Authorization & User info in a Service Layer (.NET application)

Views: 168

Question


I am currently working with an enterprise application in a .NET environment (n-layered) and I would like to know the best way to manage authentication / authorization + data filtering in my BusinessLayer (BL). We will use that BL from several interfaces (ASP.NET applications and WebServices) and I think that my ServiceLayer should do the job but I just can't find the best way.


I suppose it could be something like this:
(1) User gets authenticated (ASP.NET web client), perhaps using FormsAuthentication.
(2) ASP .NET code (Controller / CodeBehind) instantiates a Service to get some user case done, passing somehow the 'User'.
(3) Service method checks if 'User' exists (authentication) and his roles (authorization) to verify that he can call that method. If not authenticated or authorized an exception is thrown.
(4) Service uses repositories + other services + whatever it needs to get the job done. If some kind of fine-grain filtering is required (for example the User only has permissions over some projects) the service applies it automatically.


What I want is to get a ServiceLayer isolated from 'the web stuff' (not accessing session...) but who knows the User calling its methods to act correctly. Also I don't know how to match that work with ASP .NET authentication in a good manner... I am thinking of supplying the 'User' in the Service ctor, so that its methods have the 'context' they need, could that work?... I would appreciate some indications or existing code snippets on that.


Thank you for your help...

Answer


First of all, Authentication and Authorization are two separate things. Your question implies that you already know this, but I just wanted to be explicit about it.


Authentication should happen at the application boundary (e.g. Forms Authentication in a web application).


The default approach is that the Authentication module sets Thread.CurrentPrincipal upon successful authentication.


In general, IPrincipal is the standard basis for modeling user context in .NET. For example, HttpContext.User is an IPrincipal.


In your Domain Model and Data Access modules, you can use Thread.CurrentPrincipal to implement Authorization logic. This allows you to vary Authentication and Authorization independently of each other.
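The following is an added example illustrating the pattern the answer describes; it is not code from the question or answer above. It assumes a hypothetical `ProjectService` with an in-memory `IProjectRepository` (constructed sample data), and shows the application boundary setting `Thread.CurrentPrincipal` (as Forms Authentication would) while the service layer only ever reads `IPrincipal` for its role check and its fine-grained per-user filtering, without touching `HttpContext` or `Session`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical domain type used only for this illustration.
public class Project
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string OwnerName { get; set; }
}

// Hypothetical repository abstraction; a real one would query the data store.
public interface IProjectRepository
{
    IEnumerable<Project> GetAll();
}

public class InMemoryProjectRepository : IProjectRepository
{
    // Constructed sample data for the example.
    private readonly List<Project> _projects = new List<Project>
    {
        new Project { Id = 1, Name = "Alpha", OwnerName = "alice" },
        new Project { Id = 2, Name = "Beta",  OwnerName = "bob"   },
        new Project { Id = 3, Name = "Gamma", OwnerName = "alice" },
    };

    public IEnumerable<Project> GetAll() => _projects;
}

public class ProjectService
{
    private readonly IProjectRepository _repository;

    public ProjectService(IProjectRepository repository)
    {
        _repository = repository;
    }

    // The service reads the caller from Thread.CurrentPrincipal only,
    // so it has no dependency on HttpContext or Session.
    private static IPrincipal CurrentUser => Thread.CurrentPrincipal;

    private static void RequireAuthenticated()
    {
        var user = CurrentUser;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Caller is not authenticated.");
    }

    private static void RequireRole(string role)
    {
        RequireAuthenticated();
        if (!CurrentUser.IsInRole(role))
            throw new UnauthorizedAccessException($"Role '{role}' is required.");
    }

    // Coarse-grained authorization: a role check before the method runs.
    public IEnumerable<Project> GetAllProjects()
    {
        RequireRole("Admin");
        return _repository.GetAll().ToList();
    }

    // Fine-grained filtering: non-admin callers only see projects they own.
    public IEnumerable<Project> GetMyProjects()
    {
        RequireAuthenticated();
        var all = _repository.GetAll();
        if (CurrentUser.IsInRole("Admin"))
            return all.ToList();
        var name = CurrentUser.Identity.Name;
        return all.Where(p => p.OwnerName == name).ToList();
    }
}

public static class Demo
{
    public static void Main()
    {
        var service = new ProjectService(new InMemoryProjectRepository());

        // Application boundary: what the authentication module does on success.
        // Here a GenericPrincipal stands in for the Forms Authentication principal.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "User" });
        foreach (var p in service.GetMyProjects())
            Console.WriteLine($"alice sees {p.Name}");      // Alpha, Gamma

        try { service.GetAllProjects(); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }

        // An empty-named GenericIdentity reports IsAuthenticated == false.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        try { service.GetMyProjects(); }
        catch (SecurityException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the service never looks past `IPrincipal`, the same class can be exercised from a web front end, a WebService host, or a unit test that simply assigns `Thread.CurrentPrincipal` before calling it. One caveat: `Thread.CurrentPrincipal` is ambient, per-thread state, so code that hops threads (thread pool work, async continuations) must make sure the principal is carried along, or pass the `IPrincipal` explicitly as the question suggests.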
