是否可以在ASP.NET MVC&中缓存授权身份2.0? [英] Is it possible to cache authorizations in ASP.NET MVC & Identity 2.0?

问题描述

如果这个问题有点离题，请告诉我.我将把它带到其他地方，但是我想对如何在现有项目中完成某件事获得一些想法.

if this question is somehow off-topic, let me know. I will take it elsewhere, but I wanted to get some ideas on how to accomplish something within an existing project.

我的Web应用程序(使用ASP.NET MVC 5和ASP.NET Identity 2.0)通过自定义角色提供程序执行授权(通过那些奇特的 Authorize 属性).每次授权检查(例如 Authorize(Roles ="Admin"))都需要查询数据库以执行以下操作:

My web app (using ASP.NET MVC 5 and ASP.NET Identity 2.0) performs authorization (via those fancy Authorize attributes) with a custom Role Provider. Every authorization check (like Authorize(Roles = "Admin")) requires querying the database to perform the following:

• 从 Semesters 表中获取当前的学期"(检查当前日期和时间在哪个日期范围内)
• 从 Positions 表中获取名称为"Admin"的职位
• 检查 Leaders 表中是否存在包含当前用户ID，获取的学期ID和获取的职位ID的记录.

• Get the current "semester" (check what date range the current date & time falls within) from the Semesters table
• Get the position with the name "Admin" from the Positions table
• Check if there exists a record in the Leaders table containing the current user ID, the obtained semester ID, and the obtained position ID.

如果有记录，则对用户进行授权，否则就没有授权.明确地说，对角色的分配与一个学期绑定在一起，以便将相应的特权限制在一个学期内.也就是说，一旦学期结束，用户将不再拥有自己的权力，但是下一个学期被任命的下一个人将立即获得其权力.

If a record exists, the user is authorized, otherwise they are not. To be clear, assignment to a role is tied to a semester in order to limit the corresponding privileges to the duration of a semester. I.e., once the semester ends, the user no longer has their powers, but the next person appointed for the next semester will immediately gain theirs.

我的大多数用户都属于角色，这些角色在他们访问的大部分页面(而非全部)中都得到了检查.每当我需要授权时，所有这些步骤都会执行.

Most of my users fall into roles that are checked on a great majority of the pages they visit, but not all. All of those steps are performed, every time I need to authorize.

这里是数据库的图像，只是为了清楚起见:

Here is an image of the database just to make it clear:

是否有一种方法可以缓存(这样我就不必不断查询数据库)这些授权的时间长度等于从第一次执行/缓存检查到本学期结束的时间?还是只在合理的时间内缓存它们?理想情况下，如果由于任何原因更新了一个学期或职位，那么授权将以某种方式变得无效并重新缓存.最后，自定义RoleProvider是实现此目标的可靠方法吗?

Is there a way to cache (so that I don't have to constantly query the database) these authorizations for a length of time equivalent to the time from when the check is first performed/cached to the end of the semester? Or just cache them at all for any amount of time that's reasonable? Ideally, if a semester or position is updated for whatever reason, the authorizations would somehow be made invalid and re-cached. Lastly, is a custom RoleProvider a solid way to go about this?

推荐答案

我会小心缓存授权本身.您想要保持灵活性，而无需仔细设计，就可以轻松戳破应用程序中的安全漏洞.

I'd be careful of caching the authorization, itself. You want to remain flexible with that, and without careful design, you can easily poke security holes in your application.

但是，您为获取用于进行授权确定的信息而进行的查询可能会被缓存.为此，我建议使用 MemoryCache .简单地:

However, the queries you're making to get the information that is used to make the authorized determination could be potentially cached. For that, I'd recommend using MemoryCache. Simply:

ObjectCache cache = MemoryCache.Default;

...

var foos = cache.Get("key") as List<Foo>;
if (foos == null)
{
    foos = repo.GetFoos();
    cache.Add("key", foos, new CacheItemPolicy
    { 
        AbsoluteExpiration = DateTimeOffset.Now.AddHours(1)
    });
}

// do something with `foos`

基本上就是它的工作方式，但是在类似Web的环境中，您需要考虑并发性.我在博客上写了一个帖子，该帖子提供了扩展程序，使处理起来更加容易.

That's basically how it works, but in an environment like the web, you need to think about concurrency. I wrote a post on my blog that provides an extension to make handling this a lot easier.

这篇关于是否可以在ASP.NET MVC&中缓存授权身份2.0?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！