Net Core policy authorization, however it is looking very static to me. Because in the Enterprise Application, there is an often need for new roles which will need new policies (as far as i understand) or if you want to implement new type of policy specific for certain client. For example if we are building an CMS which will be driven by those policies, we will want, each client to be able to define hes own. So can this new policy base mechanism be more dynamic or, it's idea is entire different?
thanks :))
Dynamic authorization is a technology in which authorization and access rights to an organization's network, applications, data, or other sensitive assets are granted dynamically in real-time using attribute-based rules and policies.
Authorization Policy Even when you use claim-based or role-based authorization, you are actually using Policy-based Authorization. A Policy defines a collection of requirements, that the user must satisfy in order to access a resource. The user must satisfy all the requirements.
In this article Typically when using policy-based authorization, policies are registered by calling AuthorizationOptions. AddPolicy as part of authorization service configuration.
Role-Based Authorization in ASP.NET Core is a way to restrict/allow users to access specific resources in the application. The [Authorize] attribute when declared in the Controller or any action methods, restricts users bases on his/her role settings.
I always recommend that people take a look @ the least privilege repo as it has some great examples of all the various approaches one can take with the new ASP.NET Core Authentication and Authorization paradigms.
Can this new policy base mechanism be more dynamic?
Yes, in fact it is more dynamic than the previous role based concepts. It allows for you to define policies that can be data driven. Here is another great resource for details pertaining to this. You can specify that an API entry point for example is protected by a policy (for example), and that policy can have a handler and that handler can do anything it needs to, i.e.; examine the current User
in context, compare claims to values in the database, compare roles, anything really. Consider the following:
Define an entry point with the Policy
[Authorize(Policy = "DataDrivenExample")] public IActionResult GetFooBar() { // Omitted for brevity... }
Add the authorization with the options that add the policy.
public void ConfigureServices(IServiceCollection services) { services.AddMvc(); services.AddAuthorization(options => { options.AddPolicy("DataDrivenExample", policy => policy.Requirements.Add(new DataDrivenRequirement())); }); services.AddSingleton<IAuthorizationHandler, DataDrivenHandler>(); }
Then define the handler.
public class MinimumAgeHandler : AuthorizationHandler<DataDrivenRequirement> { protected override void Handle(AuthorizationContext context, DataDrivenRequirement requirement) { // Do anything here, interact with DB, User, claims, Roles, etc. // As long as you set either: // context.Succeed(requirement); // context.Fail(); } }
Is the idea entirely different?
It should feel very similar to the previous concepts that you're accustomed to with auth8 and authz.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With