Claim based authorization design for conditional edit operation in ASP.NET MVC App


Question

Designing an ASP.Net MVC application authorization using claim based model. Lets say that we have an object called - Product. Typically, there are 4 different actions - Create, Edit, Delete and View. Authorization is done using ClaimsAuthorize attribute.

using System.Collections.Generic;
using System.Web.Mvc;

[Authorize]
public class ProductController : Controller
{
     // ClaimsAuthorize is the claims-checking attribute referred to in the question
     // (a custom or library attribute); its implementation is not part of the question.
     [ClaimsAuthorize("Product", "VIEW")]
     public List<Product> GetProducts()
     {
         // ....
         return new List<Product>();
     }

     [ClaimsAuthorize("Product", "CREATE")]
     public Product CreateNewProduct(Product product)
     {
         //....
         return product;
     }
}

But in my case, I have to support different types of EDIT permissions:


  1. 有些用户可以编辑产品,如果同一用户已经创建了最初的产品

  1. Some Users can Edit the product if the same user has created the Product originally

有些用户可以编辑该产品,如果产品属于特定类别和用户也可以访问相同的类别

Some users can Edit the product if the Product belongs to a specific category and the user also has access to the same category

一些用户可以编辑的所有产品(这是正常的产品编辑操作)

Some users can Edit all the products (this is the normal Product Edit operation)

How do you elegantly authorize all these Edit operations (preferably attribute driven as shown above)? At the same time, I want to keep the authorization code separate from the normal MVC controller code and business logic.

[Above code sample is not syntactically correct, I just made it up for the purpose of explaining this question] Let me know your thoughts.

Answer

For the first part of your question, claim based authorization, I have already answered it in this similar question (http://stackoverflow.com/questions/29988858/custom-authentication-and-authorization-based-on-user-rights/31755231#31755231), and I am not going to repeat it here.

But for your other rules, like products editable only by the owner, you could write a separate AuthorizeAttribute for each rule and apply them on your Actions. Consider this as a simple example:

using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Assumed service contract ("imagine you have a service which could check owner of
// product based on userID and ProductID"); the implementation is application specific.
public interface IProductService
{
    bool IsOwner(string userId, int productId);
}

public class OwnerAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _keyName;
    public bool IsPost { get; set; }

    public OwnerAuthorizeAttribute(string keyName)
    {
        _keyName = keyName;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!httpContext.User.Identity.IsAuthenticated || !ContainsKey(httpContext))
        {
            return false;
        }

        // Fail closed on a missing or non-numeric key instead of throwing.
        int productId;
        object rawKey = KeyValue(httpContext);
        if (rawKey == null || !int.TryParse(rawKey.ToString(), out productId))
        {
            return false;
        }

        // The ownership service is resolved from the MVC dependency resolver here;
        // wire it up with your container of choice.
        var productService = DependencyResolver.Current.GetService<IProductService>();
        return productService != null
            && productService.IsOwner(httpContext.User.Identity.GetUserId(), productId);
    }

    private bool ContainsKey(HttpContextBase httpContext)
    {
        return IsPost
            ? httpContext.Request.Form.AllKeys.Contains(_keyName)
            // for simplicity I just check route data
            // in real world you might need to check query string too
            : httpContext.Request.RequestContext.RouteData.Values.ContainsKey(_keyName);
    }

    private object KeyValue(HttpContextBase httpContext)
    {
        return IsPost
            ? httpContext.Request.Form[_keyName]
            // for simplicity I just check route data
            // in real world you might need to check query string too
            : httpContext.Request.RequestContext.RouteData.Values[_keyName];
    }
}

You could repeat the same pattern for your other rules too.

And you could simply apply your custom attributes to your actions:

[OwnerAuthorize("id")]
public ActionResult Edit(int id)
{
    // your code
}

[HttpPost]
// double checking in post back too 
[OwnerAuthorize("id", IsPost = true)]
public ActionResult Edit(Product product)
{
    // your code
}

It is obvious you could apply more than one AuthorizeAttribute to your actions. In this case all of them must return true.

[ClaimsAuthorize("Product", "EDIT")]
[OwnerAuthorize("id")]
[YetOtherAuthorize]
public ActionResult MyFancyAction(int id)
{
    return View();
}
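Stacked AuthorizeAttributes are AND-ed (every one must return true, as the answer says), whereas the question's three Edit rules are alternatives: a user may edit if any one of them holds. As an added example (not code from the question or the answer), here is one way to express those three rules as a single attribute with OR semantics. It assumes a hypothetical IProductLookup/ProductInfo pair for fetching a product's owner and category, assumed claim type strings (urn:example:permission, urn:example:category, value "Product:EDIT"), and that the current user is a ClaimsPrincipal, as it is with ASP.NET Identity. It goes beyond the answer's snippet in two ways: the product id is read from route data, then query string, then form, failing closed when it is absent or malformed, and an authenticated caller who fails every rule receives 403 instead of a login redirect.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Hypothetical types for this example; GetProduct returns null for an unknown id.
public class Product { public int Id { get; set; } }
public class ProductInfo
{
    public string OwnerUserId { get; set; }
    public string Category { get; set; }
}
public interface IProductLookup
{
    ProductInfo GetProduct(int productId);
}

// Grants Edit if ANY of the three rules from the question holds:
//   1. the caller owns the product,
//   2. the caller holds a category claim matching the product's category,
//   3. the caller holds the global "Product:EDIT" permission claim.
public class ProductEditAuthorizeAttribute : AuthorizeAttribute
{
    // Claim types and values are assumptions for this example; match them to your issuer.
    public const string PermissionClaimType = "urn:example:permission";
    public const string CategoryClaimType = "urn:example:category";
    public const string GlobalEditPermission = "Product:EDIT";

    private readonly string _keyName;

    public ProductEditAuthorizeAttribute(string keyName)
    {
        _keyName = keyName;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null || !principal.Identity.IsAuthenticated) return false;

        // Rule 3 needs no product data, so evaluate it first.
        if (principal.HasClaim(PermissionClaimType, GlobalEditPermission)) return true;

        // Rules 1 and 2 need the product; fail closed if the id is missing or malformed.
        int productId;
        if (!TryGetProductId(httpContext, out productId)) return false;

        var lookup = DependencyResolver.Current.GetService<IProductLookup>();
        var product = lookup == null ? null : lookup.GetProduct(productId);
        if (product == null) return false;

        // Rule 1: ownership.
        if (string.Equals(product.OwnerUserId, principal.Identity.GetUserId(), StringComparison.Ordinal))
            return true;

        // Rule 2: category access granted through a claim.
        return product.Category != null
            && principal.HasClaim(CategoryClaimType, product.Category);
    }

    // Reads the key from the same places the model binder does: route, query string, form.
    private bool TryGetProductId(HttpContextBase httpContext, out int productId)
    {
        productId = 0;
        var routeValues = httpContext.Request.RequestContext.RouteData.Values;
        object raw = routeValues.ContainsKey(_keyName) ? routeValues[_keyName] : null;
        string text = raw != null
            ? raw.ToString()
            : httpContext.Request.QueryString[_keyName] ?? httpContext.Request.Form[_keyName];
        return text != null && int.TryParse(text, out productId);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An authenticated caller who fails every rule gets 403, not a redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class ProductController : Controller
{
    [ProductEditAuthorize("id")]
    public ActionResult Edit(int id) { return View(); }

    // The POST is checked again against the posted "Id" form field, which is the value the
    // action will actually save; authorizing a different value than the one used is the classic mistake.
    [HttpPost, ValidateAntiForgeryToken]
    [ProductEditAuthorize("Id")]
    public ActionResult Edit(Product product) { return RedirectToAction("Edit", new { id = product.Id }); }
}
```

Because the lookup is resolved inside AuthorizeCore rather than in the attribute's constructor, the attribute instance (which MVC caches) never holds a stale service reference. The order of the rules is a deliberate choice: the global permission needs no data access, so it is evaluated first and the product is only loaded for callers who are not blanket editors.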
