Published 2023-06-20 (author: )
Implementing User Groups with Claims in ASP.NET Identity 2.0

Contents

Download source code
Introduction
Background
Using the code
Step 1: Database changes
Step 2: Storing actions
Step 3: Grouping controller actions
Step 4: Authorization check (ClaimsAuthorizeAttribute)
Step 5: Assigning claims

Introduction

ASP.NET Identity is the membership system used to authenticate and authorize the users of an application. The server uses authentication to determine who is accessing its information or site: the user or customer must prove their identity to the web server by logging in with an e-mail address and password, or through one of the social login providers. Authorization is the process by which the server decides, after successful authentication, whether the client is allowed to use a resource or access a file. For more details, see the original documentation.

Identity implements authorization only through roles and claims. If your business logic needs an additional layer of authorization management, such as user groups, you have to build it on top of Identity yourself, because Identity provides no tables or methods for such a layer.

Background

Identity ships with a default schema, to which you can add extension tables as shown in the schema diagram of the original article.

Using the code

The implementation consists of the following steps.

Step 1: Database changes

To introduce user groups you naturally need some tables to store the information. In this implementation only the following tables are added:

1. tblGroups {PK_Id, Name}
2. tblGroupActions {PK_Id, FK_Group, ActionName}
3. tblUserGroups {PK_Id, FK_Group, FK_User}

But where is tblActions? That is the trick, explained in the next section.

Step 2: Storing actions

Where are my actions stored? Actions are defined in the application layer, so adding an entry to a table every time an action is created would be redundant. If we write a function that retrieves all actions in the application, the job is done. The following class does that (the root namespace is not preserved on this page; YourApp is a placeholder):

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Threading.Tasks;
using System.Web.Mvc;

namespace YourApp.Controllers
{
    public class ImplementedMethods
    {
        // Every discovered action, formatted as "HttpGet : Controller/Action"
        public List<string> ActiveMethods;

        public ImplementedMethods()
        {
            var asm = Assembly.GetExecutingAssembly();
            ActiveMethods = asm.GetTypes()
                .Where(type => typeof(Controller).IsAssignableFrom(type))
                .SelectMany(type => type.GetMethods())
                .Where(method => method.IsPublic
                    && !method.IsDefined(typeof(NonActionAttribute))
                    && (method.CustomAttributes.Any(s => s.AttributeType == typeof(HttpPostAttribute))
                        || method.CustomAttributes.Any(s => s.AttributeType == typeof(HttpGetAttribute)))
                    && !method.CustomAttributes.Any(s => s.AttributeType == typeof(AllowAnonymousAttribute))
                    && method.CustomAttributes.Any(s => s.AttributeType == typeof(ClaimsAuthorizeAttribute))
                    && (method.ReturnType == typeof(ActionResult)
                        || method.ReturnType == typeof(Task<ActionResult>)
                        || method.ReturnType == typeof(String)))
                .Select(m => m.CustomAttributes
                        .FirstOrDefault(s => s.AttributeType == typeof(HttpPostAttribute)
                                          || s.AttributeType == typeof(HttpGetAttribute))
                        .AttributeType.Name.Replace("Attribute", "")
                    + " : "
                    // Split('.')[2] assumes a two-segment namespace such as YourApp.Controllers
                    + m.DeclaringType.ToString().Split('.')[2].Replace("Controller", "")
                    + "/" + m.Name)
                .ToList();
        }
    }
}
```

The main goal of the class above is to retrieve every controller method that is decorated with HttpGet or HttpPost, is not decorated with AllowAnonymous, and carries the custom ClaimsAuthorizeAttribute. That attribute both ensures the action is added to the pool and ensures the action checks the logged-in user's claims.

Step 3: Grouping controller actions

Now it is easy to create the Groups controller with {Add, Edit, Delete, Details, AddAction, RevokeAction}:

```csharp
using System;
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

namespace YourApp.Controllers
{
    [Authorize]
    public class GroupsController : Controller
    {
        private AccountingdbEntities db = new AccountingdbEntities();

        // GET: Groups
        public ActionResult Index()
        {
            return View(db.tblGroups.ToList());
        }

        // GET: Groups/Details/5
        public ActionResult Details(int? id)
        {
            if (id == null)
            {
                return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
            }
            tblGroups tblGroups = db.tblGroups.Find(id);
            if (tblGroups == null)
            {
                return HttpNotFound();
            }
            GroupsViewModel groupsViewModel = new GroupsViewModel();
            ImplementedMethods implementedMethods = new ImplementedMethods();
            groupsViewModel.Name = tblGroups.Name;
            groupsViewModel.PK_Id = tblGroups.PK_Id;
            // Actions currently granted to this group
            groupsViewModel.Actions = tblGroups.tblGroupActions
                .Select(s => new ActionsViewModel { PK_Id = s.PK_Id, Name = s.ActionName })
                .ToList();
            // Members of this group. The page's OrdersConut expression is garbled
            // beyond recovery and is left out; the user navigation property name is assumed.
            groupsViewModel.Users = tblGroups.tblUserGroups
                .Select(s => new UsersViewModel { Id = s.FK_User, Name = s.AspNetUsers.UserName })
                .ToList();
            // Discovered actions that are not yet granted to this group
            groupsViewModel.AvailableActions = implementedMethods.ActiveMethods
                .Where(t => !tblGroups.tblGroupActions.Any(k => k.FK_Group == id && k.ActionName == t))
                .Select(s => new SelectListItem { Value = s, Text = s })
                .ToList();
            return View(groupsViewModel);
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult RevokeAction(int GroupId, string ActionName)
        {
            tblGroupActions tblGroupActions = db.tblGroupActions
                .FirstOrDefault(s => s.FK_Group == GroupId && s.ActionName == ActionName);
            if (tblGroupActions != null)
            {
                db.tblGroupActions.Remove(tblGroupActions);
                db.SaveChanges();
            }
            return RedirectToAction("Details", new { id = GroupId });
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult AddAction(int GroupId, string ActionName)
        {
            // Note: ActionName is stored as posted; it is not checked against
            // ImplementedMethods.ActiveMethods here.
            tblGroupActions tblGroupActions = new tblGroupActions
            {
                ActionName = ActionName,
                FK_Group = GroupId
            };
            db.tblGroupActions.Add(tblGroupActions);
            db.SaveChanges();
            return RedirectToAction("Details", new { id = GroupId });
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult RevokeUser(int GroupId, string UserId)
        {
            tblUserGroups tblUserGroups = db.tblUserGroups
                .FirstOrDefault(s => s.FK_Group == GroupId && s.FK_User == UserId);
            if (tblUserGroups != null)
            {
                db.tblUserGroups.Remove(tblUserGroups);
                db.SaveChanges();
            }
            return RedirectToAction("Details", new { id = GroupId });
        }

        protected override void Dispose(bool disposing)
        {
            if (disposing)
            {
                db.Dispose();
            }
            base.Dispose(disposing);
        }
    }
}
```

Step 4: Authorization check (ClaimsAuthorizeAttribute)

By applying this custom AuthorizeAttribute we make sure the application checks whether the current user holds the claim for the action. The nice thing about Identity claims and roles is that, for the current login session, the UserManager keeps the user's claims and roles in memory, so there is no need to hit the database on every check:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

namespace YourApp.Controllers
{
    public class ClaimsAuthorizeAttribute : AuthorizeAttribute
    {
        private string claimType;

        public ClaimsAuthorizeAttribute(string type)
        {
            claimType = type;
        }

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            var user = filterContext.HttpContext.User as ClaimsPrincipal;
            // Claim type and value are the same string, e.g. "HttpGet : Carriers/Index"
            if (user != null && user.HasClaim(claimType, claimType))
            {
                base.OnAuthorization(filterContext);
            }
            else
            {
                HandleUnauthorizedRequest(filterContext);
            }
        }
    }
}
```

Applied to a controller:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;

namespace YourApp.Controllers
{
    [Authorize]
    public class CarriersController : Controller
    {
        [ClaimsAuthorize("HttpGet : Carriers/Index")]
        [HttpGet]
        public ActionResult Index()
        {
            // ...
        }

        [ClaimsAuthorize("HttpGet : Carriers/Details")]
        [HttpGet]
        public ActionResult Details(int? id)
        {
            // ...
        }

        [ClaimsAuthorize("HttpGet : Carriers/Create")]
        [HttpGet]
        public ActionResult Create()
        {
            // ...
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        [ClaimsAuthorize("HttpPost : Carriers/Create")]
        public ActionResult Create(Model model) // the parameter type is garbled on the page
        {
            // ...
        }
    }
}
```

Step 5: Assigning claims

In this implementation we found it best to assign the user's claims at login, because any change to the tblGroupActions table only takes effect after the next login.

```csharp
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task
```
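The Login action is cut off on this page. The following is an added example of the claim assignment described in Step 5, not the article's own code: it assumes the standard ASP.NET Identity 2.0 template types (ApplicationUserManager, LoginViewModel), the page's AccountingdbEntities context and tables, and the placeholder namespace YourApp.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

namespace YourApp.Controllers
{
    public class AccountController : Controller
    {
        // Standard template members (assumed): OWIN user manager and authentication manager
        private ApplicationUserManager UserManager
        {
            get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
        }
        private IAuthenticationManager AuthenticationManager
        {
            get { return HttpContext.GetOwinContext().Authentication; }
        }
        private AccountingdbEntities db = new AccountingdbEntities();

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
        {
            if (!ModelState.IsValid) return View(model);

            var user = await UserManager.FindAsync(model.Email, model.Password);
            if (user == null)
            {
                ModelState.AddModelError("", "Invalid login attempt.");
                return View(model);
            }

            var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);

            // Every action granted to any group the user belongs to (tblUserGroups joined to tblGroupActions)
            var actions = (from ug in db.tblUserGroups
                           join ga in db.tblGroupActions on ug.FK_Group equals ga.FK_Group
                           where ug.FK_User == user.Id
                           select ga.ActionName).Distinct().ToList();

            // One claim per action; type and value are the same string so ClaimsAuthorizeAttribute can match it
            foreach (var action in actions) identity.AddClaim(new Claim(action, action));

            AuthenticationManager.SignIn(new AuthenticationProperties { IsPersistent = model.RememberMe }, identity);
            return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
        }
    }
}
```

The claims are serialized into the authentication cookie, which is why a group change is not visible until the user signs in again; a group with many actions also enlarges that cookie.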