How to implement the same claim for different departments


Problem description

I am building a webapp that uses Windows authentication and supplements it with roles and claims from a local DB. I am planning to use a JWT to store this information once the user is authenticated.

Our organization has different departments and I am wondering how I could go about implementing roles/claims in this case.

For example:

Bob is an admin for both department A and B.

In Bob's principal, how could I add claims that reflect this, i.e.:

bob.claims = new claim[] {
    new claim() { department = "A", role = Roles.Admin },
    new claim() { department = "B", role = Roles.Admin }
}

Then I could do something like:

[Authorize(IsInDepartmentRole(Department: "A", Role: Roles.Admin))]

Keep in mind this is all pseudo-code.

I realize storing this info in a JWT might not work out, so I am willing to move to an in-memory cache (or similar).

How can I do this?

Recommended answer

You can add this information as claims, but since a claim consists of a type-value pair, the approach in the pseudo-code will not work.

There are some options, but I would suggest the following:

// Claim.Type and Claim.Value are read-only, so the pair is passed to the constructor
new Claim("DepartmentRole", "A;Admin")

In any case, keep the type a constant. The value can be split into A and Admin, corresponding to department and role. You can add multiple claims of the same type.

Now you can define a policy:

services.AddAuthorization(options =>
{
    // the policy succeeds when the principal carries a "DepartmentRole" claim with value "A;Admin"
    options.AddPolicy("AdminOfDeptA", policy =>
                                      policy.RequireClaim("DepartmentRole", "A;Admin"));
});

The authorize attribute only allows strings as parameter, so again your pseudo-code won't work. But you can now use this, where AdminOfDeptA is the configured policy:

[Authorize("AdminOfDeptA")]

If you don't want to define all combinations, you may want to take a look at resource-based authorization.
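The following is an added example that is not part of the original answer. It puts the answer's "DepartmentRole" claim with a "Department;Role" value into working ASP.NET Core code: a helper that creates and parses such claims (rejecting malformed values instead of granting access), the RequireClaim policy exactly as the answer shows it, and, going one step further than the answer, a parameterised IAuthorizationRequirement and handler so that a policy per department does not need a hand-written claim string for each combination. The names DepartmentClaims, DepartmentRoleRequirement, DepartmentRoleHandler, AuthorizationSetup and BuildBob are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Constant claim type, as the answer recommends; the value carries "Department;Role".
// (Class name is an assumption for this example.)
public static class DepartmentClaims
{
    public const string Type = "DepartmentRole";

    public static Claim Create(string department, string role) =>
        new Claim(Type, $"{department};{role}");

    // Split "A;Admin" back into its parts. Returns false for a claim of another type
    // or a malformed value, so an unexpected claim is ignored rather than honoured.
    public static bool TryParse(Claim claim, out string department, out string role)
    {
        department = role = string.Empty;
        if (claim.Type != Type) return false;
        var parts = claim.Value.Split(';');
        if (parts.Length != 2 || parts.Any(string.IsNullOrWhiteSpace)) return false;
        department = parts[0];
        role = parts[1];
        return true;
    }

    // True when any DepartmentRole claim on the principal matches department and role.
    public static bool HasRoleInDepartment(ClaimsPrincipal user, string department, string role) =>
        user.Claims.Any(c => TryParse(c, out var d, out var r)
                             && d.Equals(department, StringComparison.OrdinalIgnoreCase)
                             && r.Equals(role, StringComparison.OrdinalIgnoreCase));

    // Bob from the question: admin of both department A and B (constructed sample principal).
    public static ClaimsPrincipal BuildBob() =>
        new ClaimsPrincipal(new ClaimsIdentity(
            new[] { Create("A", "Admin"), Create("B", "Admin") },
            authenticationType: "Windows"));
}

// Requirement carrying the (department, role) pair a policy demands.
public class DepartmentRoleRequirement : IAuthorizationRequirement
{
    public string Department { get; }
    public string Role { get; }

    public DepartmentRoleRequirement(string department, string role)
    {
        Department = department;
        Role = role;
    }
}

// Handler that evaluates the requirement against the current user's parsed claims.
public class DepartmentRoleHandler : AuthorizationHandler<DepartmentRoleRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   DepartmentRoleRequirement requirement)
    {
        if (DepartmentClaims.HasRoleInDepartment(context.User, requirement.Department, requirement.Role))
            context.Succeed(requirement);
        // Not calling Fail() lets other handlers still succeed; default is deny.
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, DepartmentRoleHandler>();
        services.AddAuthorization(options =>
        {
            // The answer's policy: match the raw claim value.
            options.AddPolicy("AdminOfDeptA",
                policy => policy.RequireClaim(DepartmentClaims.Type, "A;Admin"));

            // Same check expressed through the requirement, one policy per department,
            // without spelling out each "Dept;Role" string.
            foreach (var dept in new[] { "B", "C" })
                options.AddPolicy($"AdminOfDept{dept}",
                    policy => policy.AddRequirements(new DepartmentRoleRequirement(dept, "Admin")));
        });
    }
}

// Usage on a controller or action, as in the answer:
// [Authorize("AdminOfDeptA")]   or   [Authorize("AdminOfDeptB")]
```

Register the handler as a singleton only if, as here, it has no per-request dependencies; if it needs a DbContext or similar, register it scoped. When the claims travel in a JWT, each "DepartmentRole" claim becomes one entry of a same-named array in the token, and the JWT bearer handler turns them back into multiple claims of that type, so the parsing above applies unchanged.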
