I am building a new Web API 2 based RESTful API. (I have to target the full framework due to some dependencies in the solution).

I have in the past used System.Security.Claims.ClaimAuthorizationManager to build in custom user security checks. This solution however is not very test friendly (DI) or async enabled.

I would like to use the policy-based authorization available in ASP.NET Core (https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies) as this seems to be a great model that fits my needs perfectly.

I am however stuck as to whether or not this is actually possible. It seems that the real technical sticking point may be that the policy requirement finds the requirement handler through registration of the handler in the services collection, for example:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddAuthorization(options =>
    {
        options.AddPolicy("AtLeast21", policy =>
            policy.Requirements.Add(new MinimumAgeRequirement(21)));
    });

    services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
}
```

Is there any way to get the requirement handler to be picked up by the authorization service in a Web API 2 service?

Sezer Türkdal
G Clayden
  • Both use ASP.NET Identity. Why don't you use *ASP.NET Core* though? You *can* target the Full Framework with ASP.NET Core, it's not tied to the .NET Core *runtime* – Panagiotis Kanavos Aug 10 '18 at 14:16
  • Check [Why use the full .NET Framework with ASP.NET Core?](https://stackoverflow.com/questions/39865054/why-use-the-full-net-framework-with-asp-net-core) – Panagiotis Kanavos Aug 10 '18 at 14:17
  • I suppose I'm just a bit confused as to how I can (or should) mix and match asp.net core and web api 2 (System.Web.Http). Are you suggesting replacing web api 2 with asp.net core, but target full framework? – G Clayden Aug 10 '18 at 14:44
  • Yes, ASP.NET Core is the new name of ASP.NET MVC 6. It's *not* tied to the .NET Core runtime. In the project creation dialog select the full runtime from the list of runtimes – Panagiotis Kanavos Aug 10 '18 at 14:45
  • Ok, thanks @PanagiotisKanavos I'll give that a go. – G Clayden Aug 10 '18 at 14:52

1 Answer

I have code similar to yours and the authorization policy works as intended. In my startup, I call a class to load all the policies:

```csharp
services.AddAuthorization(options =>
{
    foreach (var item in Policies.Build())
    {
        options.AddPolicy(item.Key, item.Value);
    }
});
```

The policies class just returns a list of strings / authorization attributes:

```csharp
var ret = new Dictionary<string, System.Action<AuthorizationPolicyBuilder>>();

ret.Add(PermissionNames.LocationsCreate, policy => policy.Requirements.Add(new PermissionRequirement(PermissionNames.LocationsCreate)));
```

And then on the controllers, we just decorate with the authorize attribute:

```csharp
[Authorize(Policy = PermissionNames.LocationsCreate)]
```

Seems to work on our .NET Core 2.0 Web API projects.

Josh
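The answer uses `PermissionRequirement` without showing it or its handler. The following is an added example, not code from the answer: a requirement/handler pair resolved through a plain `ServiceCollection`, which is where the authorization service finds handlers. The `"permission"` claim type, the `Demo` class and the `"Locations.Create"` value are assumptions, and it assumes the `Microsoft.AspNetCore.Authorization` 2.x and `Microsoft.Extensions.Logging` packages.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(string permission) =>
        Permission = permission ?? throw new ArgumentNullException(nameof(permission));
    public string Permission { get; }
}

public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    public const string ClaimType = "permission"; // assumption: hypothetical claim type

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        // Succeed only for an authenticated user holding the exact permission claim.
        if (context.User?.Identity?.IsAuthenticated == true &&
            context.User.HasClaim(ClaimType, requirement.Permission))
        {
            context.Succeed(requirement);
        }
        // Never calling Succeed leaves the requirement unmet: deny by default.
        return Task.CompletedTask;
    }
}

public static class Demo
{
    public const string LocationsCreate = "Locations.Create"; // constructed sample value

    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddLogging(); // the default authorization service takes an ILogger
        services.AddAuthorization(o => o.AddPolicy(LocationsCreate,
            p => p.Requirements.Add(new PermissionRequirement(LocationsCreate))));
        services.AddSingleton<IAuthorizationHandler, PermissionHandler>();
        var auth = services.BuildServiceProvider().GetRequiredService<IAuthorizationService>();

        // Constructed principals: one with the claim, one unauthenticated.
        var granted = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(PermissionHandler.ClaimType, LocationsCreate) }, "constructed"));
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());

        Console.WriteLine((await auth.AuthorizeAsync(granted, LocationsCreate)).Succeeded);
        Console.WriteLine((await auth.AuthorizeAsync(anonymous, LocationsCreate)).Succeeded);
    }
}
```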