Fine-grained authorization for web applications


Problem description

I have a C# .NET application which serves both the company's internal users and external customers. I need to do fine-grained authorization like who accesses what resource. So I need something like resource-based or attribute-based rather than role-based authorization.

What comes to my mind is to either:


  1. 实现自己的授权机制和SQL表对我的.NET应用程序

  2. 使用/执行标准的机制,这样的实施XACML(例如希尔伯特)软件

The problem with the first method is that it is not centralized nor standard, so other systems cannot use it for authorization.

The problem with the second approach is that it is potentially slower (due to the extra calls needed for each resource). Also, I am not sure how widely a standard authorization like XACML is supported by applications in the market to make future integrations easier.

So, in general, what is the good practice for fine-grained authorization in a web application that is supposed to serve both internal users and external customers?

Recommended answer

I would definitely go for externalized authorization. It doesn't mean it will be slower. It means you have cleanly separated access control from the business logic.

Overview
XACML is a good way to go. The TC is very active and companies such as Boeing, EMC, the Veterans Administration, Oracle, and Axiomatics are all active members.

The XACML architecture guarantees you can get the performance you want. Since the enforcement (PEP) and the decision engine (PDP) are loosely coupled, you can choose how they communicate, what protocol they use, whether to use multiple decisions, etc. This means you have the choice to go for the integration which fits your performance needs.

There is also a standard PDP interface defined in the SAML profile for XACML. That guarantees you 'future-proof' access control where you are not locked into any particular vendor solution.

Access control for webapps
You can simply drop in a PEP for .NET webapps by using HTTP Filters in ISAPI and ASP.NET. Axiomatics has got one off-the-shelf for that.

Current implementations
If you check Axiomatics's customers page, you'll see they have PayPal, Bell Helicopter, and more. So XACML is indeed a reality and it can tackle very large deployments (hundreds of millions of users).

Also, Datev eG, a leading financial services provider, is using Axiomatics's .NET PDP implementation for its services / apps. Since the .NET PDP is embedded in that case, performance is optimal.

Otherwise, you can always choose from off-the-shelf PEPs for .NET that integrate with any PDP - for instance a SOAP-based XACML authorization service.

High levels of performance with XACML
Last July at the Gartner "Catalyst" conference, Axiomatics announced the release of their latest product, the Axiomatics Reverse Query, which helps you tackle the 'billion record challenge'. It targets access control for data sources as well as RIA. It uses a pure XACML solution so that it remains interoperable with other solutions.

As a matter of fact, Kuppinger Cole will host a webinar on the topic very soon: http://www.kuppingercole.com/events/n10058

Check out the Axiomatics ARQ press release too, here: http://www.axiomatics.com/latest-news/216-axiomatics-releases-new-reverse-query-authorization-product-a-breakthrough-innovation-for-authorization-services.html
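The PEP/PDP split the answer describes, shown as an added example that is not part of the original question or answer and not Axiomatics' or any XACML product's code: a small attribute-based decision engine with deny-overrides combining, and a fail-closed enforcement point, evaluating a constructed policy for a system that serves both employees and external customers. The attribute names (type, department, owner, classification) and the rules are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Request:
    """Attributes the PEP gathers about the caller, the target and the action."""
    subject: Attrs
    resource: Attrs
    action: str


@dataclass
class Rule:
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # target + condition as one predicate


class PDP:
    """Policy Decision Point using deny-overrides combining."""
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, req: Request) -> str:
        permitted = False
        for rule in self.rules:
            if rule.condition(req):
                if rule.effect == "Deny":
                    return "Deny"         # any matching Deny wins outright
                permitted = True
        return "Permit" if permitted else "NotApplicable"


class PEP:
    """Policy Enforcement Point: only an explicit Permit lets the call through."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp

    def is_allowed(self, req: Request) -> bool:
        return self.pdp.decide(req) == "Permit"   # Deny / NotApplicable both refuse


# Constructed policy (assumed attributes): employees read documents in their own
# department, customers read documents they own, customers never see "restricted".
POLICY = [
    Rule("Permit", lambda r: r.subject["type"] == "employee" and r.action == "read"
         and r.resource["department"] == r.subject.get("department")),
    Rule("Permit", lambda r: r.subject["type"] == "customer" and r.action == "read"
         and r.resource["owner"] == r.subject["id"]),
    Rule("Deny", lambda r: r.subject["type"] == "customer"
         and r.resource.get("classification") == "restricted"),
]
pep = PEP(PDP(POLICY))


def check(subject: Attrs, resource: Attrs, action: str) -> str:
    """Return the PDP decision for the given attribute sets."""
    return pep.pdp.decide(Request(subject, resource, action))
```

Because the PEP only depends on `decide()`, the same enforcement code works whether the PDP is embedded in-process, as in the Datev case above, or reached over a remote authorization service.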
