Is It Possible to Model Complex Claims (hierarchical / nested / etc)?


Question

Using Windows Identity Foundation (WIF) in tandem with a Security Token Service (STS), is it possible to create complex claims that could satisfy a question such as:

For a user with a claim to a role "Support", that user:

  • Can only view and use resource1
  • CAN NOT update, create, or delete resource2
  • CAN NOT create, or delete resource3
  • Can only use and update resources with a "resource" tag.

It's a necessarily contrived example but is this possible? I'm thinking I want to authorize the authenticated user with basic claims and then add the relevant complex claims in the application (where those claims will be stored in a database and under control of application users).

Thanks, Richard

Answer

You can definitely model it like that - they are just strings - whatever you can do to strings you can do to claims ;)

But it would be definitely an anti-pattern. Claims describe the identity of a user - which might include coarse grained authorization information. There's a fine line here.

But for your use case you would rather implement your authorization policy in a ClaimsAuthorizationManager and use the identity claims as input to "calculate" your fine grained authorization decisions.
