ASP.NET Identity中角色与声明的最佳实践 [英] Best Practices for Roles vs. Claims in ASP.NET Identity

问题描述

我对在ASP.NETIdentity中使用claims完全陌生，希望了解使用Roles and/or Claims的最佳实践.

I am completely new to the use of claims in ASP.NETIdentity and want to get an idea of best practices in the use of Roles and/or Claims.

在阅读完所有内容后，我仍然有类似的问题...

After all this reading, I still have questions like...

问:我们不再使用角色了吗?
问:如果可以，为什么仍然提供角色?
问:我们只应使用Claims?
问:我们应该使用Roles&一起索赔吗?

Q: Do we no longer use Roles?
Q: If so, why are Roles still offered?
Q: Should we only use Claims?
Q: Should we use Roles & Claims together?

我最初的想法是我们应该"一起使用它们.我认为Claims是它们支持的Roles的子类别.

My initial thought is that we "should" use them together. I see Claims as sub-categories to the Roles they support.

示例:
角色:会计
索赔:CanUpdateLedger，CanOnlyReadLedger，CanDeleteFromLedger

FOR EXAMPLE:
Role: Accounting
Claims: CanUpdateLedger, CanOnlyReadLedger, CanDeleteFromLedger

问:它们打算互斥吗?
问:还是只进行索赔并完全合格"您的索赔更好?
问:那么这里的最佳做法是什么?

Q: Are they intended to be mutually exclusive?
Q: Or is it better to go Claims ONLY and "fully-qualify" you claims?
Q: So what are the best practices here?

示例:使用角色&一起索赔
当然，您必须为此编写自己的属性逻辑...

EXAMPLE: Using Roles & Claims Together
Of course, you would have to write your own Attribute logic for this...

[Authorize(Roles="Accounting")]
[ClaimAuthorize(Permission="CanUpdateLedger")]
public ActionResult CreateAsset(Asset entity)
{
    // Do stuff here

    return View();
}

示例:完全符合您的要求

[ClaimAuthorize(Permission="Accounting.Ledger.CanUpdate")]
public ActionResult CreateAsset(Asset entity)
{
    // Do stuff here

    return View();
}

推荐答案

角色是一个象征性类别，它将具有相同安全特权级别的用户聚集在一起.基于角色的授权需要首先标识用户，然后确定为用户分配的角色，最后将这些角色与被授权访问资源的角色进行比较.

A role is a symbolic category that collects together users who share the same levels of security privileges. Role-based authorization requires first identifying the user, then ascertaining the roles to which the user is assigned, and finally comparing those roles to the roles that are authorized to access a resource.

相反，声明不是基于组的，而是基于身份的.

In contrast, a claim is not group based, rather it is identity based.

来自 Microsoft文档:

创建身份后，可以为其分配一个或多个由受信任方发出的声明.声明是一个名称值对，表示对象是什么，而不是对象可以做什么.

When an identity is created it may be assigned one or more claims issued by a trusted party. A claim is a name value pair that represents what the subject is, not what the subject can do.

安全检查稍后可以根据一个或多个声明的值确定访问资源的权利.

A security check can later determine the right to access a resource based on the value of one or more claims.

您可以同时使用这两种类型，或者在某些情况下使用一种类型，而在其他情况下使用另一种类型.它主要取决于与其他系统的互操作以及您的管理策略.例如，对于管理员来说，管理分配给角色的用户列表比管理分配了特定索赔的人要容易得多.声明在RESTful场景中非常有用，您可以将声明分配给客户端，然后客户端可以提出声明以进行授权，而不是为每个请求传递用户名和密码.

You can use both in concert, or use one type in some situations and the other in other situations. It mostly depends on the inter-operation with other systems and your management strategy. For example, it might be easier for a manager to manage a list of users assigned to a role than it is to manage who has a specific Claim assigned. Claims can be very useful in a RESTful scenario where you can assign a claim to a client, and the client can then present the claim for authorization rather than passing the Username and Password for every request.

这篇关于ASP.NET Identity中角色与声明的最佳实践的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！