Using Claim-Based Authorization

Question


The new ASP.NET 4.5 code has "re-parented" the ASP.NET RoleProvider to a ClaimsProvider.

What I'm trying to figure out, is what would a "claims based" example of authorization look like (preferably in MVC4)? How does my Authorize attribute interact, or not, with this capability? The WebSecurity and Roles API haven't changed; there is no "DoesUserHaveClaim()" signature. Similarly, it is not clear how the Authorize attribute interacts with claims.

Was this "claims authorization" feature intended primarily for OAuth? If so, how are claims forwarded to my application? A cookie? Or was this claims-provider functionality intended for a broader use?

In short, what is the story for using a ClaimsPrincipal?

The closest thing I've seen to something that kinda makes sense, is this discussion. But I suspect that is dated - it should be compared to what the MVC4 internet project template produces. And even then, it still did not suggest how to use the Authorize attribute with the setup.

UPDATE

I've found the answers to my questions from these sources:

  1. The remarks section of ClaimsPrincipal explains that WebSecurity, Roles, and AuthorizeAttribute APIs do in fact boil down to claims checks as necessary.
  2. A claims-based MVC4 example is here (along with others).
  3. The basic SAML story is shown here.

Solution

Claims-based security helps decouple your security model from your application domain. A claim can be anything you want to attach to the identity of the user, such as an email, phone number, or flag indicating whether the user is a super user. This gives you the ultimate flexibility on how you want to set up your authorization process. Historically in an ASP.NET application you have to determine what roles you want to allow and apply them when programming your application. Then you check if the user is in the role to authorize them. This mingles your security model with your application. In a claims-based model you have much more flexibility and it is more typical to set up an authorization scheme that takes a resource (ex: Orders in an order management system) and an operation (ex: read, write, execute) as input parameters to your authorization process, effectively decoupling security from your application. See ClaimsPrincipalPermissionAttribute for an example of this technique.

Claims-based security is required with OAuth but it works well with other authorization schemes as well. The custom claims you use in your application are accessible from ClaimsPrincipal.Current. There are techniques to store this information in cookies as well, although the ASP.NET security pipeline does not do this by default.

The discussion you reference is for Windows Identity Foundation (WIF) which is now part of .NET in 4.5 and is why claims-based identity is a first class citizen. All of the Principal types inherit from ClaimsPrincipal. For a good overview of claims-based security look at this free ebook "A Guide to Claims-Based Identity and Access Control (2nd Edition)". A real expert in this area is Dominick Baier and his blog is chock-full of useful information on this topic. He also has a great online training course on Pluralsight called "Identity & Access Control in ASP.NET 4.5".
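The resource/operation scheme the answer describes, as an added example that is not part of the original answer: a custom ClaimsAuthorizationManager (the .NET 4.5 System.Security.Claims extension point behind ClaimsPrincipalPermission and ClaimsPrincipalPermissionAttribute) that decides access from the claims on ClaimsPrincipal.Current. The class name OrderAuthorizationManager, the permission claim type URI and the sample "order clerk" identity are constructed for this example; the clerk holds an Orders:read permission but no Orders:write one, so the two checks at the end exercise both the grant and the deny path.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading;

// Hypothetical manager name, chosen for this example. The base class's CheckAccess
// returns true for everything, so an app is only protected once a manager like this
// is registered in web.config under
// <system.identityModel><identityConfiguration><claimsAuthorizationManager type="..."/>.
public class OrderAuthorizationManager : ClaimsAuthorizationManager
{
    // Constructed custom claim type carrying "Resource:operation" permissions, e.g. "Orders:read".
    public const string PermissionClaim = "http://example.com/claims/permission";

    // Invoked by ClaimsPrincipalPermission.CheckAccess(...) and by
    // [ClaimsPrincipalPermission(SecurityAction.Demand, Resource = "Orders", Operation = "read")]
    // once the manager is registered; here it is also called directly.
    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = context.Resource.First().Value;   // e.g. "Orders"
        string action = context.Action.First().Value;       // e.g. "read"
        string required = resource + ":" + action;

        // Super users get everything; everyone else needs an explicit permission claim.
        // Note: no role names or URL paths are hard-coded into the application code.
        return context.Principal.HasClaim(ClaimTypes.Role, "SuperUser")
            || context.Principal.HasClaim(PermissionClaim, required);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample identity: an order clerk who may read but not write orders.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Email, "clerk@example.com"),
            new Claim(OrderAuthorizationManager.PermissionClaim, "Orders:read")
        }, "Constructed");

        // ClaimsPrincipal.Current falls back to Thread.CurrentPrincipal outside ASP.NET;
        // inside ASP.NET the pipeline sets HttpContext.User for you.
        Thread.CurrentPrincipal = new ClaimsPrincipal(identity);

        var manager = new OrderAuthorizationManager();
        Func<string, string, bool> allowed = (resource, action) =>
            manager.CheckAccess(new AuthorizationContext(ClaimsPrincipal.Current, resource, action));

        Console.WriteLine("Orders:read  -> " + allowed("Orders", "read"));
        Console.WriteLine("Orders:write -> " + allowed("Orders", "write"));
    }
}
```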
