrincipal principal, AuthorizationContext authorizationContext) { EmployeePayHistory eph = (EmployeePayHistory)authorizationContext.Instance; Employee selectedEmployee; Employee authenticatedUser; using (AdventureWorksEntities context = new AdventureWorksEntities()) { selectedEmployee = context.Employees.SingleOrDefault(e => e.EmployeeID == eph.EmployeeID); authenticatedUser = context.Employees.SingleOrDefault(e => e.LoginID == principal.Identity.Name); } if (selectedEmployee.ManagerID == authenticatedUser.EmployeeID) { return AuthorizationResult.Allowed; } else { return new AuthorizationResult("Only the authenticated manager for the employee can add a new record."); } } }
若要执行自定义授权逻辑,请将自定义授权属性应用到域操作。
下面的示例显示已应用到域操作的
RestrictAccessToAssignedManagers
属性:<RestrictAccessToAssignedManagers()> _ Public Sub InsertEmployeePayHistory(ByVal employeePayHistory As EmployeePayHistory) If ((employeePayHistory.EntityState = EntityState.Detached) _ = False) Then Me.ObjectContext.ObjectStateManager.ChangeObjectState(employeePayHistory, EntityState.Added) Else Me.ObjectContext.EmployeePayHistories.AddObject(employeePayHistory) End If End Sub
[RestrictAccessToAssignedManagers] public void InsertEmployeePayHistory(EmployeePayHistory employeePayHistory) { if ((employeePayHistory.EntityState != EntityState.Detached)) { this.ObjectContext.ObjectStateManager.ChangeObjectState(employeePayHistory, EntityState.Added); } else { this.ObjectContext.EmployeePayHistories.AddObject(employeePayHistory); } }