{"id":6311,"date":"2016-03-23T11:00:45","date_gmt":"2016-03-23T11:00:45","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/webdev\/?p=6311"},"modified":"2021-11-01T05:13:22","modified_gmt":"2021-11-01T12:13:22","slug":"get-started-with-asp-net-core-authorization-part-2-of-2","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/get-started-with-asp-net-core-authorization-part-2-of-2\/","title":{"rendered":"Get Started with ASP.NET Core Authorization \u2013 Part 2 of 2"},"content":{"rendered":"<p>After learning about the new Authorization Policy model in ASP.NET Core, our intrepid reporter <a href=\"https:\/\/channel9.msdn.com\/Blogs\/Seth-Juarez\" target=\"_blank\" rel=\"noopener noreferrer\">Seth Juarez<\/a> wanted to learn about more complicated ASP.NET Authorization policies.\u00a0 In the following video, he speaks with ASP.NET Security Analyst <a href=\"https:\/\/twitter.com\/blowdart\" target=\"_blank\" rel=\"noopener noreferrer\">Barry Dorrans<\/a>.\u00a0 Last time, Barry showed us how to <a title=\"Get Started with ASP.NET Core Authorization \u2013 Part 1 of 2\" href=\"https:\/\/devblogs.microsoft.com\/aspnet\/get-started-with-asp-net-core-authorization-part-1-of-2\/\" target=\"_blank\" rel=\"noopener noreferrer\">get started with the new ASP.NET Policy model<\/a>.\u00a0 Notes and links from their discussion follow.<\/p>\n<div style=\"text-align: center;\">\n  <iframe width=\"540\" height=\"320\" src=\"https:\/\/channel9.msdn.com\/Blogs\/Seth-Juarez\/Advanced-aspNET-Core-Authorization-with-Barry-Dorrans\/player\" allowfullscreen><\/iframe>\n<\/div>\n<p>Previously with ASP.NET you had to authorize based on the membership of a role or the value of a claim.\u00a0 With the new ASP.NET Core Policies, these security requirements can be expressed through code, which lets you enforce more complicated and more realistic authorization requirements.<\/p>\n<p>Barry explained that claims are properties of an Identity that are not necessarily stored 
in a Cookie, but for the purposes of this demo they are, which makes them very easy to use in multi-webserver scenarios.\u00a0 Seth cautioned against storing entire data tables in a claim. Examples of good claims to store include name, birth date, and email address.\u00a0 If you need more information from a claim, you could store a single value in a claim and then use that value to look it up in a database using a Claims Transformation.<\/p>\n<p>Barry used the example of the American minimum drinking age, 21 years old, to help define authorizing users.\u00a0 He inserted his birth date as a claim record into the sample code. Yes, Barry&#8217;s birth date is June 8th &#8211; be sure to wish him a happy birthday.\u00a0 We&#8217;d like to make the policy work in other countries where the minimum age may be 16, 18 or some other age.<\/p>\n<p>To enforce this requirement for a policy, the MinimumAgeRequirement class was created, which implements the AuthorizationHandler&lt;MinimumAgeRequirement&gt; base class and the IAuthorizationRequirement marker interface.\u00a0 The Handle method provided by the base class is where the enforcement of this requirement takes place.\u00a0 The AuthorizationContext that is passed in to this method is used to mark that the acting user passes this requirement by calling the Succeed method.\u00a0 Another possible outcome is to not mark success on the context, indicating that the requirement is not met and allowing another class to attempt to handle it.\u00a0 Finally, you can mark the context with Fail, which will stop all policy checks when there is a system error.<\/p>\n<p>The new requirement is added to the policy by calling policy.Requirements.Add(new MinimumAgeRequirement(21)) in the Startup.ConfigureServices method.<\/p>\n<p>In the real world, there may be multiple requirements that are logically OR&#8217;d together.\u00a0 The next sample highlights an office security scenario where people can gain entrance with 
either an employee badge, a visitor badge, or a temporary employee badge.\u00a0 In this case, the OfficeEntryRequirement is defined in one class and implements the marker interface IAuthorizationRequirement.\u00a0 There is no fancy logic for this, just a check for a badge, which will be implemented by one of several AuthorizationHandler classes.\u00a0 Barry implemented these as AuthorizationHandler&lt;OfficeEntryRequirement&gt; subclasses.\u00a0 In the HasBadgeHandler, the Handle method inspected the claim for the BadgeNumber and the issuer of the claim to verify that it meets the security requirements for the office.\u00a0 The second class was created to verify whether a temporary badge was issued and to check its expiration date.<\/p>\n<p>Barry demonstrated that a policy needs to be registered in the Startup.ConfigureServices method, and then the two handlers that were constructed need to be registered with the dependency injection framework so that they are available when testing the OfficeEntryRequirement.\u00a0 At the end of the same ConfigureServices method, Barry added two registrations that mapped IAuthorizationHandler to the Handler classes he previously created.\u00a0 These classes were registered as Singletons because they are simple and stateless.<\/p>\n<p>In the multiple requirement handler scenario, all requirements will always be evaluated so that any side-effects of the requirement handlers, like logging, are still enabled.<\/p>\n<p>Next, Barry and Seth looked at a demo about Resource-based Authorization.\u00a0 This allows you to grant access based on the action a user wants to take on some resource, perhaps a document, that the user may or may not have access to.\u00a0 This additional check can be enforced in AuthorizationHandler classes that implement a second type in the generic AuthorizationHandler&lt;T,K&gt; base class.\u00a0 The second type is the resource to inspect in order to determine access.\u00a0 However, the enforcement of the resource 
authorization can no longer take place in an Attribute and instead needs to take place in an AuthorizationService.\u00a0 In the MVC controller, Barry showed a test using the AuthorizationService.AuthorizeAsync method that, in the case of failure, returns a ChallengeResult that will route the user to an appropriate 403 Forbidden page or request additional credentials.<\/p>\n<p>Seth pointed out that this new design of authentication and authorization can be built completely separately from the application and added in where appropriate as the application is constructed.\u00a0 Additionally, this means that the policy and requirements code can be unit-tested.<\/p>\n<p>Barry showed an additional sample where he injected the AuthorizationService into a razor view with the @inject directive and used the AuthorizationService to show and hide items in the user-interface.\u00a0 This does not prevent access to the resource; it just hides the user-interface components, and the Controller class still requires the authorization check in place to prevent someone, like Seth, from navigating directly to the hidden menu items.<\/p>\n<p>Barry suggests you work through the <a href=\"https:\/\/github.com\/blowdart\/AspNetAuthorizationWorkshop\" target=\"_blank\" rel=\"noopener noreferrer\">workshop on his GitHub repository<\/a> and take a look at the other samples he has available.\u00a0 Some are sarcastic, some are interesting samples that you could use.\u00a0 All of the security features for the new ASP.NET Core are documented at <a href=\"http:\/\/docs.asp.net\" target=\"_blank\" rel=\"noopener noreferrer\">docs.asp.net<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After learning about the new Authorization Policy model in ASP.NET Core, our intrepid reporter Seth Juarez wanted to learn about more complicated ASP.NET Authorization policies.\u00a0 In the following video, he speaks with ASP.NET Security Analyst Barry Dorrans.\u00a0 Last time, Barry showed us how to get started with the new ASP.NET Policy model.\u00a0 Notes and links [&hellip;]<\/p>\n","protected":false},"author":405,"featured_media":58792,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197,7509],"tags":[123],"class_list":["post-6311","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aspnet","category-aspnetcore","tag-security"],"acf":[],"blog_post_summary":"<p>After learning about the new Authorization Policy model in ASP.NET Core, our intrepid reporter Seth Juarez 
wanted to learn about more complicated ASP.NET Authorization policies.\u00a0 In the following video, he speaks with ASP.NET Security Analyst Barry Dorrans.\u00a0 Last time, Barry showed us how to get started with the new ASP.NET Policy model.\u00a0 Notes and links [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/6311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/405"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=6311"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/6311\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/58792"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=6311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=6311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=6311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}