How do I use my own permissions in WCF?


Question

I am looking into using WCF built-in functionality to aid me in implementing an authorization service that sits on top of WCF. I already have tables such as:

User, Role, Permission (I also have composite entities: UserRole and RolePermission).

The Permission objects have custom properties like bool CanRead, bool CanWrite. The roles can contain many permissions.

How does this tie into WCF's existing framework for authorization? I'd like to try not to reinvent the wheel as much as possible. How do I use my own permissions? I can see how the roles work from the .NET examples but not my own custom Permission entities. Any hints to get me started in the right direction?

Answer

This article gives a basic overview of the normal way of doing this. Basically you construct a custom principal that contains the data relevant to a user's permissions in an IAuthorizationPolicy and attach the custom principal to the WCF OperationContext. This guarantees that regardless of how the threads are managed you can always access this principal via Thread.CurrentPrincipal.

If your permissions are simply based on role membership you can simply use standard mechanisms like PrincipalPermission.Demand() or wrapping your operations with PrincipalPermissionAttribute.

Alternatively, if you have more sophisticated permissions (e.g. Create | Delete | Update etc.), one approach would be to create a custom permission that implements IPermission. This approach also works well for things like value-based permissions (e.g. approve orders up to $500). In your code you can then construct the required permission and have it call Demand() to check whether your current custom principal is permitted. If these permissions can be made serializable it often also makes sense to create a companion attribute to support declarative security that uses each permission.

The above approaches integrate nicely with WCF and the .NET security infrastructure and once you get your head around IPermission provide an elegant and maintainable solution.
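As an added illustration of the custom IPermission approach described in the answer (example code written for this page, not code from the answer, the question, or any library): a hypothetical PermissionPrincipal carrying the CanRead/CanWrite flags from the Permission table, and a hypothetical ResourceAccessPermission whose Demand() checks it. It assumes the principal has already been attached to the operation by an IAuthorizationPolicy as the answer describes, so that Thread.CurrentPrincipal returns it inside the service operation, and it targets .NET Framework, where IPermission and ISecurityEncodable live.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical principal built from the User/Role/Permission tables; the IAuthorizationPolicy
// described in the answer would construct it and attach it to the OperationContext.
public sealed class PermissionPrincipal : IPrincipal
{
    private readonly HashSet<string> roles;
    public IIdentity Identity { get; }
    public bool CanRead { get; }
    public bool CanWrite { get; }
    public PermissionPrincipal(IIdentity id, IEnumerable<string> roles, bool canRead, bool canWrite)
    { Identity = id; this.roles = new HashSet<string>(roles); CanRead = canRead; CanWrite = canWrite; }
    public bool IsInRole(string role) => roles.Contains(role);
}
[Flags] public enum Access { None = 0, Read = 1, Write = 2 }
// Custom IPermission: Demand() compares the access an operation needs with what the current
// PermissionPrincipal was granted and throws SecurityException on any shortfall.
public sealed class ResourceAccessPermission : IPermission
{
    public Access Required { get; private set; }
    public ResourceAccessPermission(Access required) { Required = required; }
    public void Demand()
    {
        var p = Thread.CurrentPrincipal as PermissionPrincipal;  // null when no custom principal is attached
        var granted = (p?.CanRead == true ? Access.Read : Access.None) | (p?.CanWrite == true ? Access.Write : Access.None);
        if ((Required & ~granted) != Access.None)
            throw new SecurityException("Access denied: missing " + (Required & ~granted));
    }
    // Set algebra the IPermission contract requires; a null or foreign target counts as empty.
    public IPermission Copy() => new ResourceAccessPermission(Required);
    public IPermission Intersect(IPermission target) =>
        target is ResourceAccessPermission t ? new ResourceAccessPermission(Required & t.Required) : null;
    public IPermission Union(IPermission target) =>
        target is ResourceAccessPermission t ? new ResourceAccessPermission(Required | t.Required) : Copy();
    public bool IsSubsetOf(IPermission target) =>
        target is ResourceAccessPermission t ? (Required & ~t.Required) == Access.None : Required == Access.None;
    // ISecurityEncodable members, so a companion attribute can serialize the permission.
    public SecurityElement ToXml()
    {
        var e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName); e.AddAttribute("version", "1");
        e.AddAttribute("Required", Required.ToString());
        return e;
    }
    public void FromXml(SecurityElement e) => Required = (Access)Enum.Parse(typeof(Access), e.Attribute("Required"));
}
```

A service operation guards itself with `new ResourceAccessPermission(Access.Write).Demand();` as its first statement; a caller whose principal lacks CanWrite gets a SecurityException, which WCF surfaces to the client as a fault instead of the operation's result.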
