Role-based authorization in ASP.NET Core 2.1

Source: Internet
Author: User

Authorization is the process of describing what a user can do. For example, only administrators may be allowed to install and uninstall software on a computer, while users who are not administrators can only use the software and cannot install or uninstall it. Authorization is independent of authentication, but it is used in conjunction with it and requires an authentication mechanism. An application first authenticates the user and then authorizes.

Yi Le Zhu
Original link: https://www.cnblogs.com/yilezhu/p/9508267.html

Identity is a membership system that allows us to add login functionality to our applications. Users may belong to one or more roles. For example, "User1" belongs to the "Admin" role and "User2" belongs to the "HR" role.
We can use the AuthorizeFilter attribute on controllers in our MVC or Web API applications to control user access. Role-based authorization checks whether the logged-on user has permission to access the page. Developers specify the permitted roles in their code.
To illustrate, we will create three roles and three corresponding users. The code is as follows:

    // Requires: Microsoft.AspNetCore.Identity, Microsoft.Extensions.DependencyInjection, System.Threading.Tasks
    public void Configure(IApplicationBuilder app, IHostingEnvironment env, IServiceProvider serviceProvider)
    {
        ....
        ....
        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });

        // Seed roles and users at startup; Wait() blocks until seeding has finished
        CreateRoles(serviceProvider).Wait();
    }

    private async Task CreateRoles(IServiceProvider serviceProvider)
    {
        // Initializing custom roles
        var roleManager = serviceProvider.GetRequiredService<RoleManager<IdentityRole>>();
        var userManager = serviceProvider.GetRequiredService<UserManager<IdentityUser>>();
        string[] roleNames = { "Admin", "User", "HR" };
        IdentityResult roleResult;

        foreach (var roleName in roleNames)
        {
            var roleExist = await roleManager.RoleExistsAsync(roleName);
            if (!roleExist)
            {
                // Create the roles and seed them to the database: Question 1
                roleResult = await roleManager.CreateAsync(new IdentityRole(roleName));
            }
        }

        // Demo seeding only: in a real deployment, read seed accounts and passwords
        // from configuration or a secret store instead of hard-coding them.
        IdentityUser user = await userManager.FindByEmailAsync("[email protected]");
        if (user == null)
        {
            user = new IdentityUser()
            {
                UserName = "[email protected]",
                Email = "[email protected]",
            };
            await userManager.CreateAsync(user, "[email protected]");
        }
        await userManager.AddToRoleAsync(user, "Admin");

        IdentityUser user1 = await userManager.FindByEmailAsync("[email protected]");
        if (user1 == null)
        {
            user1 = new IdentityUser()
            {
                UserName = "[email protected]",
                Email = "[email protected]",
            };
            await userManager.CreateAsync(user1, "[email protected]");
        }
        await userManager.AddToRoleAsync(user1, "User");

        IdentityUser user2 = await userManager.FindByEmailAsync("[email protected]");
        if (user2 == null)
        {
            user2 = new IdentityUser()
            {
                UserName = "[email protected]",
                Email = "[email protected]",
            };
            await userManager.CreateAsync(user2, "[email protected]");
        }
        await userManager.AddToRoleAsync(user2, "HR");
    }

We can use the Roles property of the Authorize attribute to specify the roles that have access to the requested resource. For example, the following code restricts the action method to users who are assigned the "Admin" role.

    [Authorize(Roles = "Admin")]
    public IActionResult OnlyAdminAccess()
    {
        ViewData["role"] = "Admin";
        return View("MyPage");
    }

We can use a comma-separated list of roles to allow multiple roles to access the method. For example, in the following code snippet, the action method can only be accessed by users in the "Admin" or "User" role.

    [Authorize(Roles = "Admin,User")]
    public IActionResult MultipleAccess()
    {
        ViewData["role"] = "Admin";
        return View("MyPage");
    }

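We can also stack several Authorize attributes for multi-role access control. In this form the user must be a member of every listed role (here both "Admin" and "User"), unlike the comma-separated list, where membership in any one role is enough.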

    [Authorize(Roles = "Admin")]
    [Authorize(Roles = "User")]
    public IActionResult MultipleAccess()
    {
        ViewData["role"] = "Admin";
        return View("MyPage");
    }

Policy-based role checking

We can also create policy-based access control. We can use the authorization service to add and register policies. In the following code, we create a policy that allows only users with the "Admin" role to access.

    public void ConfigureServices(IServiceCollection services)
    {
        ....
        ....
        services.AddAuthorization(options =>
        {
            // Register a named policy that succeeds only for users in the "Admin" role
            options.AddPolicy("OnlyAdminAccess", policy => policy.RequireRole("Admin"));
        });
    }

We can use the Policy property of the Authorize attribute to apply policies:

    [Authorize(Policy = "OnlyAdminAccess")]
    public IActionResult PolicyExample()
    {
        ViewData["role"] = "Admin";
        return View("MyPage");
    }
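
The role checks above differ in whether one role or all roles are required. The following console program is an added example, not code from the original article: it evaluates the equivalent policies against constructed users. It assumes a project referencing the ASP.NET Core 2.1 authorization, dependency injection and logging packages; the class name, helper and test users are hypothetical.

```csharp
// Added example (not from the original article); names and test users are constructed.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class RoleSemanticsDemo
{
    // Build an authenticated principal holding exactly the given role claims.
    static ClaimsPrincipal UserWithRoles(params string[] roles)
    {
        var identity = new ClaimsIdentity("Demo"); // non-null auth type => authenticated
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    public static async Task Main()
    {
        // Minimal container: the authorization service needs logging and options.
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddOptions();
        services.AddAuthorization();
        var authz = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        // [Authorize(Roles = "Admin,User")]: one requirement, any listed role passes (OR).
        var anyOf = new AuthorizationPolicyBuilder().RequireRole("Admin", "User").Build();
        // [Authorize(Roles = "Admin")] stacked on [Authorize(Roles = "User")]: two requirements (AND).
        var allOf = new AuthorizationPolicyBuilder().RequireRole("Admin").RequireRole("User").Build();
        // Same rule as the "OnlyAdminAccess" policy registered in ConfigureServices.
        var onlyAdmin = new AuthorizationPolicyBuilder().RequireRole("Admin").Build();

        var roleSets = new[] { new[] { "Admin" }, new[] { "User" }, new[] { "HR" }, new[] { "Admin", "User" } };
        foreach (var roles in roleSets)
        {
            var user = UserWithRoles(roles);
            Console.WriteLine("{0,-12} anyOf={1,-5} allOf={2,-5} onlyAdmin={3}",
                string.Join("+", roles),
                (await authz.AuthorizeAsync(user, anyOf)).Succeeded,
                (await authz.AuthorizeAsync(user, allOf)).Succeeded,
                (await authz.AuthorizeAsync(user, onlyAdmin)).Succeeded);
        }
    }
}
```

A user holding only "Admin" or only "User" passes the comma-separated form but fails the stacked form, which matters when the stacked form is mistaken for "either role".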

Using the "OnlyAdminAccess" policy we can also apply role-based authorization to Razor Pages. For example, if we have a "test1.cshtml" Razor page that only users with the "Admin" role may access, we can use the following code to enforce authorization on the page.

    public void ConfigureServices(IServiceCollection services)
    {
        ...
        ...
        services.AddMvc().AddRazorPagesOptions(options =>
        {
            options.Conventions.AuthorizePage("/test1", "OnlyAdminAccess");
        }).SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

        services.AddAuthorization(options =>
        {
            options.AddPolicy("OnlyAdminAccess", policy => policy.RequireRole("Admin"));
        });
    }

Summary

This article is a translation of https://www.c-sharpcorner.com/article/role-base-authorization-in-asp-net-core-2-1/, which describes role-based authorization in ASP.NET Core 2.1. The content is simple and easy to understand!
