ClaimsAuthorizationManager.CheckAccess(AuthorizationContext) Method

Definition

When implemented in a derived class, checks authorization for the subject in the specified context to perform the specified action on the specified resource.

public:
 virtual bool CheckAccess(System::Security::Claims::AuthorizationContext ^ context);
public virtual bool CheckAccess (System.Security.Claims.AuthorizationContext context);
abstract member CheckAccess : System.Security.Claims.AuthorizationContext -> bool
override this.CheckAccess : System.Security.Claims.AuthorizationContext -> bool
Public Overridable Function CheckAccess (context As AuthorizationContext) As Boolean

Parameters

context
AuthorizationContext

The authorization context that contains the subject, resource, and action for which authorization is to be checked.

Returns

Boolean

true if the subject is authorized to perform the specified action on the specified resource; otherwise, false.

Examples

The code examples used in the ClaimsAuthorizationManager topics are taken from the Claims Based Authorization sample. This sample provides a custom claims authorization manager that can authorize subjects based on a policy that is specified in configuration. The custom claims authorization manager consists of three basic components: a class derived from ClaimsAuthorizationManager that implements the manager, the ResourceAction class that pairs a resource and an action, and a policy reader that reads and compiles the policy specified in the configuration file. The claims authorization manager can then use this compiled policy to evaluate a principal in order to authorize access to resources. Not all elements are shown, for the sake of brevity. For information about this sample and other samples available for WIF, and about where to download them, see WIF Code Sample Index.

The following code shows the override of the CheckAccess method. This method grants or denies access based on a policy read and compiled from the configuration file.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

namespace ClaimsAuthorizationLibrary
{
    // The class declaration is shown here for context. The sample's
    // LoadCustomConfiguration override, which fills _policies from the
    // <policy> elements in configuration, is not reproduced on this page.
    public class MyClaimsAuthorizationManager : ClaimsAuthorizationManager
    {
        static Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>> _policies = new Dictionary<ResourceAction, Func<ClaimsPrincipal, bool>>();
        PolicyReader _policyReader = new PolicyReader();

        /// <summary>
        /// Checks if the principal specified in the authorization context is authorized to perform the action specified in the authorization context
        /// on the specified resource
        /// </summary>
        /// <param name="pec">Authorization context</param>
        /// <returns>true if authorized, false otherwise</returns>
        public override bool CheckAccess(AuthorizationContext pec)
        {
            //
            // Evaluate the policy against the claims of the
            // principal to determine access
            //
            bool access = false;
            try
            {
                // The first resource claim and first action claim identify the policy to apply.
                ResourceAction ra = new ResourceAction(pec.Resource.First<Claim>().Value, pec.Action.First<Claim>().Value);

                access = _policies[ra](pec.Principal);
            }
            catch (Exception)
            {
                // Any failure (no resource/action claim, no matching policy, policy error) denies access.
                access = false;
            }

            return access;
        }
    }
}

The following code shows the ResourceAction class used by the custom claims authorization manager.

using System;

namespace ClaimsAuthorizationLibrary
{
    /// <summary>
    /// Class to encapsulate resource/action pair
    /// </summary>
    public class ResourceAction
    {
        public string Resource;
        public string Action;

        /// <summary>
        /// Checks if the current instance is equal to the given object by comparing the resource and action values
        /// </summary>
        /// <param name="obj">object to compare to</param>
        /// <returns>True if equal, else false.</returns>
        public override bool Equals(object obj)
        {
            ResourceAction ra = obj as ResourceAction;
            if (ra != null)
            {
                return ((string.Compare(ra.Resource, Resource, true) == 0) && (string.Compare(ra.Action, Action, true) == 0));
            }

            return base.Equals(obj);
        }

        /// <summary>
        /// Gets the hash code.
        /// </summary>
        /// <returns>The hash code.</returns>
        public override int GetHashCode()
        {
            return (Resource + Action).ToLower().GetHashCode();
        }

        /// <summary>
        /// Creates an instance of ResourceAction class.
        /// </summary>
        /// <param name="resource">The resource name.</param>
        /// <param name="action">The action.</param>
        /// <exception cref="ArgumentNullException">when <paramref name="resource"/> is null</exception>
        public ResourceAction(string resource, string action)
        {
            if (string.IsNullOrEmpty(resource))
            {
                throw new ArgumentNullException("resource");
            }

            Resource = resource;
            Action = action;
        }
    }
}

The policy used by the claims authorization manager is specified by custom <policy> elements under the <claimsAuthorizationManager> element. This policy is read and compiled by the LoadCustomConfiguration method. In the first policy, the principal must possess one of the specified claims in order to perform the specified action on the specified resource. In the second policy, the principal must possess both claims to be able to perform the specified action on the specified resource. In the remaining policies, the principal is automatically granted access regardless of the claims it possesses.

<system.identityModel>  
  <identityConfiguration>  
    <claimsAuthorizationManager type="ClaimsAuthorizationLibrary.MyClaimsAuthorizationManager, ClaimsAuthorizationLibrary">  
      <policy resource="http://localhost:28491/Developers.aspx" action="GET">  
        <or>  
          <claim claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" claimValue="developer" />  
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />  
        </or>  
      </policy>  
      <policy resource="http://localhost:28491/Administrators.aspx" action="GET">  
        <and>  
          <claim claimType="http://schemas.xmlsoap.org/claims/Group" claimValue="Administrator" />  
          <claim claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country" claimValue="USA" />  
        </and>  
      </policy>  
      <policy resource="http://localhost:28491/Default.aspx" action="GET">  
      </policy>  
      <policy resource="http://localhost:28491/" action="GET">  
      </policy>  
      <policy resource="http://localhost:28491/Claims.aspx" action="GET">  
      </policy>  
    </claimsAuthorizationManager>  

    ...  

  </identityConfiguration>  
</system.identityModel>  
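The sample's PolicyReader and LoadCustomConfiguration are not shown on this page. The following is an added, self-contained example (not code from the WIF sample) that compiles policy elements of the shape shown above into predicates over a ClaimsPrincipal and evaluates them the way the CheckAccess override does. It assumes the same <claim>, <or> and <and> element vocabulary as the configuration above, embeds a constructed copy of that policy as a string instead of reading it from the identity configuration, and keys its table by a (resource, action) tuple rather than the page's ResourceAction class; the class and method names PolicyDemo, Compile, Load and CheckAccess are this example's own.

```csharp
// Added example: compile <policy> elements into predicates and evaluate a principal.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml.Linq;

public static class PolicyDemo
{
    // Constructed policy fragment mirroring the <claimsAuthorizationManager> element above.
    const string PolicyXml = @"
<claimsAuthorizationManager>
  <policy resource='http://localhost:28491/Developers.aspx' action='GET'>
    <or>
      <claim claimType='http://schemas.microsoft.com/ws/2008/06/identity/claims/role' claimValue='developer' />
      <claim claimType='http://schemas.xmlsoap.org/claims/Group' claimValue='Administrator' />
    </or>
  </policy>
  <policy resource='http://localhost:28491/Administrators.aspx' action='GET'>
    <and>
      <claim claimType='http://schemas.xmlsoap.org/claims/Group' claimValue='Administrator' />
      <claim claimType='http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country' claimValue='USA' />
    </and>
  </policy>
  <policy resource='http://localhost:28491/Default.aspx' action='GET' />
</claimsAuthorizationManager>";

    // Compile one policy body (<claim>, <or> or <and>) into a predicate over the principal.
    static Func<ClaimsPrincipal, bool> Compile(XElement node)
    {
        switch (node.Name.LocalName)
        {
            case "claim":
                string type = (string)node.Attribute("claimType");
                string value = (string)node.Attribute("claimValue");
                // HasClaim checks every identity attached to the principal for an exact type/value match.
                return p => p.HasClaim(type, value);
            case "or":
                var any = node.Elements().Select(Compile).ToArray();
                return p => any.Any(f => f(p));
            case "and":
                var all = node.Elements().Select(Compile).ToArray();
                return p => all.All(f => f(p));
            default:
                throw new InvalidOperationException("Unknown policy element: " + node.Name.LocalName);
        }
    }

    // Build the (resource, action) -> predicate table. An empty <policy> grants unconditionally,
    // as the page describes; a pair with no <policy> at all is simply absent from the table.
    public static Dictionary<(string, string), Func<ClaimsPrincipal, bool>> Load(string xml)
    {
        var policies = new Dictionary<(string, string), Func<ClaimsPrincipal, bool>>();
        foreach (XElement policy in XElement.Parse(xml).Elements("policy"))
        {
            var key = (((string)policy.Attribute("resource")).ToUpperInvariant(),
                       ((string)policy.Attribute("action")).ToUpperInvariant());
            XElement body = policy.Elements().FirstOrDefault();
            policies[key] = body == null ? (p => true) : Compile(body);
        }
        return policies;
    }

    // Same shape as the CheckAccess override above: look up the pair, evaluate, fail closed on any error.
    public static bool CheckAccess(Dictionary<(string, string), Func<ClaimsPrincipal, bool>> policies,
                                   ClaimsPrincipal principal, string resource, string action)
    {
        try
        {
            return policies[(resource.ToUpperInvariant(), action.ToUpperInvariant())](principal);
        }
        catch (Exception)
        {
            // A missing policy entry surfaces here as KeyNotFoundException and is treated as a denial.
            return false;
        }
    }

    public static void Main()
    {
        var policies = Load(PolicyXml);

        // Constructed principal: holds the developer role and a USA country claim, but no Administrator group.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "developer"),
            new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country", "USA"),
        }, "Constructed");
        var principal = new ClaimsPrincipal(identity);

        foreach (string page in new[] { "Developers.aspx", "Administrators.aspx", "Default.aspx", "Secret.aspx" })
        {
            bool granted = CheckAccess(policies, principal, "http://localhost:28491/" + page, "GET");
            Console.WriteLine(page + ": " + (granted ? "granted" : "denied"));
        }
    }
}
```

Running Main with this principal grants Developers.aspx (the <or> is satisfied by the role claim), denies Administrators.aspx (the <and> needs the Administrator group as well as the country claim), grants Default.aspx (empty policy) and denies Secret.aspx, which has no policy entry. Two points matter when hardening a manager like this. First, the catch-all in CheckAccess is what makes an unlisted resource fail closed; it also silences misconfiguration, so a production override should log the exception with the resource and action before returning false so that denials caused by a typo in a policy are visible in the audit trail. Second, an empty <policy> element is an explicit allow-all for that resource, so the configured resource list should be reviewed with the same care as the claim rules themselves.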

Remarks

The base implementation always returns true, which authorizes access. You can override this method in a derived class to authorize access based on the requirements of your RP application. If this method returns false, Windows Identity Foundation (WIF) returns an unauthorized error to the caller; otherwise, execution is passed to the RP application.

Applies to