How can I ensure that IsInRole checks are not using cached credentials

Problem description

I have a WPF client that connects to a WCF service, and I want to lock down some of the functionality so that only certain users can perform certain actions. The WCF service impersonates the client user when executing service methods. The OS is Windows XP.

I was reading this question as part of my investigation into the best way to apply user roles to features in my application (I want to assign users to AD security groups, and then check IsInRole), and am worried that cached permissions will allow users who have had their permissions reduced to access functionality they no longer have permission to. Conversely, I am also worried that users who have had their permissions upgraded will need to log out of their Windows account, or even that the WCF service might have to be restarted (worst case scenario) before they can access the new functionality.

What is the simplest way to ensure that both client and server can immediately see changes to the AD security groups?

Recommended answer

You can always implement your own membership provider that queries the AD. It's pretty easy and you'll be sure that all permission evaluations are accurate, or at least exactly as you want them to be.

If you find querying the AD server on each evaluation to be "expensive" on performance you can create your own cache on the client which you can force to refresh periodically or on demand. This cache can be as simple as an indexed list (like a Dictionary) of permissions that you can query pretty fast.

Here's a good article on how to interact with AD: http://www.codeproject.com/KB/system/everythingInAD.aspx
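
The approach the answer describes, as an added example (not code from the original answer): a role check that reads group membership from AD through System.DirectoryServices.AccountManagement and keeps it in a Dictionary with a maximum age and an on-demand refresh. The class name AdRoleCache and its members are hypothetical, and it assumes the check runs in a domain-joined process such as the WCF service.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper (not from the page): role checks answered from a live AD
// query, cached per user for a bounded time instead of read from the logon token.
public sealed class AdRoleCache
{
    private sealed class Entry { public HashSet<string> Groups; public DateTime FetchedUtc; }

    private readonly Dictionary<string, Entry> _entries =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();
    private readonly TimeSpan _maxAge;

    public AdRoleCache(TimeSpan maxAge) { _maxAge = maxAge; }

    // True only if the cached or freshly queried AD data lists the user in the group.
    // If AD cannot be reached the query throws, so the caller gets no stale "yes".
    public bool IsInRole(string samAccountName, string groupName)
    {
        lock (_gate)
        {
            Entry e;
            if (!_entries.TryGetValue(samAccountName, out e) ||
                DateTime.UtcNow - e.FetchedUtc > _maxAge)
            {
                e = new Entry { Groups = QueryGroups(samAccountName), FetchedUtc = DateTime.UtcNow };
                _entries[samAccountName] = e;
            }
            return e.Groups.Contains(groupName);
        }
    }

    // On-demand refresh: drop one user's entry so the next check goes back to AD.
    public void Invalidate(string samAccountName) { lock (_gate) { _entries.Remove(samAccountName); } }

    // Reads direct and nested security groups from the directory.
    private static HashSet<string> QueryGroups(string samAccountName)
    {
        var groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return groups;   // unknown user: empty set, every check is denied
            foreach (Principal g in user.GetAuthorizationGroups())
                if (g.SamAccountName != null) groups.Add(g.SamAccountName);
        }
        return groups;
    }
}
```

A shorter maxAge narrows the window in which a removed group membership is still honored; calling Invalidate after a known group change closes it immediately for that user.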
