How to implement the same claim for different departments
Question
I am building a web app that uses Windows authentication and supplements it with roles and claims from a local DB. I am planning to use a JWT to store this information once the user is authenticated.
Our organization has different departments and I am wondering how I could go about implementing roles/claims in this case.
For example:
Bob is an admin for both department A and B.
In Bob's principal, how could I add claims that reflect this? I.e.
bob.claims = new claim[] {
new claim() { department = "A", role = Roles.Admin },
new claim() { department = "B", role = Roles.Admin }
}
Then I could do something like:
[Authorize(IsInDepartmentRole(Department: "A", Role: Roles.Admin))]
Keep in mind this is all pseudo-code.
I realize storing this info in a JWT might not work out, so I am willing to move to an in-memory cache (or similar).
How could I go about doing this?
Answer
You can add this information as claims, but since a claim consists of a type-value pair, the approach in the pseudo-code will not work.
There are some options, but I would suggest the following:
new Claim("DepartmentRole", "A;Admin")
In any case, keep the type a constant. The value can be split into A and Admin, corresponding to department and role. You can add multiple claims of the same type.
Now you can define a policy:
services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOfDeptA", policy =>
        policy.RequireClaim("DepartmentRole", "A;Admin"));
});
The Authorize attribute only allows strings as parameter, so again your pseudo-code won't work. But you can now use this, where AdminOfDeptA is the configured policy:
[Authorize("AdminOfDeptA")]
If you don't want to define all combinations, you may want to take a look at resource-based authorization.
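The following is an added example, not code from the question or the answer above, showing the resource-based variant the answer points to: the department is the resource, the role is carried by a requirement, and a single handler checks the "DepartmentRole" claims so no per-department policy has to be registered. The names DepartmentClaims, Department, DepartmentRoleRequirement, DepartmentRoleHandler and DepartmentController are assumptions chosen for this illustration; the ASP.NET Core types (AuthorizationHandler, IAuthorizationService, ClaimsPrincipal) are real.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Claim type is a constant, as the answer advises; the value is "<department>;<role>".
public static class DepartmentClaims
{
    public const string Type = "DepartmentRole";
    public const char Separator = ';';

    // Emit one claim per (department, role) pair when the principal / JWT is built.
    public static Claim Create(string department, string role) =>
        new Claim(Type, $"{department}{Separator}{role}");

    // Strict match: exactly two parts, compared ordinally, so a claim such as
    // "AB;Admin" never satisfies a check for department "A".
    public static bool HasDepartmentRole(ClaimsPrincipal user, string department, string role) =>
        user.FindAll(Type).Any(c =>
        {
            var parts = c.Value.Split(Separator);
            return parts.Length == 2
                && string.Equals(parts[0], department, StringComparison.Ordinal)
                && string.Equals(parts[1], role, StringComparison.Ordinal);
        });
}

// The protected resource (hypothetical type for this example).
public sealed class Department
{
    public Department(string id) => Id = id;
    public string Id { get; }
}

// The requirement carries only the role; the department comes from the resource.
public sealed class DepartmentRoleRequirement : IAuthorizationRequirement
{
    public DepartmentRoleRequirement(string role) => Role = role;
    public string Role { get; }
}

public sealed class DepartmentRoleHandler
    : AuthorizationHandler<DepartmentRoleRequirement, Department>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        DepartmentRoleRequirement requirement,
        Department resource)
    {
        if (DepartmentClaims.HasDepartmentRole(context.User, resource.Id, requirement.Role))
            context.Succeed(requirement);
        // No Fail() call: an unmet requirement is denied by default, and other
        // handlers for the same requirement may still succeed.
        return Task.CompletedTask;
    }
}

// Registration (Startup.ConfigureServices or Program.cs):
//   services.AddAuthorization();
//   services.AddSingleton<IAuthorizationHandler, DepartmentRoleHandler>();

// The department is taken from the route and authorized per request,
// so "A", "B", ... need no individual policies.
public class DepartmentController : Controller
{
    private readonly IAuthorizationService _authz;
    public DepartmentController(IAuthorizationService authz) => _authz = authz;

    [HttpGet("departments/{id}/settings")]
    public async Task<IActionResult> Settings(string id)
    {
        var result = await _authz.AuthorizeAsync(
            User, new Department(id), new DepartmentRoleRequirement("Admin"));
        if (!result.Succeeded)
            return User.Identity?.IsAuthenticated == true ? Forbid() : Challenge();
        return Ok($"Admin settings for department {id}");
    }
}
```

On the JWT concern in the question: claims inside a signed token cannot be altered by the client without invalidating the signature, so carrying "DepartmentRole" claims there is sound. The practical limitation is staleness: a role removed in the DB stays effective until the token expires or is reissued, so keep token lifetimes short or re-check the DB for sensitive actions.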