fine-grained permissions; PrincipalPermission - roles separate from permissions


Question

I've been using PrincipalPermission for a while in WCF services:
[PrincipalPermission(SecurityAction.Demand, Role = SecurityRoles.CanManageUsers)]

Our roles are prefixed with Can*, and that is how we achieve fine-grained action control with the built-in ASP.NET membership system.

This makes it hard to know, as a business unit, what fine-grained roles we can give to a user.

Here is my new approach; I wanted to see if anyone can provide feedback or a code review before I implement my suggestion.

1) aspnet_roles - business unit role

2) Extend the ASP.NET membership system by creating a Permission table, a Role_Permission table and a User_Permission table (many-to-many)

3) Create a custom CodeAccessSecurityAttribute that looks at the new tables:
[CustomPermissionCheck(Security.Demand, HasPermission="can*")]
In the first iteration I'll statically new up the dependent repository. Ideally I would like an AOP-style attribute that has the repository injected: IPermissionRepository.HasPermission(...);

If I approach it the new AOP way I probably will stop inheriting from CodeAccessSecurityAttribute -- what do the security guys have to say about this?

Has anyone else solved this? Is there something in the framework that I've missed?

Recommended answer

I implemented the first iteration and it is working nicely.
[PermissionValidate(SecurityAction.Demand, HasPermission = CensusSchedulerRoles.CanUpdateCensusScheduler)]

// Demand() of the custom permission created by the PermissionValidate attribute.
// _permissionRequested holds the permission name passed in through HasPermission.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security;
using System.Threading;

public void Demand()
{
    var principal = Thread.CurrentPrincipal;
    if (principal == null)
    {
        throw new SecurityException("Unable to get IPrincipal.");
    }
    if (principal.Identity.IsAuthenticated == false)
    {
        throw new SecurityException("You must be authenticated.");
    }
    #warning this should be moved to an aop attribute that is injected by a ioc container.
    using (var connection = new SqlConnection(ConfigurationManager.ConnectionStrings["......."].ConnectionString))
    {
        connection.Open();
        // Effective permissions = grants made directly to the user UNION grants inherited
        // through the user's roles; the demand succeeds if at least one row matches.
        using (var command = new SqlCommand(
        @"
            SELECT COUNT(t.name) FROM
            (
                SELECT p.name, u.UserName FROM 
                    aspnet_Users as u
                    INNER JOIN [User_Permission] as up
                        ON up.user_id = u.UserId
                    INNER JOIN Permission as p
                        ON p.id = up.permission_id
                UNION
                SELECT p2.name, u2.UserName FROM 
                    aspnet_Users as u2
                    INNER JOIN aspnet_UsersInRoles as uir
                        ON uir.UserId = u2.UserId
                    INNER JOIN aspnet_Roles as r
                        ON r.RoleId = uir.RoleId
                    INNER JOIN Role_Permission as rp
                        ON rp.role_id = r.RoleId
                    INNER JOIN Permission as p2
                        ON p2.id = rp.permission_id
            ) as t
            WHERE t.UserName = @username AND t.name = @haspermission
        ", connection))
        {
            // Parameterised, so the user name and permission name never reach the SQL text.
            command.Parameters.Add("@username", SqlDbType.VarChar).Value = principal.Identity.Name;
            command.Parameters.Add("@haspermission", SqlDbType.VarChar).Value = _permissionRequested;

            if (Convert.ToInt32(command.ExecuteScalar()) <= 0)
            {
                throw new SecurityException(String.Format("User '{0}' is not assigned permission '{1}'.", principal.Identity.Name, _permissionRequested));
            }
        }
    }
}
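An added, runnable model of the scheme in the question and the check in the answer (this is not the asker's or the answerer's code): it creates the Permission, Role_Permission and User_Permission tables next to the aspnet_* tables in an in-memory SQLite database, seeds constructed rows, and runs the answer's UNION query both as the COUNT check behind Demand() and as a listing of one user's effective permissions, which is the business-unit question the post raises. The user and role names, the seed rows and the Python Principal stand-in are assumptions for the demo; the SQL keeps the answer's table and column names, with sqlite's :name parameter syntax in place of SQL Server's @name.

```python
"""Constructed demo of role-separated permissions: direct user grants plus grants
inherited through roles, resolved with the answer's UNION query."""
import sqlite3
from dataclasses import dataclass

# Minimal versions of the membership tables the answer's query joins against,
# plus the three tables the question proposes (column names as on the page).
SCHEMA = """
CREATE TABLE aspnet_Users        (UserId INTEGER PRIMARY KEY, UserName TEXT UNIQUE NOT NULL);
CREATE TABLE aspnet_Roles        (RoleId INTEGER PRIMARY KEY, RoleName TEXT UNIQUE NOT NULL);
CREATE TABLE aspnet_UsersInRoles (UserId INTEGER NOT NULL, RoleId INTEGER NOT NULL,
                                  PRIMARY KEY (UserId, RoleId));
CREATE TABLE Permission          (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE Role_Permission     (role_id INTEGER NOT NULL, permission_id INTEGER NOT NULL,
                                  PRIMARY KEY (role_id, permission_id));
CREATE TABLE User_Permission     (user_id INTEGER NOT NULL, permission_id INTEGER NOT NULL,
                                  PRIMARY KEY (user_id, permission_id));
"""

# The inner UNION from the answer: direct grants, then grants reached via a role.
EFFECTIVE_GRANTS = """
    SELECT p.name, u.UserName FROM
        aspnet_Users AS u
        INNER JOIN [User_Permission] AS up ON up.user_id = u.UserId
        INNER JOIN Permission AS p ON p.id = up.permission_id
    UNION
    SELECT p2.name, u2.UserName FROM
        aspnet_Users AS u2
        INNER JOIN aspnet_UsersInRoles AS uir ON uir.UserId = u2.UserId
        INNER JOIN aspnet_Roles AS r ON r.RoleId = uir.RoleId
        INNER JOIN Role_Permission AS rp ON rp.role_id = r.RoleId
        INNER JOIN Permission AS p2 ON p2.id = rp.permission_id
"""


def build_demo_db() -> sqlite3.Connection:
    """Create the tables in memory and load constructed sample rows (assumed names)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO aspnet_Users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.execute("INSERT INTO aspnet_Roles VALUES (1, 'CensusSchedulers')")  # business-unit role
    conn.executemany("INSERT INTO Permission VALUES (?, ?)",
                     [(1, "CanUpdateCensusScheduler"), (2, "CanManageUsers")])
    conn.execute("INSERT INTO aspnet_UsersInRoles VALUES (1, 1)")  # alice is in CensusSchedulers
    conn.execute("INSERT INTO Role_Permission VALUES (1, 1)")      # that role carries CanUpdateCensusScheduler
    conn.execute("INSERT INTO User_Permission VALUES (2, 2)")      # bob holds CanManageUsers directly
    conn.commit()
    return conn


def has_permission(conn: sqlite3.Connection, username: str, permission: str) -> bool:
    """The answer's COUNT check: true if the user holds the permission directly or via a role."""
    row = conn.execute(
        f"SELECT COUNT(t.name) FROM ({EFFECTIVE_GRANTS}) AS t "
        "WHERE t.UserName = :username AND t.name = :haspermission",
        {"username": username, "haspermission": permission},
    ).fetchone()
    return row[0] > 0


def effective_permissions(conn: sqlite3.Connection, username: str) -> list:
    """What a business unit can review: every permission the user ends up with, sorted."""
    rows = conn.execute(
        f"SELECT DISTINCT t.name FROM ({EFFECTIVE_GRANTS}) AS t "
        "WHERE t.UserName = :username ORDER BY t.name",
        {"username": username},
    ).fetchall()
    return [r[0] for r in rows]


@dataclass(frozen=True)
class Principal:
    """Stand-in for IPrincipal.Identity: a name and whether it is authenticated."""
    name: str
    is_authenticated: bool


def demand(conn: sqlite3.Connection, principal, permission: str) -> None:
    """Mirror of Demand(): fail closed without a principal or authentication, then query."""
    if principal is None:
        raise PermissionError("Unable to get IPrincipal.")
    if not principal.is_authenticated:
        raise PermissionError("You must be authenticated.")
    if not has_permission(conn, principal.name, permission):
        raise PermissionError(f"User '{principal.name}' is not assigned permission '{permission}'.")


if __name__ == "__main__":
    db = build_demo_db()
    for user in ("alice", "bob", "carol"):
        print(user, effective_permissions(db, user))
    demand(db, Principal("alice", True), "CanUpdateCensusScheduler")
    try:
        demand(db, Principal("carol", True), "CanUpdateCensusScheduler")
    except PermissionError as err:
        print("denied:", err)
```

demand() keeps the answer's order of checks: missing principal, then unauthenticated, then the table lookup. Note that a misspelled permission name matches no Permission row and is simply denied, so naming permissions through constants, as the answer does with CensusSchedulerRoles.CanUpdateCensusScheduler, keeps a typo from silently locking a user out; effective_permissions() is the listing the asker wanted a business unit to be able to read off per user.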

