创建基于_simple_细粒度用户的安全系统 [英] creating a _simple_ fine grained user based security system

问题描述

（我希望有人检查我的想法是完全愚蠢还是确定？）


我有一个中期需要细粒度用户的酒店的复杂应用程序

安全系统。换句话说，管理员应该能够拒绝/授予

对用户的特定访问权限，例如能够进行预订或

打印报告的能力。


现在，我在想业务对象可以采取类似的方式：


enum UserPrivileges {各种权限.......};


IPrivilegedUser

{

public UserPrivileges Privileges

{

get;

}

}


用户类继承自此接口，业务对象

可以将此用户带入函数并按照

所需权限返回true / false，或者抛出异常：


用户user1 = new User（） ; //类用户继承自IPrivilegedUser

并从DB加载权限

Reservations.LoadPrivileges（user1）; //检查返回值.. ??

Reservations.EditReservation（）//如果

特权不够，调用它会失败！？


这是否足够好设计，它会在某个地方分崩离析还是

还有更好的方法吗？


像.NET中的CAS这样的声明性安全性会因为它的成功而过度杀伤

不是一个非常大的应用程序，但我确实需要设计足够灵活

这样如果应用确实变大了我就不会乱七八糟。


谢谢


Gideon

(I want someone to check if my idea is utterly stupid or ok??)

I have a mid complex app for a hotel that needs a fine grained user
security system. In other words an admin should be able to deny/grant
specific access to users like Ability to make a Reservation or the
ability to print reports.

Now, I''m thinking the business objects could take something like:

enum UserPrivileges { various privileges....... };

IPrivilegedUser
{
public UserPrivileges Privileges
{
get;
}
}

The user class inherits from this interface, the business objects
could take this user in a function and return true/false as per the
needed privileges, or maybe throw an exception:

User user1 = new User(); //class User inherits from IPrivilegedUser
and loads the right privileges from the DB
Reservations.LoadPrivileges(user1);//check the returned value..??
Reservations.EditReservation() // calling this should fail if the
privileges are not enough!?

Is this a good enough design, will it break apart somewhere or is
there a better way to do this?

Declarative security like CAS in .NET would be an overkill since its
not a very large app, but I do need the design to be flexible enough
so that if the app does grow big I''m not in a mess.

Thanks

Gideon

推荐答案

嗨Peter，


非常感谢您的回复。

hi Peter,

Thanks so much for your reply.

IUserPermissionService

{

* * bool CanCreateReservations（用户用户）;

* * bool CanEditReservation（用户）用户，预订）;

* *等


}

IUserPermissionService
{
* * bool CanCreateReservations(User user);
* * bool CanEditReservation(User user, Reservation reservation);
* * etc

}

这很好，我还有一些简单的问题，我应该使用ServiceProvider单例吗？所以它随处可用？


另外，我将在UI的演示中测试用户权限

类，所以有一个很好的方法来禁用/当新用户登录时启用菜单，基于

的按钮？


我在考虑MainWorkspace（表单）和子视图（usercontrols）

和菜单响应UserChanged事件，然后调用服务

检查是否有正确的权限。但是UserChanged活动应该从哪里来？
来自哪里？


非常感谢


Gideon

This is nice, I''ve still got just few simple question, should I make
the ServiceProvider singleton? So its available everywhere?

Also, I will be testing for user rights in the UI''s presentation
classes so is there a nice way to Disable/Enable menus, buttons based
on when a new User signs in?

I was thinking the MainWorkspace(Form) and the subview(usercontrols)
and menus respond to a UserChanged event and then call the service to
check for the right privileges. But where should the UserChanged event
come from in the first place?

Thanks so much

Gideon

说实话，我仍然想要使用IPrincipal。使用现有API，您可以获得所需的一切。你总是可以添加一个静态的

类来提供简化的访问，即


public static bool CanCreateReservation（）{

返回HasAccess （某些常数）

}

私有静态bool HasAccess（字符串角色）{

//获取主体并调用IsInRole ...

}


如果你不想创建自己的校长，你可以非常简单地使用

GenericPrincipal / GenericUser。 br />

Marc

To be honest, I''d still be tempted to use an IPrincipal. This does
everything you want with existing APIs. You could always add a static
class to provide simplified access, i.e.

public static bool CanCreateReservation() {
return HasAccess(some constant)
}
private static bool HasAccess(string role) {
// get principal and call IsInRole...
}

If you don''t want to create your own principal, you can use
GenericPrincipal / GenericUser very simply.

Marc

>>

这很好，我还有几个简单的问题，我应该使用ServiceProvider单例制作

吗？所以它随处可用？

<<


只要您确保服务中的线程安全，您就可以这样做。

>>
This is nice, I''ve still got just few simple question, should I make
the ServiceProvider singleton? So its available everywhere?
<<

You could do, yes, as long as you ensure thread safety in your services.

>>

>>

另外，我将在UI的演示文稿中测试用户权限

类，所以有一个不错的当新用户登录时，禁用/启用菜单，按钮的方式

？

<<


你在登录后必须执行一些代码，以便根据安全服务的结果启用或禁用它们

。

Also, I will be testing for user rights in the UI''s presentation
classes so is there a nice way to Disable/Enable menus, buttons based
on when a new User signs in?
<<

You''d have to execute some code after login to enable or disable them based
on results from the security service.

>>

>>

我在考虑MainWorkspace（Form）和子视图（usercontrols）

和菜单响应UserChanged事件和然后拨打服务

检查是否有正确的权限。但是UserChanged事件应该从哪里开始？
来自哪里？

<<


您希望用户你的应用程序运行时更改？你能解释一下吗？


Pete

I was thinking the MainWorkspace(Form) and the subview(usercontrols)
and menus respond to a UserChanged event and then call the service to
check for the right privileges. But where should the UserChanged event
come from in the first place?
<<

You expect the user to change whilst your app is running? Can you explain?

Pete

这篇关于创建基于_simple_细粒度用户的安全系统的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！