Question
I'm trying to stop requests on a route using the Authorize annotation, but I can't get it to work with Active Directory. Has anyone got this working yet?
    [HttpGet]
    [Authorize(Roles = "DOMAIN\\Group A")]
    [Route("/")] // GET: /
    public IActionResult Index()
    {
        return View();
    }
Note: I've also tried Authorize(Roles = @"DOMAIN\\Group A")
Just to give some background, I'm running Windows, Visual Studio Pro 2015 (Update 3).
Here's a bit from my project.json file:
    "dependencies": {
      "Microsoft.AspNetCore.Authorization": "1.0.0",
      "Microsoft.AspNetCore.Mvc": "1.0.0",
      "Microsoft.AspNetCore.Server.IISIntegration": "1.0.0",
      "Microsoft.AspNetCore.Server.Kestrel": "1.0.0",
      "Microsoft.Extensions.Configuration.CommandLine": "1.0.0",
      "Microsoft.Extensions.Configuration.EnvironmentVariables": "1.0.0",
      "Microsoft.Extensions.Configuration.FileExtensions": "1.0.0",
      "Microsoft.Extensions.Configuration.Json": "1.0.0",
      "Microsoft.Extensions.Logging": "1.0.0",
      "Microsoft.Extensions.Logging.Console": "1.0.0",
      "Microsoft.Extensions.Logging.Debug": "1.0.0",
      "Microsoft.Extensions.Options.ConfigurationExtensions": "1.0.0",
      "Microsoft.NETCore.App": {
        "version": "1.0.0",
        "type": "platform"
      },
      "Swashbuckle.SwaggerGen": "6.0.0-beta901",
      "Swashbuckle.SwaggerUi": "6.0.0-beta901"
    }
Answer 1:
Have you configured both IIS and the app for integrated authentication?
In your web.config do you have the asp.net core module set to forward Windows Identities, by setting forwardWindowsAuthToken="true"?
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.webServer>
        <handlers>
          <add name="aspNetCore" path="*" verb="*"
               modules="AspNetCoreModule" resourceType="Unspecified" />
        </handlers>
        <aspNetCore processPath="%LAUNCHER_PATH%"
                    arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="false"
                    stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="true" />
      </system.webServer>
    </configuration>
In your program.cs have you plumbed in IIS integration with .UseIISIntegration()?
    var host = new WebHostBuilder()
        .UseKestrel()
        .UseContentRoot(Directory.GetCurrentDirectory())
        .UseIISIntegration()
        .UseStartup<Startup>()
        .Build();
Have you added authorization in your ConfigureServices() method in Startup.cs and put it before AddMvc()?
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthorization();
        services.AddMvc();
    }
When I have all those things in place I can happily authorize based on roles, for example I put [Authorize(Roles = "REDMOND\\scottgu_org_fte")] on my home controller and I get in just fine.
Using @"REDMOND\\scottgu_org_fte" won't work, because that makes the string literal verbatim, so it's trying to evaluate Domain\\group, and double slashes are wrong. @"REDMOND\scottgu_org_fte" would work though.
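
An added diagnostic example (not part of the answer above and not the ASP.NET Core project's own code) for confirming that the setup in Answer 1 really delivers a forwarded Windows identity, and for seeing the exact group names a role check will be compared against. The controller name, the /whoami route and the DOMAIN\Group A role are assumptions, and it assumes the System.Security.Principal.Windows types are available to the app.

```csharp
using System.Linq;
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical diagnostic controller; remove it or lock it down once
// the role checks behave as expected.
[Authorize]
public class WhoAmIController : Controller
{
    [HttpGet]
    [Route("/whoami")] // GET: /whoami (assumed route)
    public IActionResult Index()
    {
        // With forwardWindowsAuthToken="true" and UseIISIntegration(),
        // the forwarded token should surface as a WindowsIdentity.
        var identity = User.Identity as WindowsIdentity;
        if (identity == null)
        {
            // No Windows identity: the token is not being forwarded, or
            // IIS did not authenticate the caller with Windows auth.
            return Json(new { windowsIdentity = false,
                              authenticated = User.Identity.IsAuthenticated });
        }

        // Group SIDs resolved to DOMAIN\Name, the form role checks expect.
        var groups = (identity.Groups ?? new IdentityReferenceCollection())
            .Select(ResolveName)
            .OrderBy(n => n)
            .ToList();

        return Json(new {
            windowsIdentity = true,
            name = identity.Name,
            groups,
            // Verbatim literal: one backslash, same value as "DOMAIN\\Group A".
            inGroupA = User.IsInRole(@"DOMAIN\Group A")
        });
    }

    // Falls back to the raw SID when the account name cannot be resolved.
    private static string ResolveName(IdentityReference sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return sid.Value; }
    }
}
```

If the response lists the group but `inGroupA` is false, compare the role string character by character with the listed name; a doubled backslash in a verbatim literal is the mismatch Answer 1 describes.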
Answer 2:
If you just wish to allow / deny users as per standard MVC, and use IIS reverse proxy to Kestrel, then you can add a web.config and add
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="my AD User Group" />
          <add accessType="Allow" roles="uk\myUsercode" />
        </authorization>
      </security>
    </system.webServer>
Source: https://stackoverflow.com/questions/38895141/how-to-authorize-ad-users-with-net-core