I have read and tried a lot to establish resource based access policies. Basically the classic: Only ever the creation user may access a resource (for simplicity) In order to judge whether the current user can access a resouce, we have to get the Entity, first - hence enter the handler. So [Authoirize]-Attributse are not useful.
Keeping an eye on https://docs.microsoft.com/en-gb/aspnet/core/security/authorization/resourcebased?view=aspnetcore-5.0 I came up with this:
// create a policy based on claim audience
context.Services.AddAuthorization(options =>
{
options.AddPolicy("CallRecordingAccessPolicy", policy => policy.Requirements.Add(new CallRecordingPolicy()));
});
context.Services.AddSingleton<IAuthorizationHandler, CallRecordingAuthorizationHandler>();
If you're creating a bug/problem report, please include followings:
CallRecordingPolicy
being an empty class; "CallRecordingAccessPolicy" being never used anywhere else.
The implementation of the Handler is somewhat evident and the AppService is doing something like that:
public virtual async Task<CallRecordingDto> GetAsync(Guid id)
{
CallRecording recording = await _callRecordingRepository.GetAsync(id);
AuthorizationResult result = await AuthorizationService.AuthorizeAsync(resource: recording, requirement: new CallRecordingPolicy());
if (!result.Succeeded)
Essentially I use a lot of infrastructure with no real benefit. Also this is not right available in the DI container in the UnitTest. Testing is a bit cumbersome. And in fact I could just declare some other arbitrary class, hook it up to the DI-Container and use it as so:
public virtual async Task<CallRecordingDto> GetAsync(Guid id)
{
CallRecording recording = await _callRecordingRepository.GetAsync(id);
bool result = await _callRecordingChecker.CanAccess( recording _currentUser);
if (!result)
public class CallRecordingAuthorizationHandler : ITransientDependency
{
public Task<bool> CanAccess(CallRecording r, ICurrentUser cu)
So, why should I use the first approach over this second approach?
Advantage:
- Simple, thats waht needed
- easier to use in UnitTests
- more Straight forward
- automatically in the DI container
2 Answer(s)
-
0
Hi,
Resource-based authorization in ASP.NET Core is standard way and is part of ASPNET Core Identity.
It abstracts the
AuthorizationHandler
and allows you to customize the handler class.It’s actually easier to use the second way, they are both ok. you can choose the way you like
-
0
This question has been automatically marked as stale because it has not had recent activity.