.NET 5 Blazor Server AD group authorization issue

Problem description

I can't get my Blazor Server application to respect AD group membership. I can get it to read my user ID, so I think NTLM is working, but it doesn't seem to recognise me as being in the group.


I have tried both IIS and IIS Express.

launchSettings.json

{
  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": false,
    "iisExpress": {
      "applicationUrl": "http://localhost:58855",
      "sslPort": 44394
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "AppName": {
      "commandName": "Project",
      "dotnetRunMessages": "true",
      "applicationUrl": "https://localhost:5001;http://localhost:5000",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
}

Startup.cs

    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.AspNetCore.Server.IISIntegration;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Hosting;
    using Microsoft.Extensions.Logging;

    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddRazorPages();
            services.AddServerSideBlazor();
            services.AddHttpContextAccessor();

            // Windows authentication is performed by IIS / IIS Express; the app only consumes the resulting identity.
            services.AddAuthentication(IISDefaults.AuthenticationScheme);
            services.AddAuthorization(options =>
            {
                // Role names for a Windows identity are resolved against the group SIDs in the user's token.
                options.AddPolicy("ADRoleOnly", policy => policy.RequireRole("DOMAIN\\GroupName"));
            });
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                //app.UseHsts();
            }

            //app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseRouting();

            // Authentication must run before authorization in the pipeline.
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapBlazorHub();
                endpoints.MapFallbackToPage("/_Host");
            });
        }
    }

Then in one of my Razor pages I have the following; as I said, even in the NotAuthorized section my username is still displayed.

<AuthorizeView Policy="ADRoleOnly">
    <Authorized>
        @context.User.Identity.Name is authorized.
    </Authorized>
    <NotAuthorized>
        @context.User.Identity.Name is not authorized.
    </NotAuthorized>
</AuthorizeView>

<AuthorizeView Roles="DOMAIN\\GroupName">
    <Authorized>
        @context.User.Identity.Name is authorized.
    </Authorized>
    <NotAuthorized>
        @context.User.Identity.Name is not authorized.
    </NotAuthorized>
</AuthorizeView>

At the moment I've rolled my own security, which just hides everything on the shared layout page, but I don't like it: it's slow, and if you can help it you should never write your own security model, because a) I won't keep it up to date, and b) it's more likely than anything else to contain bugs.

I'd really like to know what I'm missing that is stopping this from working.

Solution

Don't I feel stupid now: the group I was trying to authorize against is just a distribution group in AD, not a security group. I used a different group and now it works fine.
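A diagnostic endpoint, added here as an example and not part of the question or answer above, that makes this kind of mistake visible: it lists the group SIDs that IIS actually placed in the Windows token (only security groups are materialised there, distribution groups never are) and shows what `IsInRole` returns for the policy's role name. The route name `/whoami` and the class name are assumptions; `DOMAIN\GroupName` is the placeholder from the question.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;

public static class WhoAmIEndpoint
{
    // Resolve every GroupSid claim on the principal to DOMAIN\Group where possible.
    // A group that is missing from this list cannot satisfy RequireRole, whatever its name.
    public static IEnumerable<string> GroupNames(ClaimsPrincipal user)
    {
        foreach (var claim in user.FindAll(ClaimTypes.GroupSid))
        {
            string name;
            try
            {
                name = new SecurityIdentifier(claim.Value).Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                name = claim.Value; // orphaned or foreign SID: show the raw value
            }
            yield return name;
        }
    }

    // Register inside app.UseEndpoints(endpoints => { ... }) next to MapBlazorHub().
    public static void Map(IEndpointRouteBuilder endpoints)
    {
        endpoints.MapGet("/whoami", async context =>
        {
            var user = context.User;
            var lines = new List<string>
            {
                $"Name: {user.Identity?.Name}",
                $"Authenticated: {user.Identity?.IsAuthenticated}",
                $"IsInRole(DOMAIN\\GroupName): {user.IsInRole("DOMAIN\\GroupName")}",
                "Groups present in token:"
            };
            lines.AddRange(GroupNames(user).OrderBy(n => n));
            context.Response.ContentType = "text/plain";
            await context.Response.WriteAsync(string.Join("\n", lines));
        }).RequireAuthorization(); // still requires a Windows-authenticated caller
    }
}
```

If the expected group is absent from the listed token groups, the problem is on the AD side (wrong group type, or a stale logon token after a membership change), not in the authorization policy.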
