Roles vs Claims Authorization Asp.net web api-2 with WIF and OWIN Middleware


Problem description


I am trying to secure asp.net web-api 2.0 with Windows Identity Foundation 2. I have to make a choice between role-based authorization and claims-based authorization. As a practice, I added a user in DbInitializer and assigned him two roles (Admin and Manager). When I log in with that user, I see in debug mode that the ClaimsPrincipal already has those roles (Admin and Manager) associated as claims. So here are the questions:

1 - If roles are also treated as claims, what is the difference between roles and claims then?

2 - If I keep away from roles, how can I use claims to protect web api controllers and associated action methods? Like, I have an orders controller containing CRUD methods. I want one user (say a manager) to have access to the Create and Get methods and the second user (an admin) to have access to all those methods. How would I do that? With a role-based system, I would simply decorate the action methods with the appropriate Authorize(Role = "Admin") attribute. How would I manage the claims themselves? Do I need to add them in the database and grant/revoke those claims to different users through my application?

Regards

Solution

In principle there is no massive difference between a Role and a Claim. I've been all hooked up on Claims-based authorisation, done a lot of research and a few test projects. And at the end of the day it's all down to you to decide which one to use.

As you said, roles are added as a type of claim. So in delivery terms it makes no difference. But MVC/WebApi already have built-in infrastructure to handle roles and deny if the user does not have the required role. So you won't have to do much yourself.
But you'll have to come up with a bunch of attributes on controllers/actions and make sure all of them exist in the DB, so users can be assigned to them.

However, I found that you can have too many roles and they become too much of a burden to maintain. Also you can't have too many roles assigned to your user - their authentication cookie will become massive and eventually they will be unable to log in due to cookie size limitations in browsers (4K per cookie, 16K for all HTTP headers).

With claims you can be more flexible. You can have many different types of claims (we have a bit less than one per controller) and a few claim values (Read, Create, Edit, Delete). With a decent-sized application (we have above 100) you'll have to have a LOT of roles (4 per controller) to model this level of permission control. With claims we have an enum for claim types (Person, Product, Order) and an enum for claim values (Create, Read, Edit, Delete). And in the cookie you can set integers as a claim type and claim value - that saves a lot of space in the authentication cookie.

But with claims you'll have to code the authentication mechanisms yourself.

I've been playing with this concept here and this is an authentication filter for MVC (https://github.com/trailmax/ClaimsAuthorisation/blob/master/ClaimsAuth/Infrastructure/Identity/ClaimsAuthorisationFilter.cs), but a WebApi filter will look very similar. Now the results of this prototype are in production and working very well.

Overall, the answer to your question is "it depends". Mostly on how granular the authentication has to be and how big the application is.
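The following is an added illustration of the scheme the answer describes (one claim type per resource, one claim value per operation, both stored as small integers), written as a Web API 2 authorization filter. It is not the answerer's MVC filter from the linked repository, nor code from the question; the `Resource`/`Operation` enums, the `PermissionClaims` helper, the `ClaimsAuthorizeAttribute` name and the `BuildIdentity` sign-in helper are all assumed names chosen for this example. It uses only the standard `System.Security.Claims` and `System.Web.Http` APIs.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical enums (not from the page): one claim type per resource,
// one claim value per operation. Integers keep the auth cookie small.
public enum Resource { Person = 1, Product = 2, Order = 3 }
public enum Operation { Create = 1, Read = 2, Edit = 3, Delete = 4 }

public static class PermissionClaims
{
    // A compact claim: type "3", value "1" means Order/Create.
    public static Claim Create(Resource resource, Operation operation)
    {
        return new Claim(((int)resource).ToString(), ((int)operation).ToString());
    }

    // True only for an authenticated principal that carries exactly this permission.
    public static bool Has(ClaimsPrincipal principal, Resource resource, Operation operation)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;
        return principal.HasClaim(((int)resource).ToString(), ((int)operation).ToString());
    }
}

// Web API 2 filter, used as [ClaimsAuthorize(Resource.Order, Operation.Create)].
// Assumed name; behaves like the built-in Authorize attribute but checks a
// (resource, operation) claim instead of a role name.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class ClaimsAuthorizeAttribute : AuthorizationFilterAttribute
{
    private readonly Resource _resource;
    private readonly Operation _operation;

    public ClaimsAuthorizeAttribute(Resource resource, Operation operation)
    {
        _resource = resource;
        _operation = operation;
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;

        // Not signed in at all: 401 so the client knows to authenticate.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Signed in but lacking the permission: 403, and the action never runs.
        if (!PermissionClaims.Has(principal, _resource, _operation))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

// Sign-in side (e.g. where the OWIN cookie middleware identity is built):
// a manager gets Order/Create and Order/Read, an admin gets every operation.
public static class SignIn
{
    public static ClaimsIdentity BuildIdentity(string userName, bool isAdmin)
    {
        var identity = new ClaimsIdentity("ApplicationCookie");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(PermissionClaims.Create(Resource.Order, Operation.Create));
        identity.AddClaim(PermissionClaims.Create(Resource.Order, Operation.Read));
        if (isAdmin)
        {
            identity.AddClaim(PermissionClaims.Create(Resource.Order, Operation.Edit));
            identity.AddClaim(PermissionClaims.Create(Resource.Order, Operation.Delete));
        }
        return identity;
    }
}

// The orders controller from the question, secured per action.
public class OrdersController : ApiController
{
    [ClaimsAuthorize(Resource.Order, Operation.Read)]
    public IHttpActionResult Get(int id) { return Ok(new { id }); }

    [ClaimsAuthorize(Resource.Order, Operation.Create)]
    public IHttpActionResult Post([FromBody] string order) { return Created("orders/1", order); }

    [ClaimsAuthorize(Resource.Order, Operation.Delete)]
    public IHttpActionResult Delete(int id) { return Ok(); }
}
```

With this layout the permission check lives in one filter and the permissions themselves are issued once at sign-in, so granting or revoking a user's access is a change to the claims you emit (from whatever store you keep them in), not a change to controller attributes. Separating 401 (no identity) from 403 (identity without the claim) also keeps the failure mode visible in request logs.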
