根据用户权限定制的认证和授权 [英] Custom authentication and authorization based on user rights
问题描述
目前我正在开发使用MS SQL Server数据库的一个ASP.Net MVC 5应用程序。我需要基于ASP.Net 2.0的身份来实现身份验证和授权。我只是通过Identity的基本概念去,并试图实现相同的在我的应用程序。由于数据库已经定义,我需要定制身份一点点。当我看着到数据库中,表是有点不同,我通常在样本标识项目中。
Currently I’m developing an ASP.Net MVC 5 application with MS Sql server database. I need to implement authentication and authorization based on ASP.Net identity 2.0. I just went through basic concepts of Identity and try to implement the same in my application. Since the database is already defined, I need to customize Identity a little bit. When I looked on to the database, tables are little bit different that I normally found in sample identity projects.
从图像中可以看到,有一个名为用户组并定义一套基于模块的权利对他们的表。有相同的权利将是默认用户访问。如果你想改变任何权利,你可以通过设置用户权限表权限覆盖它。
From the image you can see that there is a table named user group and defined set of rights to them based on module. The same rights will be accessible to the user by default. If you want to change any rights you can override it by setting permission in User Rights table.
所以我的第一个问题是,ASP。使用自定义的授权和授权网络身份是实现这样的情况下正确的方法是什么?
So my first question is, ASP. Net Identity with Custom Authorization and Authorization is the right method to implement a scenario like this?
从视图的角度来看,我不得不生成基于用户/用户组权限的菜单,还需要启用/基于这些禁用的按钮。我能够生成菜单基于数据库的值。但我需要授权每一位客户的要求和我认为AuthorizeAttribute是最好的选择。请建议?任何一个优秀的设计模式或交的是AP preciated。
From the view perspective, I have to generate a menu based on user / user group rights and also want to enable / disable buttons based on them. I was able to generate menu based on database values. But I need to authorize each and every client request and for that I think AuthorizeAttribute is the best option. Please suggest? Any good design patterns or post are appreciated.
推荐答案
当然身份如此强大和灵活的可定制的。使用您的用户权利,索赔然后写一个自定义的 AuthorizeAttribute 来检查例如索赔考虑这个code:
Sure Identity so powerful and flexible you can customized it. Use your user right as a claim then write a customized AuthorizeAttribute to check the claims for example consider this code:
[HttpPost]
public ActionResult Login(string username, string password)
{
if (_userManager.IsValid(username, password)) // your own user manager
{
var ident = new ClaimsIdentity(
new[]
{
// adding following 2 claim just for supporting default antiforgery provider
new Claim(ClaimTypes.NameIdentifier, username),
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string"),
new Claim(ClaimTypes.Name, username),
// populate assigned user rightID's form the DB and add each one as a claim
new Claim("UserRight","FirstAssignedUserRightID"),
new Claim("UserRight","SecondAssignedUserRightID"),
},
DefaultAuthenticationTypes.ApplicationCookie);
HttpContext.GetOwinContext().Authentication.SignIn(
new AuthenticationProperties { IsPersistent = false }, ident);
return RedirectToAction("MyAction"); // auth succeed
}
// invalid username or password
ModelState.AddModelError("", "invalid username or password");
return View();
}
和写索赔依据授权属性:
And write the claim based authorize attribute:
public class ClaimsAccessAttribute : AuthorizeAttribute
{
// in the real world you could get claim value form the DB,
// I simplified the example
public string ClaimType { get; set; }
public string Value { get; set; }
protected override bool AuthorizeCore(HttpContextBase context)
{
return context.User.Identity.IsAuthenticated
&& context.User.Identity is ClaimsIdentity
&& ((ClaimsIdentity)context.User.Identity).HasClaim(x =>
x.Type == ClaimType && x.Value == Value);
}
}
目前你只需要你的属性添加到你的行动结束:
At the end you just need to add your attribute to your actions:
[ClaimsAccess(CliamType="UserRight",Value="YourRightID"]
public ActionResult MyAction()
{
// also you have access the authenticated user's claims
// simply by casting User.Identity to ClaimsIdentity
// ((ClaimsIdentity)User.Identity).Claims
}
我省略用户组简化的例子,也是我辛苦$ C $的CD,你需要某些部分来写提供商从数据库获取。
I omitted user group to simplify the example and also I hardcoded some parts which you need to write a provider to fetch from DB.
这篇关于根据用户权限定制的认证和授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
