I. Preface

Several articles on IdentityServer4 have already been shared here, from architecture through to the practical deployment of an authorization server, and along the way we have picked up a number of rules for using IdentityServer4. Many of the underlying principles, however, are still only half understood, so I will keep walking through the relevant source code with you. This article looks at why adding Authorize to a Controller or Action, or adding an AuthorizeFilter globally, is enough to put that resource under protection so that it can only be reached with a valid access_token. Today I will take you through the relationship between AuthorizeAttribute and AuthorizeFilter and read through their code.

II. Code walkthrough

Before reading the source, let's look at the two ways of declaring authorization.

Attribute annotation:

```csharp
[Authorize]
[HttpGet]
public async Task<object> Get()
{
    var userId = User.UserId();
    return new
    {
        name = User.Name(),
        userId = userId,
        displayName = User.DisplayName(),
        merchantId = User.MerchantId(),
    };
}
```
The [Authorize] annotation restricts access to this API resource.

Global registration:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    // Register the AuthorizeFilter globally
    services.AddControllers(options => options.Filters.Add(new AuthorizeFilter()));
    services.AddAuthorization();
    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "http://localhost:5000"; // IdentityServer authority address
            options.RequireHttpsMetadata = false;        // HTTPS is not required
            options.ApiName = OAuthConfig.UserApi.ApiName; // The API name must match the one in Config
        });
}
```
Here the AuthorizeFilter is added globally to restrict every API resource.

AuthorizeAttribute

Let's start with the AuthorizeAttribute source:

```csharp
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class AuthorizeAttribute : Attribute, IAuthorizeData
{
    /// <summary>
    /// Initializes a new instance of the <see cref="AuthorizeAttribute"/> class.
    /// </summary>
    public AuthorizeAttribute() { }

    /// <summary>
    /// Initializes a new instance of the <see cref="AuthorizeAttribute"/> class with the specified policy.
    /// </summary>
    /// <param name="policy">The name of the policy to require for authorization.</param>
    public AuthorizeAttribute(string policy)
    {
        Policy = policy;
    }

    /// <summary>
    /// Authorization policy
    /// </summary>
    public string Policy { get; set; }

    /// <summary>
    /// Authorized roles
    /// </summary>
    public string Roles { get; set; }

    /// <summary>
    /// Authentication schemes
    /// </summary>
    public string AuthenticationSchemes { get; set; }
}
```
As the code shows, AuthorizeAttribute implements the IAuthorizeData interface, which defines the constraints on authorization data. It declares three properties: Policy (the authorization policy), Roles (the authorized roles) and AuthenticationSchemes (the supported authentication schemes). The ASP.NET Core HTTP middleware uses IAuthorizeData to find out which authorization data applies, intercepts the request accordingly and runs the related code. The IAuthorizeData code is as follows:

```csharp
public interface IAuthorizeData
{
    /// <summary>
    /// Gets or sets the policy name that determines access to the resource.
    /// </summary>
    string Policy { get; set; }

    /// <summary>
    /// Gets or sets a comma delimited list of roles that are allowed to access the resource.
    /// </summary>
    string Roles { get; set; }

    /// <summary>
    /// Gets or sets a comma delimited list of schemes from which user information is constructed.
    /// </summary>
    string AuthenticationSchemes { get; set; }
}
```
Next, the core code of the authorization middleware, UseAuthorization:

```csharp
public static IApplicationBuilder UseAuthorization(this IApplicationBuilder app)
{
    if (app == null)
    {
        throw new ArgumentNullException(nameof(app));
    }

    VerifyServicesRegistered(app);
    return app.UseMiddleware<AuthorizationMiddleware>();
}
```
This registers the AuthorizationMiddleware middleware. The AuthorizationMiddleware source is as follows:

```csharp
public class AuthorizationMiddleware
{
    // Property key is used by Endpoint routing to determine if Authorization has run
    private const string AuthorizationMiddlewareInvokedWithEndpointKey = "__AuthorizationMiddlewareWithEndpointInvoked";
    private static readonly object AuthorizationMiddlewareWithEndpointInvokedValue = new object();

    private readonly RequestDelegate _next;
    private readonly IAuthorizationPolicyProvider _policyProvider;

    public AuthorizationMiddleware(RequestDelegate next, IAuthorizationPolicyProvider policyProvider)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _policyProvider = policyProvider ?? throw new ArgumentNullException(nameof(policyProvider));
    }

    public async Task Invoke(HttpContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        var endpoint = context.GetEndpoint();

        if (endpoint != null)
        {
            // EndpointRoutingMiddleware uses this flag to check if the Authorization middleware processed auth metadata on the endpoint.
            // The Authorization middleware can only make this claim if it observes an actual endpoint.
            context.Items[AuthorizationMiddlewareInvokedWithEndpointKey] = AuthorizationMiddlewareWithEndpointInvokedValue;
        }

        // Obtain the AuthorizeAttribute instances through the endpoint's IAuthorizeData metadata
        // (the same data an AuthorizeFilter carries)
        var authorizeData = endpoint?.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>();

        var policy = await AuthorizationPolicy.CombineAsync(_policyProvider, authorizeData);
        if (policy == null)
        {
            await _next(context);
            return;
        }

        // Policy evaluator has transient lifetime so it fetched from request services instead of injecting in constructor
        var policyEvaluator = context.RequestServices.GetRequiredService<IPolicyEvaluator>();

        var authenticateResult = await policyEvaluator.AuthenticateAsync(policy, context);

        // Allow Anonymous skips all authorization
        if (endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null)
        {
            await _next(context);
            return;
        }

        // Note that the resource will be null if there is no matched endpoint
        var authorizeResult = await policyEvaluator.AuthorizeAsync(policy, authenticateResult, context, resource: endpoint);

        if (authorizeResult.Challenged)
        {
            if (policy.AuthenticationSchemes.Any())
            {
                foreach (var scheme in policy.AuthenticationSchemes)
                {
                    await context.ChallengeAsync(scheme);
                }
            }
            else
            {
                await context.ChallengeAsync();
            }

            return;
        }
        else if (authorizeResult.Forbidden)
        {
            if (policy.AuthenticationSchemes.Any())
            {
                foreach (var scheme in policy.AuthenticationSchemes)
                {
                    await context.ForbidAsync(scheme);
                }
            }
            else
            {
                await context.ForbidAsync();
            }

            return;
        }

        await _next(context);
    }
}
```
The core line that intercepts the request and retrieves the authorization data is:

```csharp
var authorizeData = endpoint?.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>();
```
I shared an article earlier on how ASP.NET Core endpoint routing works (Asp.Net Core EndPoint 终结点路由工作原理解读), which explains how endpoint routing is used to obtain the attributes declared on Controllers and Actions; the same mechanism is used here to intercept the request and pick up the corresponding AuthorizeAttribute. Once the authorizeData has been obtained, the code that follows is a series of checks leading up to the AuthorizeAsync call that performs the authorization; I will not go into the details of the authentication and authorization process here. Attentive readers will have noticed one rather special piece of code above:

```csharp
if (endpoint?.Metadata.GetMetadata<IAllowAnonymous>() != null)
{
    await _next(context);
    return;
}
```
This asks the endpoint whether the AllowAnonymous attribute is present; if it is, the next middleware runs immediately and the AuthorizeAsync call below is skipped. This is why annotating a Controller or Action with AllowAnonymous bypasses authentication and authorization.

AuthorizeFilter source

Some will ask: what is the relationship between AuthorizeAttribute and AuthorizeFilter? Are they the same thing? Let's look at the AuthorizeFilter source:

```csharp
public class AuthorizeFilter : IAsyncAuthorizationFilter, IFilterFactory
{
    /// <summary>
    /// Initializes a new <see cref="AuthorizeFilter"/> instance.
    /// </summary>
    public AuthorizeFilter()
        : this(authorizeData: new[] { new AuthorizeAttribute() })
    {
    }

    /// <summary>
    /// Initialize a new <see cref="AuthorizeFilter"/> instance.
    /// </summary>
    /// <param name="policy">Authorization policy to be used.</param>
    public AuthorizeFilter(AuthorizationPolicy policy)
    {
        if (policy == null)
        {
            throw new ArgumentNullException(nameof(policy));
        }

        Policy = policy;
    }

    /// <summary>
    /// Initialize a new <see cref="AuthorizeFilter"/> instance.
    /// </summary>
    /// <param name="policyProvider">The <see cref="IAuthorizationPolicyProvider"/> to use to resolve policy names.</param>
    /// <param name="authorizeData">The <see cref="IAuthorizeData"/> to combine into an <see cref="IAuthorizeData"/>.</param>
    public AuthorizeFilter(IAuthorizationPolicyProvider policyProvider, IEnumerable<IAuthorizeData> authorizeData)
        : this(authorizeData)
    {
        if (policyProvider == null)
        {
            throw new ArgumentNullException(nameof(policyProvider));
        }

        PolicyProvider = policyProvider;
    }

    /// <summary>
    /// Initializes a new instance of <see cref="AuthorizeFilter"/>.
    /// </summary>
    /// <param name="authorizeData">The <see cref="IAuthorizeData"/> to combine into an <see cref="IAuthorizeData"/>.</param>
    public AuthorizeFilter(IEnumerable<IAuthorizeData> authorizeData)
    {
        if (authorizeData == null)
        {
            throw new ArgumentNullException(nameof(authorizeData));
        }

        AuthorizeData = authorizeData;
    }

    /// <summary>
    /// Initializes a new instance of <see cref="AuthorizeFilter"/>.
    /// </summary>
    /// <param name="policy">The name of the policy to require for authorization.</param>
    public AuthorizeFilter(string policy)
        : this(new[] { new AuthorizeAttribute(policy) })
    {
    }

    /// <summary>
    /// The <see cref="IAuthorizationPolicyProvider"/> to use to resolve policy names.
    /// </summary>
    public IAuthorizationPolicyProvider PolicyProvider { get; }

    /// <summary>
    /// The <see cref="IAuthorizeData"/> to combine into an <see cref="IAuthorizeData"/>.
    /// </summary>
    public IEnumerable<IAuthorizeData> AuthorizeData { get; }

    /// <summary>
    /// Gets the authorization policy to be used.
    /// </summary>
    /// <remarks>
    /// If <c>null</c>, the policy will be constructed using
    /// <see cref="AuthorizationPolicy.CombineAsync(IAuthorizationPolicyProvider, IEnumerable{IAuthorizeData})"/>.
    /// </remarks>
    public AuthorizationPolicy Policy { get; }

    bool IFilterFactory.IsReusable => true;

    // Computes the actual policy for this filter using either Policy or PolicyProvider + AuthorizeData
    private Task<AuthorizationPolicy> ComputePolicyAsync()
    {
        if (Policy != null)
        {
            return Task.FromResult(Policy);
        }

        if (PolicyProvider == null)
        {
            throw new InvalidOperationException(
                Resources.FormatAuthorizeFilter_AuthorizationPolicyCannotBeCreated(
                    nameof(AuthorizationPolicy),
                    nameof(IAuthorizationPolicyProvider)));
        }

        return AuthorizationPolicy.CombineAsync(PolicyProvider, AuthorizeData);
    }

    internal async Task<AuthorizationPolicy> GetEffectivePolicyAsync(AuthorizationFilterContext context)
    {
        // Combine all authorize filters into single effective policy that's only run on the closest filter
        var builder = new AuthorizationPolicyBuilder(await ComputePolicyAsync());

        for (var i = 0; i < context.Filters.Count; i++)
        {
            if (ReferenceEquals(this, context.Filters[i]))
            {
                continue;
            }

            if (context.Filters[i] is AuthorizeFilter authorizeFilter)
            {
                // Combine using the explicit policy, or the dynamic policy provider
                builder.Combine(await authorizeFilter.ComputePolicyAsync());
            }
        }

        var endpoint = context.HttpContext.GetEndpoint();
        if (endpoint != null)
        {
            // When doing endpoint routing, MVC does not create filters for any authorization specific metadata i.e [Authorize] does not
            // get translated into AuthorizeFilter. Consequently, there are some rough edges when an application uses a mix of AuthorizeFilter
            // explicitly configured by the user (e.g. global auth filter), and uses endpoint metadata.
            // To keep the behavior of AuthFilter identical to pre-endpoint routing, we will gather auth data from endpoint metadata
            // and produce a policy using this. This would mean we would have effectively run some auth twice, but it maintains compat.
            var policyProvider = PolicyProvider ?? context.HttpContext.RequestServices.GetRequiredService<IAuthorizationPolicyProvider>();
            var endpointAuthorizeData = endpoint.Metadata.GetOrderedMetadata<IAuthorizeData>() ?? Array.Empty<IAuthorizeData>();

            var endpointPolicy = await AuthorizationPolicy.CombineAsync(policyProvider, endpointAuthorizeData);
            if (endpointPolicy != null)
            {
                builder.Combine(endpointPolicy);
            }
        }

        return builder.Build();
    }

    /// <inheritdoc />
    public virtual async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException(nameof(context));
        }

        if (!context.IsEffectivePolicy(this))
        {
            return;
        }

        // IMPORTANT: Changes to authorization logic should be mirrored in security's AuthorizationMiddleware
        var effectivePolicy = await GetEffectivePolicyAsync(context);
        if (effectivePolicy == null)
        {
            return;
        }

        var policyEvaluator = context.HttpContext.RequestServices.GetRequiredService<IPolicyEvaluator>();

        var authenticateResult = await policyEvaluator.AuthenticateAsync(effectivePolicy, context.HttpContext);

        // Allow Anonymous skips all authorization
        if (HasAllowAnonymous(context))
        {
            return;
        }

        var authorizeResult = await policyEvaluator.AuthorizeAsync(effectivePolicy, authenticateResult, context.HttpContext, context);

        if (authorizeResult.Challenged)
        {
            context.Result = new ChallengeResult(effectivePolicy.AuthenticationSchemes.ToArray());
        }
        else if (authorizeResult.Forbidden)
        {
            context.Result = new ForbidResult(effectivePolicy.AuthenticationSchemes.ToArray());
        }
    }

    IFilterMetadata IFilterFactory.CreateInstance(IServiceProvider serviceProvider)
    {
        if (Policy != null || PolicyProvider != null)
        {
            // The filter is fully constructed. Use the current instance to authorize.
            return this;
        }

        Debug.Assert(AuthorizeData != null);
        var policyProvider = serviceProvider.GetRequiredService<IAuthorizationPolicyProvider>();
        return AuthorizationApplicationModelProvider.GetFilter(policyProvider, AuthorizeData);
    }

    private static bool HasAllowAnonymous(AuthorizationFilterContext context)
    {
        var filters = context.Filters;
        for (var i = 0; i < filters.Count; i++)
        {
            if (filters[i] is IAllowAnonymousFilter)
            {
                return true;
            }
        }

        // When doing endpoint routing, MVC does not add AllowAnonymousFilters for AllowAnonymousAttributes that
        // were discovered on controllers and actions. To maintain compat with 2.x,
        // we'll check for the presence of IAllowAnonymous in endpoint metadata.
        var endpoint = context.HttpContext.GetEndpoint();
        if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
        {
            return true;
        }

        return false;
    }
}
```
AuthorizeFilter implements two interfaces, IAsyncAuthorizationFilter and IFilterFactory. Let's look at each in turn. The IAsyncAuthorizationFilter source is:

```csharp
/// <summary>
/// A filter that asynchronously confirms request authorization.
/// </summary>
public interface IAsyncAuthorizationFilter : IFilterMetadata
{
    // Declares the authorization method
    Task OnAuthorizationAsync(AuthorizationFilterContext context);
}
```
IAsyncAuthorizationFilter extends IFilterMetadata and declares the abstract method OnAuthorizationAsync, which implementing classes must provide; AuthorizeFilter does implement it, and we will come back to that method shortly. Next, the IFilterFactory interface:

```csharp
public interface IFilterFactory : IFilterMetadata
{
    bool IsReusable { get; }

    // Creates the IFilterMetadata instance
    IFilterMetadata CreateInstance(IServiceProvider serviceProvider);
}
```
Back to the AuthorizeFilter source. It provides four constructors along with the AuthorizeData and Policy properties. Let's look at its default constructor:

```csharp
public class AuthorizeFilter : IAsyncAuthorizationFilter, IFilterFactory
{
    public IEnumerable<IAuthorizeData> AuthorizeData { get; }

    // The default constructor creates an AuthorizeAttribute
    public AuthorizeFilter()
        : this(authorizeData: new[] { new AuthorizeAttribute() })
    {
    }

    // Assigns AuthorizeData
    public AuthorizeFilter(IEnumerable<IAuthorizeData> authorizeData)
    {
        if (authorizeData == null)
        {
            throw new ArgumentNullException(nameof(authorizeData));
        }

        AuthorizeData = authorizeData;
    }
}
```
In the code above the default constructor builds an AuthorizeAttribute and assigns it to the IEnumerable<IAuthorizeData> collection property. So the AuthorizeFilter also constructs an AuthorizeAttribute by default, which is exactly the IAuthorizeData information that authorization needs. The OnAuthorizationAsync method implemented by AuthorizeFilter obtains the effective authorization policy through GetEffectivePolicyAsync and then runs AuthenticateAsync and the authorization that follows. AuthorizeFilter also provides a HasAllowAnonymous method to determine whether the Controller or Action is annotated with AllowAnonymous so that authorization can be skipped. The HasAllowAnonymous code:

```csharp
private static bool HasAllowAnonymous(AuthorizationFilterContext context)
{
    var filters = context.Filters;
    for (var i = 0; i < filters.Count; i++)
    {
        if (filters[i] is IAllowAnonymousFilter)
        {
            return true;
        }
    }

    // Likewise, ask the endpoint from the context whether AllowAnonymous was declared
    var endpoint = context.HttpContext.GetEndpoint();
    if (endpoint?.Metadata?.GetMetadata<IAllowAnonymous>() != null)
    {
        return true;
    }

    return false;
}
```
Now let's return to the global filter registration:

```csharp
services.AddControllers(options => options.Filters.Add(new AuthorizeFilter()));
```
At this point I was curious how the filter actually gets added globally, so I opened the source. It looks like this:

```csharp
public class MvcOptions : IEnumerable<ICompatibilitySwitch>
{
    public MvcOptions()
    {
        CacheProfiles = new Dictionary<string, CacheProfile>(StringComparer.OrdinalIgnoreCase);
        Conventions = new List<IApplicationModelConvention>();
        Filters = new FilterCollection();
        FormatterMappings = new FormatterMappings();
        InputFormatters = new FormatterCollection<IInputFormatter>();
        OutputFormatters = new FormatterCollection<IOutputFormatter>();
        ModelBinderProviders = new List<IModelBinderProvider>();
        ModelBindingMessageProvider = new DefaultModelBindingMessageProvider();
        ModelMetadataDetailsProviders = new List<IMetadataDetailsProvider>();
        ModelValidatorProviders = new List<IModelValidatorProvider>();
        ValueProviderFactories = new List<IValueProviderFactory>();
    }

    // The filter collection
    public FilterCollection Filters { get; }
}
```

The core of FilterCollection is:

```csharp
public class FilterCollection : Collection<IFilterMetadata>
{
    public IFilterMetadata Add<TFilterType>() where TFilterType : IFilterMetadata
    {
        return Add(typeof(TFilterType));
    }

    // Other code not shown
}
```
The Add method constrains its argument to IFilterMetadata, which is why every filter above implements IFilterMetadata. That completes the code walkthrough and the analysis of how it works; if any part of the analysis falls short, corrections are welcome.

Conclusion

The authorization middleware retrieves IAuthorizeData to obtain the authorization information carried by AuthorizeAttribute objects, builds an authorization policy object from it and performs authentication and authorization. The AuthorizeFilter likewise adds AuthorizeAttribute's authorization data (IAuthorizeData) by default and implements OnAuthorizationAsync; in both the middleware and the filter, the corresponding authorization policy is obtained from the policy provider IAuthorizationPolicyProvider and used for authorization.
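To make the combining step concrete, here is an added example (my own code, not from the post or from ASP.NET Core) that calls the same AuthorizationPolicy.CombineAsync the middleware and AuthorizeFilter use, feeding it the bare AuthorizeAttribute a global AuthorizeFilter contributes plus an action-level attribute, and then evaluates the resulting policy against two constructed principals. It assumes a project referencing Microsoft.AspNetCore.Authorization (for example via a FrameworkReference to Microsoft.AspNetCore.App); the "ApiScope" policy name, the "userapi" scope value and the claims are assumptions made for the demo.

```csharp
// Added example, not code from the post or ASP.NET Core: builds the combined
// policy that AuthorizationMiddleware / AuthorizeFilter derive from IAuthorizeData
// and evaluates it. "ApiScope", "userapi" and the claims are demo assumptions.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
class CombinedPolicyDemo
{
    static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddAuthorizationCore(o =>
            o.AddPolicy("ApiScope", b => b.RequireClaim("scope", "userapi")));
        var sp = services.BuildServiceProvider();
        var provider = sp.GetRequiredService<IAuthorizationPolicyProvider>();
        var authz = sp.GetRequiredService<IAuthorizationService>();

        // The bare attribute is what new AuthorizeFilter() contributes globally;
        // the second one stands for an action-level
        // [Authorize(Policy = "ApiScope", Roles = "admin", AuthenticationSchemes = "Bearer")].
        IAuthorizeData[] authorizeData =
        {
            new AuthorizeAttribute(),
            new AuthorizeAttribute
            {
                Policy = "ApiScope", Roles = "admin", AuthenticationSchemes = "Bearer"
            },
        };

        // Same call the middleware makes: requirements are ANDed, schemes are unioned
        var policy = await AuthorizationPolicy.CombineAsync(provider, authorizeData);
        foreach (var req in policy.Requirements)
            Console.WriteLine(req.GetType().Name);
        Console.WriteLine("schemes: " + string.Join(",", policy.AuthenticationSchemes));

        // Constructed principals: both carry the scope, only one has the admin role
        var reader = Principal(new Claim("scope", "userapi"), new Claim(ClaimTypes.Role, "reader"));
        var admin = Principal(new Claim("scope", "userapi"), new Claim(ClaimTypes.Role, "admin"));
        Console.WriteLine("reader: " + (await authz.AuthorizeAsync(reader, null, policy)).Succeeded);
        Console.WriteLine("admin: " + (await authz.AuthorizeAsync(admin, null, policy)).Succeeded);
    }

    // An authenticationType is required, otherwise DenyAnonymous rejects the identity
    static ClaimsPrincipal Principal(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "Bearer"));
}
```

The bare attribute pulls in the provider's default policy (deny anonymous), the second adds the named policy's claim requirement, the role requirement and the Bearer scheme, so the reader principal fails on the role while the admin principal satisfies every requirement. Note that an IAllowAnonymous on the endpoint would bypass all of these requirements, including the role check, which is why AllowAnonymous placed at controller level deserves the same review as a missing Authorize.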