索赔授权特定资源 [英] Claims authorization for specific resources

问题描述

我写一个例子文件存储系统（例如只是计算器）。

I am writing an example file storage system (example just for stackoverflow).

我现在的域模型看起来像这样的：

My current domain models look as such:

public class User
{
    public int ID { get; set; }
    public string LoginIdentifier { get; set; }
    public string Password { get; set; }
}

public class File
{
    public int ID { get; set; }
    public int UserID { get; set; }
    public string FileName { get; set; }
    public byte[] Data { get; set; }
}

在code我写来创建IPrincipal的：

The code I am writing to create the IPrincipal:

private static IPrincipal CreatePrincipal(User user)
{
    Debug.Assert(user != null);

    var identity = new GenericIdentity(user.LoginIdentifier, "Basic");

    // TODO: add claims
            identity.AddClaim(new Claim("Files", "Add"));

    return new GenericPrincipal(identity, new[] { "User" });
}

在我的系统中，用户可以添加文件，也可以检索，删除和更新它们，但是，告诫这是一个用户只能检索和修改自己的文件（其中文件.UserID 应匹配的身份登录的用户）。

In my system, a user can add files, they can also retrieve, delete, and update them, however, the caveat to that is a user can only retrieve and modify their own files (where File.UserID should match the identity of the logged in user).

我的文件控制器如下所示。

My Files controller looks as follows.

[Authorize]
public class FilesController : ApiController
{
    private readonly FileRepository _fileRepository = new FileRepository();

    public void Post(File file)
    {
        // not sure what to do here (...pseudo code...)
        if (!CheckClaim("Files", "Add"))
        {
            throw new HttpError(HttpStatusCode.Forbidden);
        }

        // ... add the file
        file.UserID = CurrentPrincipal.UserID; // more pseudo code...

        _fileRepository.Add(file);
    }

    public File Get(int id)
    {
        var file = _fileRepository.Get(id);

        // not sure what to do here (...pseudo code...)
        if (!CheckClaim("UserID", file.UserID))
        {
            throw new HttpError(HttpStatusCode.Forbidden);
        }

        return file;
    }
}

也许使用要求 s是不正确的工具来完成工作，但希望这能说明问题。

Maybe using Claims isn't the right tool for the job, but hopefully this illustrates the problem.

我应该如何丝打我的控制器，以确保当前登录的用户可以访问做具体的行动和更具体的，特定的资源？

How should I wire up my controllers to ensure the currently logged in user has access to do specific actions and more specifically, certain resources?

推荐答案

我不知道，如果索赔是正确的方法为你在做什么。你真的想重新present有什么权限。一位自称通常重新present身份属性，如用户的姓名，电子邮件或角色是属于，但不是权限。你可以重新present权限与要求，而是取决于有多大你的应用程序可能需要吨吧。一个典型的方法是映射一个角色一组权限（在你的情况，添加文件将是一个许可）。您还可以创建自定义过滤器的授权从AuthorizeAttribute派生来检查当前主体拥有正确的权限来执行该操作。该过滤器可能会收到要执行的动作作为参数所需的权限。

I am not sure if claims are the right approach for what you are doing. What you really want to represent are permissions. A claim typically represent an identity attribute such as user name, email or roles it belong to, but not permissions. You could represent permissions with claims, but you might need tons of it depending on how big your application is. A typical approach is to map a role to a set of permissions (in your case, add files would be a permission). You can also create a custom Authorization filter deriving from the AuthorizeAttribute to check if the current principal has the right permissions to execute the action. That filter might receive the permissions required to execute the action as arguments.

这篇关于索赔授权特定资源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！