Page 67 - MSDN Magazine, October 2017
handler wants to determine the failure of a requirement regardless of the fact that other handlers on the same requirement may succeed, it calls the method Fail on the authorization context object.
Here’s how you add a custom requirement to the policy (keep in mind, as this is a custom requirement, you have no extension method; rather, you must proceed through the Requirements collection of the policy object):
services.AddAuthorization(options =>
{
    options.AddPolicy("AtLeast3Years", policy => policy
        .Requirements
        .Add(new ExperienceRequirement(3)));
});
In addition, you have to register the new handler with the DI system under the scope of the IAuthorizationHandler type:
services.AddSingleton<IAuthorizationHandler, ExperienceHandler>();
As mentioned, a requirement can have multiple handlers. When multiple handlers are registered with the DI system for the same requirement for the authorization layer, it suffices that at least one succeeds.
Accessing the Current HTTP Context
In the implementation of the authorization handler, you might need to inspect request properties or route data, like this:
// AuthorizationFilterContext lives in Microsoft.AspNetCore.Mvc.Filters;
// GetDisplayUrl is an extension method from Microsoft.AspNetCore.Http.Extensions.
if (context.Resource is AuthorizationFilterContext mvc)
{
    var url = mvc.HttpContext.Request.GetDisplayUrl();
    ...
}
In ASP.NET Core, the AuthorizationHandlerContext object exposes a Resource property set to the filter context object. The context object is different depending on the framework involved. For example, MVC and SignalR send their own specific object. Whether you cast depends on what you need to access. For example, the User information is always there, so you don’t need to cast for that, but if you want MVC-specific details such as routing information, then you have to cast.
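The following is an added example, not code from the article: one requirement with two handlers registered for it, showing the Succeed/Fail semantics described above (one handler succeeding suffices, but a Fail vetoes the requirement) together with the optional cast of context.Resource to the MVC filter context. The claim types experience_years and account_status are assumed names, not part of the framework.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

public class ExperienceRequirement : IAuthorizationRequirement
{
    public int Years { get; }
    public ExperienceRequirement(int years) => Years = years;
}

// Succeeds when the (assumed) experience_years claim meets the threshold.
// Neither Succeed nor Fail is called otherwise, so the requirement stays unmet.
public class ExperienceHandler : AuthorizationHandler<ExperienceRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ExperienceRequirement requirement)
    {
        var claim = context.User.FindFirst("experience_years");
        if (claim != null && int.TryParse(claim.Value, out var years) && years >= requirement.Years)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Second handler for the same requirement. Calling Fail() makes the requirement
// fail even if ExperienceHandler has already called Succeed().
public class SuspendedAccountHandler : AuthorizationHandler<ExperienceRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ExperienceRequirement requirement)
    {
        if (context.User.HasClaim(c => c.Type == "account_status" && c.Value == "suspended"))
            context.Fail();

        // MVC-specific detail (needs the cast); the user principal did not.
        if (context.Resource is AuthorizationFilterContext mvc)
        {
            var action = mvc.RouteData.Values["action"]; // e.g. for logging the denied action
        }
        return Task.CompletedTask;
    }
}

// Registration in ConfigureServices: the policy plus both handlers.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("AtLeast3Years",
                policy => policy.Requirements.Add(new ExperienceRequirement(3))));
        services.AddSingleton<IAuthorizationHandler, ExperienceHandler>();
        services.AddSingleton<IAuthorizationHandler, SuspendedAccountHandler>();
    }
}
```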
Wrapping Up
In ASP.NET Core, authorization comes in two flavors. One is traditional role-based authorization, which works the same way it does in classic ASP.NET MVC, and still has the structural limitation of being rather flat and not ideal for expressing sophisticated authorization logic. Policy-based authorization is a new approach that provides a richer and more expressive model. This is because a policy is a collection of requirements based on claims and custom logic based on any other information that can be injected from the HTTP context or external sources. These requirements are each associated with one or more handlers, which are responsible for the actual evaluation of the requirement.
Dino Esposito is the author of “Microsoft .NET: Architecting Applications for the Enterprise” (Microsoft Press, 2014) and “Modern Web Applications with ASP.NET” (Microsoft Press, 2016). A technical evangelist for the .NET and Android platforms at JetBrains, and frequent speaker at industry events worldwide, Esposito shares his vision of software at software2cents@wordpress.com and on Twitter: @despos.
Thanks to the following technical experts for reviewing this article: Barry Dorrans (Microsoft) and Steve Smith