In an ASP.NET Core Web API, you can add an authorization policy so that only authorized users can reach specific parts of the API. The following is example code for one way to do this (Startup-style configuration; the JWT settings are read from the "Jwt" section of the app configuration):
    using System.Text;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Builder;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Tokens;

    // Startup.ConfigureServices: register JWT bearer authentication and the authorization policy.
    // "Configuration" is the IConfiguration injected into Startup.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Reject tokens whose issuer, audience, expiry or signature does not match.
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidIssuer = Configuration["Jwt:Issuer"],
                    ValidAudience = Configuration["Jwt:Audience"],
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["Jwt:SecretKey"]))
                };
            });

        services.AddAuthorization(options =>
        {
            // Policy that only requires a successfully authenticated caller.
            options.AddPolicy("RequireAuthenticatedUser", policy =>
            {
                policy.RequireAuthenticatedUser();
            });
        });

        services.AddControllers();
    }

    // Startup.Configure: authentication must run before authorization in the middleware pipeline.
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }

    [ApiController]
    [Route("api/[controller]")]
    [Authorize(Policy = "RequireAuthenticatedUser")]
    public class ValuesController : ControllerBase
    {
        // Controller code goes here
    }
With the example code above, only authorized users can access a Controller or Action protected by the [Authorize] attribute; a request without a valid token receives a 401 Unauthorized HTTP response (a caller that is authenticated but fails the policy's requirements receives 403 Forbidden instead).
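The following is an added example (not code from the original post) showing the same setup with the .NET 6+ minimal hosting model, and going one step further than the page's single policy: it refuses to start when the configured secret is too short for HS256, adds a hypothetical second policy ("ValuesWriter") that also requires a "values:write" entry in a "scope" claim, and shows an explicit [AllowAnonymous] opt-out. The configuration keys "Jwt:Issuer", "Jwt:Audience" and "Jwt:SecretKey" are the ones the page uses; the policy name "ValuesWriter", the "scope" claim layout and the endpoint paths are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Fail fast at startup rather than at first request: a missing or short HMAC secret
// is a configuration defect, not something to discover in production logs.
var secret = builder.Configuration["Jwt:SecretKey"]
    ?? throw new InvalidOperationException("Jwt:SecretKey is not configured");
if (Encoding.UTF8.GetByteCount(secret) < 32)
    throw new InvalidOperationException("Jwt:SecretKey must be at least 32 bytes (256 bits) for HS256");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidAudience = builder.Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
            // Default skew is 5 minutes; tighten it so expired tokens are rejected sooner.
            ClockSkew = TimeSpan.FromMinutes(1)
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Same policy as on the page: any successfully authenticated caller passes.
    options.AddPolicy("RequireAuthenticatedUser", policy => policy.RequireAuthenticatedUser());

    // Hypothetical stricter policy: authenticated AND the space-separated "scope" claim
    // contains "values:write". An authenticated caller without it gets 403, not 401.
    options.AddPolicy("ValuesWriter", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
                  ctx.User.FindAll("scope")
                     .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                     .Contains("values:write")));
});

builder.Services.AddControllers();

var app = builder.Build();

app.UseAuthentication();   // must come before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "RequireAuthenticatedUser")]   // class-level default for every action
public class ValuesController : ControllerBase
{
    // GET api/values: any valid token -> 200; missing/invalid token -> 401.
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "value1", "value2" });

    // POST api/values: valid token without the "values:write" scope -> 403.
    [HttpPost]
    [Authorize(Policy = "ValuesWriter")]
    public IActionResult Post([FromBody] string value) => Created($"api/values/{value}", value);

    // GET api/values/health: explicit opt-out so an unauthenticated probe can reach it.
    [HttpGet("health")]
    [AllowAnonymous]
    public IActionResult Health() => Ok("ok");
}
```

Two points worth checking in a review of this pattern: the class-level [Authorize] means every new action is protected by default and exposure has to be opted into with [AllowAnonymous], which is the safer direction to forget in; and because the policies build on RequireAuthenticatedUser, the 401/403 split tells you at a glance whether a rejected request lacked a valid token or merely lacked the right claims.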