Role-based access control for a WPF app - best practices


Problem description

I need to implement some kind of RBAC for a WPF app that I'm writing at the moment. Since v2.0 ASP.NET has had the Security, Membership and Role Management infrastructure (as described here for example) and while I could use that it still feels that to use it in this context would be a bit hacky. I'll welcome feedback from anyone who has used it and had success in a similar context.

I've also considered using AD LDS, read the TechNet articles and looked at some of the MSDN code samples but I'm wondering if there's any component (for .NET) out there that removes some of the inherent complexity behind creating the database, setting it up for deployment and the on-going maintenance. Free or commercial is okay in this instance.

Other questions on SO mention Client Application Services but this entails adding IIS into the mix, which, while not beyond the bounds of possibility, was something I didn't envisage at the outset of the project.

What are the best practices in this case? The app is a typical n-tier type affair, which talks to a remote SQL Server database, so the roles could be stored there if needs be.

Recommended answer

You could have a look at the P&P guidance / code for ideas (or you could use their block perhaps). http://msdn.microsoft.com/en-us/library/ff953196(v=pandp.50).aspx

I implemented my own back-end store in SQL Server. It's not that hard, tables like User, UserRole, SecurityItem, SecurityItemUser, SecurityItemRole. I authenticate the user's Windows login against AD, but only store their Windows login name in the database (e.g. the key for the User table).

It is a good idea to abstract things away via interfaces / provider model. That way if your app changes in the future, it won't require much refactoring.

I built a 2 tier app (WPF -> SQLServer) that grew a lot, and management have decided for security they now want a 3 tier app (WCF middle tier). I am working on this now, and it is a real pain because I coupled my authorization code too closely with the client app. It is apparent now that the authorization should be happening in the service tier, but will require a lot of work.

In terms of how to identify a particular 'securable', I came up with a nice trick that saves a lot of work. Although, ironically, this is part of the problem I now have trying to re-engineer it for 3 tiers. The trick is to use the fully qualified name of the class as a unique identifier for a securable, then you can use some simple code each time you check:

_secUtil.PromptSecurityCheck(_secUtil.GetFullyQualifiedObjectName(this, "Save"));

Here is some other code to give you an idea how I did it (using P&P framework).

using System;
using System.Collections.Specialized;
using System.Security.Principal;
using System.Windows;
using Microsoft.Practices.EnterpriseLibrary.Common.Configuration;
using Microsoft.Practices.EnterpriseLibrary.Security;
using Microsoft.Practices.EnterpriseLibrary.Security.Configuration;

// LocalUserManager, LocalCacheManager, Settings and ISecurityUtil are the answer's own helpers (not shown).
public class SecurityUtil : ISecurityUtil
{
    public string DatabaseUserName { get { return LocalUserManager.GetUserName(); } }

    // Runs the authorization check and tells the user when the action is refused.
    public bool PromptSecurityCheck(string securityContext)
    {
        bool ret = IsAuthorized(securityContext);

        if (!ret)
        {
            MessageBox.Show(string.Format("You are not authorised to perform the action '{0}'.", securityContext),
                            Settings.Default.AppTitle, MessageBoxButton.OK, MessageBoxImage.Error);
        }

        return ret;
    }

    public bool IsAuthorized(string securityContext)
    {
        // Resolves the provider registered under this name in the Enterprise Library configuration.
        IAuthorizationProvider ruleProvider = AuthorizationFactory.GetAuthorizationProvider("MyAuthorizationProvider");

        //bool ret = ruleProvider.Authorize(LocalUserManager.GetThreadPrinciple(), securityContext);
        bool ret = ruleProvider.Authorize(LocalUserManager.GetCurrentPrinciple(), securityContext);
        return ret;
    }

    // The type's fully qualified name is the stable part of the securable key.
    public string GetFullyQualifiedName(object element)
    {
        return element.GetType().FullName;
    }

    public string GetFullyQualifiedObjectName(object hostControl, string objectName)
    {
        return GetFullyQualifiedName(hostControl) + "." + objectName;
    }
}

[ConfigurationElementType(typeof(CustomAuthorizationProviderData))]
public class MyAuthorizationProvider : AuthorizationProvider
{
    // The constructor must carry the class name (the original read SitesAuthorizationProvider, which does not compile).
    public MyAuthorizationProvider(NameValueCollection configurationItems)
    {
    }

    public override bool Authorize(IPrincipal principal, string context)
    {
        bool ret = false;

        // Fail closed when there is no principal or it is not authenticated.
        if (principal != null && principal.Identity.IsAuthenticated)
        {
            var items = LocalCacheManager.GetUserSecurityItemsCache(LocalUserManager.UserId, false);

            // check the security item key, otherwise check the screen uri
            ret = items.Exists(si => si.SecurityItemKey.Equals(context, StringComparison.InvariantCultureIgnoreCase));

            if (!ret)
            {
                // check if this item matches a screen uri
                ret = items.Exists(si => si.Uri.Equals(context, StringComparison.InvariantCultureIgnoreCase));
            }
        }

        return ret;
    }
}
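The two points the answer makes, keying securables by fully qualified type name and enforcing the check in the service tier rather than only in the WPF client, as an added example that is not part of the original answer. The provider interface, the in-memory role-to-securable map (standing in for the SecurityItemRole table) and the OrderService type are assumptions made for this illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Assumed interface for this example; it mirrors the provider model the answer recommends.
public interface IAuthorizationProvider
{
    bool Authorize(IPrincipal principal, string securableKey);
}

// Role name -> securable keys granted to that role (constructed data, standing in for SecurityItemRole).
public sealed class InMemoryRoleAuthorizationProvider : IAuthorizationProvider
{
    private readonly Dictionary<string, HashSet<string>> _grants;
    public InMemoryRoleAuthorizationProvider(Dictionary<string, HashSet<string>> grants) { _grants = grants; }

    public bool Authorize(IPrincipal principal, string securableKey)
    {
        if (principal == null || !principal.Identity.IsAuthenticated) return false;   // fail closed
        return _grants.Where(g => principal.IsInRole(g.Key)).Any(g => g.Value.Contains(securableKey));
    }
}

public static class Securable
{
    // Same trick as the answer: type full name + "." + action is a stable, unique key.
    public static string Key(object host, string action) => host.GetType().FullName + "." + action;
}

// A service-tier operation that enforces the check itself instead of trusting the client.
public sealed class OrderService
{
    private readonly IAuthorizationProvider _auth;
    public OrderService(IAuthorizationProvider auth) { _auth = auth; }

    public void Save(IPrincipal caller)
    {
        string key = Securable.Key(this, "Save");                    // "OrderService.Save"
        if (!_auth.Authorize(caller, key))
            throw new UnauthorizedAccessException("Not authorised for " + key);
        // ... persist the order ...
    }
}

public static class Demo
{
    public static void Main()
    {
        var grants = new Dictionary<string, HashSet<string>>
        {
            ["Clerk"] = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "OrderService.Save" },
        };
        var service = new OrderService(new InMemoryRoleAuthorizationProvider(grants));
        service.Save(new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk" }));   // allowed
        try { service.Save(new GenericPrincipal(new GenericIdentity("bob"), new[] { "Viewer" })); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }                // refused
    }
}
```

A client-side PromptSecurityCheck can still call the same provider to hide or disable buttons, but the UnauthorizedAccessException in the service is the actual enforcement.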
