IAuthorizationPolicy 接口
定义
重要
一些信息与预发行产品相关,相应产品在发行之前可能会进行重大修改。 对于此处提供的信息,Microsoft 不作任何明示或暗示的担保。
根据一组声明,定义一组用于授权用户的规则。
public interface class IAuthorizationPolicypublic interface class IAuthorizationPolicy : System::IdentityModel::Policy::IAuthorizationComponentpublic interface IAuthorizationPolicypublic interface IAuthorizationPolicy : System.IdentityModel.Policy.IAuthorizationComponenttype IAuthorizationPolicy = interfacetype IAuthorizationPolicy = interface
interface IAuthorizationComponentPublic Interface IAuthorizationPolicyPublic Interface IAuthorizationPolicy
Implements IAuthorizationComponent- 实现
示例
public class MyAuthorizationPolicy : IAuthorizationPolicy
{
string id;
public MyAuthorizationPolicy()
{
id = Guid.NewGuid().ToString();
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
bool bRet = false;
CustomAuthState customstate = null;
// If state is null, then this method has not been called before, so
// set up a custom state.
if (state == null)
{
customstate = new CustomAuthState();
state = customstate;
}
else
{
customstate = (CustomAuthState)state;
}
Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate");
// If claims have not been added yet...
if (!customstate.ClaimsAdded)
{
// Create an empty list of Claims.
IList<Claim> claims = new List<Claim>();
// Iterate through each of the claim sets in the evaluation context.
foreach (ClaimSet cs in evaluationContext.ClaimSets)
// Look for Name claims in the current claim set.
foreach (Claim c in cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty))
// Get the list of operations the given username is allowed to call.
foreach (string s in GetAllowedOpList(c.Resource.ToString()))
{
// Add claims to the list.
claims.Add(new Claim("http://example.org/claims/allowedoperation", s, Rights.PossessProperty));
Console.WriteLine("Claim added {0}", s);
}
// Add claims to the evaluation context.
evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, claims));
// Record that claims have been added.
customstate.ClaimsAdded = true;
// Return true, which indicates this need not be called again.
bRet = true;
}
else
{
// This point should not be reached, but just in case...
bRet = true;
}
return bRet;
}
public ClaimSet Issuer
{
get { return ClaimSet.System; }
}
public string Id
{
get { return id; }
}
// This method returns a collection of action strings that indicate the
// operations that the specified username is allowed to call.
private IEnumerable<string> GetAllowedOpList(string username)
{
IList<string> ret = new List<string>();
if (username == "test1")
{
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Add");
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Multiply");
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Subtract");
}
else if (username == "test2")
{
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Add");
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Subtract");
}
return ret;
}
// internal class for state
class CustomAuthState
{
bool bClaimsAdded;
public CustomAuthState()
{
bClaimsAdded = false;
}
public bool ClaimsAdded
{
get { return bClaimsAdded; }
set { bClaimsAdded = value; }
}
}
}
Public Class MyAuthorizationPolicy
Implements IAuthorizationPolicy
Private value_id As String
Public Sub New()
value_id = Guid.NewGuid().ToString()
End Sub
Public Function Evaluate(ByVal evaluationContext As EvaluationContext, _
ByRef state As Object) As Boolean Implements IAuthorizationPolicy.Evaluate
Dim bRet As Boolean = False
Dim customstate As CustomAuthState = Nothing
' If state is null, then this method has not been called before, so
' set up a custom state.
If state Is Nothing Then
customstate = New CustomAuthState()
state = customstate
Else
customstate = CType(state, CustomAuthState)
End If
Console.WriteLine("Inside MyAuthorizationPolicy::Evaluate")
' If the claims have not been added yet...
If Not customstate.ClaimsAdded Then
' Create an empty list of Claims
Dim claims As New List(Of Claim)
' Iterate through each of the claimsets in the evaluation context.
Dim cs As ClaimSet
For Each cs In evaluationContext.ClaimSets
' Look for Name claims in the current claim set.
Dim c As Claim
For Each c In cs.FindClaims(ClaimTypes.Name, Rights.PossessProperty)
' Get the list of operations the given username is allowed to call.
Dim s As String
For Each s In GetAllowedOpList(c.Resource.ToString())
' Add claims to the list
claims.Add(New Claim("http://example.org/claims/allowedoperation", _
s, Rights.PossessProperty))
Console.WriteLine("Claim added {0}", s)
Next s
Next c
Next cs
' Add claims to the evaluation context.
evaluationContext.AddClaimSet(Me, New DefaultClaimSet(Me.Issuer, claims))
' Record that claims have been added.
customstate.ClaimsAdded = True
' Return true, which indicates the method need not to be called again.
bRet = True
Else
' Should never get here, but just in case...
bRet = True
End If
Return bRet
End Function 'Evaluate
Public ReadOnly Property Issuer() As ClaimSet Implements IAuthorizationPolicy.Issuer
Get
Return ClaimSet.System
End Get
End Property
Public ReadOnly Property Id() As String Implements IAuthorizationPolicy.Id
Get
Return value_id
End Get
End Property
' This method returns a collection of action strings that indicate the
' operations that the specified username is allowed to call.
Private Shared Function GetAllowedOpList(ByVal username As String) As IEnumerable(Of String)
Dim ret As New List(Of String)
If username = "test1" Then
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Add")
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Multiply")
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Subtract")
ElseIf username = "test2" Then
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Add")
ret.Add("http://Microsoft.ServiceModel.Samples/ICalculator/Subtract")
End If
Return ret
End Function
' This is an internal class for state.
Class CustomAuthState
Private bClaimsAdded As Boolean
Public Sub New()
End Sub
Public Property ClaimsAdded() As Boolean
Get
Return bClaimsAdded
End Get
Set(ByVal value As Boolean)
bClaimsAdded = value
End Set
End Property
End Class
End Class
注解
实现接口 IAuthorizationPolicy ,将一组声明添加或映射到另一组声明。 授权策略检查一组声明,并根据当前集添加其他声明。 例如,授权策略可能会评估包含出生日期的声明,并添加声明,声明用户超过 21 岁,并向其中 EvaluationContext添加 Over21 声明。
实现接口的 IAuthorizationPolicy 类不会授权用户,但它们允许该 ServiceAuthorizationManager 类执行此操作。 ServiceAuthorizationManager调用Evaluate生效的每个授权策略的方法。 该方法 Evaluate 根据当前上下文确定是否应为用户添加其他声明。 可以多次调用授权策略 Evaluate 的方法,因为声明将添加到 EvaluationContext 其他授权策略中。 完成所有授权策略后,类 ServiceAuthorizationManager 会根据最终声明集做出授权决策。 然后,该 ServiceAuthorizationManager 类将创建一个 AuthorizationContext 包含一组不可变声明的声明,这些声明反映这些授权决策。
属性
| 名称 | 说明 |
|---|---|
| Id |
获取标识此授权组件的字符串。 (继承自 IAuthorizationComponent) |
| Issuer |
获取一个声明集,该声明集表示授权策略的颁发者。 |
方法
| 名称 | 说明 |
|---|---|
| Evaluate(EvaluationContext, Object) |
评估用户是否满足此授权策略的要求。 |
