.NET的WebAPI集中授权 [英] .NET WebAPI centralized Authorization
问题描述
在.NET中的WebAPI,我创建了一个办法让所有的授权规则在一个中心位置,而不是分散在整个控制器。我很好奇,为什么这个集权没有做更多的时候;是否有反响/安全问题?
In .NET WebAPI, I've created a way to have all of the authorization rules in a central location, rather than scattered throughout controllers. I'm curious why this centralization isn't done more often; are there repercussions/security concerns?
我目前的做法是创建一个包含所有我的授权数据,然后使用DelegatingHandler申请的限制(低于code)App_Start期间词典。这本字典关键是控制器和动作的元组,和值是授权的角色。该DelegatingHandler关系到的WebAPI的路由配置可以让该控制器被调用,然后使用字典,以确定该请求是否被允许。
My current approach is to create a Dictionary during App_Start that contains all of my Authorization data then using a DelegatingHandler to apply the restrictions (code below). The dictionary key is a Tuple of the Controller and Action, and the value is the authorized roles. The DelegatingHandler ties into WebAPI's routing config to get which controller is called, then uses the Dictionary to determine whether the request is allowed.
词典:
var authorizations = new Dictionary<Tuple<string, string>, string>();
authorizations.Add(new Tuple<string, string>("values", "get"), "public");
authorizations.Add(new Tuple<string, string>("values", "put"), "private");
DelegatingHandler:
public class SecurityDelegateHandler : DelegatingHandler
{
private readonly Dictionary<Tuple<string, string>, string> _authorizations;
public SecurityDelegateHandler(Dictionary<Tuple<string, string>, string> auth)
{
_authorizations = auth;
}
protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
{
var config = GlobalConfiguration.Configuration;
var controllerSelector = new DefaultHttpControllerSelector(config);
var descriptor = controllerSelector.SelectController(request);
string restrictions;
if (!_authorizations.TryGetValue(
new Tuple<string, string>(descriptor.ControllerName.ToLower(),
request.Method.ToString().ToLower()), out restrictions))
{
return Task<HttpResponseMessage>.Factory.StartNew(() =>
request.CreateResponse(HttpStatusCode.Forbidden,
"Access denied on unconfigured actions"),
cancellationToken);
}
if (!(Roles.Provider).GetRolesForUser(
HttpContext.Current.User.Identity.Name).Any(r =>
restrictions.Contains(r)))
{
return Task<HttpResponseMessage>.Factory.StartNew(() =>
request.CreateResponse(HttpStatusCode.Forbidden,
"Access Denied"), cancellationToken);
}
return base.SendAsync(request, cancellationToken);
}
}
在总之,我的问题是:
- 有没有以这种方式实现基于角色授权任何问题?
- 有什么好看的包在那里,手柄集中授权的WebAPI?我看着FluentSecurity,但这似乎并不支持的WebAPI 。
- Are there any problems with implementing Role Based Authorization in this way?
- Are there any good packages out there that handle centralizing authorization for WebAPI? I've looked into FluentSecurity, but that doesn't appear to support WebAPI.
谢谢!
推荐答案
您的做法是一个很好的一个。你应该分开的担忧。这意味着从非功能逻辑/需求分离业务逻辑(例如记录,验证和当然授权)。
Your approach is a good one. You should separate concerns. This means separating business logic from non-functional logic/requirements (e.g. logging, authentication, and of course authorization).
为什么这次却没有做更广泛的原因是因为它更容易外化身份验证或记录比它是外部授权哪个更关系到你的业务。
The reason why this hasn't been done more broadly is because it's much easier to externalize authentication or logging than it is to externalize authorization which is more related to your business.
不同的编程框架,提供了当今外部化授权。微软基于声明的授权,Java有例如几个框架春季安全,SunXACML ... PHP有Yii的,Ruby有康康舞......这些框架让你实现基于角色的访问控制,甚至基于属性的访问控制。如果你不熟悉这些术语,请查看NIST的网页:
Different programming frameworks provide externalized authorization today. Microsoft has claims-based authorization, Java has several frameworks e.g. Spring Security, SunXACML... PHP has Yii, Ruby has CanCan... These frameworks let you implement role-based access control and even attribute-based access control. If you're not familiar with these terms, check out NIST's webpage:
- NIST RBAC
- NIST ABAC
如果你想有一个解决方案,技术中立的,即是你可以使用面向Java,.NET,PHP ...您可以使用XACML,即可扩展访问控制标记语言。这是OASIS标准就像是SAML(SAML的重点是联合ID和SSO; XACML侧重于细粒度授权)。您可以在 OASIS 的网站上和的维基百科,我尽量保持页面。除了外部化授权,XACML还定义了一个基于策略的方法来授权,这使得一个非常可扩展的方法。
If you want a solution that is technology-neutral, i.e. something you can use for Java, .NET, PHP... you can use XACML, the eXtensible Access Control Markup Language. It's an OASIS standard just like SAML is (SAML focuses on federated id and SSO; XACML focuses on fine-grained authorization). You can read more on XACML on the OASIS website and on Wikipedia where I try to maintain the page. In addition to externalizing authorization, XACML also defines a policy-based approach to authorization which makes a very scalable approach.
有几个开源选项(JBoss的,SunXACML,OpenAM ...)为XACML,以及供应商,如一个我工作,的公理化。
There are several open source options (JBoss, SunXACML, OpenAM...) for XACML as well as vendors such as the one I work for, Axiomatics.
心连心
这篇关于.NET的WebAPI集中授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
