我如何在ASP.NET中实现基于权限的授权？ [英] How can I implement permission-based authorization in ASP.NET?

问题描述

我工作的一个ASP.NET应用程序（不使用MVC），并需要用户角色的权限基于授权scheeme，其中页面和/或方法可以要求他们需要（在特定的权限，而不是哪个角色的用户具有）。有没有一种方法来扩展表单验证（或建筑物的东西）来解决这个？

I'm working an a ASP.NET application (not using MVC) and need a User-Role-Permission based authorization scheeme, where pages and/or methods can demand the specific permission they require (instead of which role the user has). Is there a way to extend Forms Authentication (or building something) to solve this?

如果可能，我希望能够使用属性：

If possible I would like to be able to use attributes:

[RequirePermission("UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}

也许甚至是方法：

Perhaps even for methods:

public class MyClass
{
    ...
    [RequirePermission("UserEdit")]
    public void Save()
    {
        ...
    }
}

这可能吗？

我发现此页面，使用角色的权限提示：

I found this page, that suggested using Roles for permissions:

[Authorize(Roles = "UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}

我不的非常的喜欢这个解决方案，但也将是解决事情的可能方式，但什么，我需要做的就是它的工作？

I am not very fond of this solution, but that would also be a possible way to solve things, but what do I need to do to get it working?

推荐答案

微软的授权模型吸...和它的广泛承认
<一href=\"http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/\">http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/).

Microsoft's authorization model sucks...and it's widely acknowledged http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/).

这说。这是很好的拟合到他们的 IPrincipal.IsInRole API（从而能够充分利用授权属性有交叉兼容性）

That said. It's nice to have cross compatibility by fitting into their IPrincipal.IsInRole API (and thus being able to leverage the Authorize attribute)

所以...我做什么妥协是在一个数据库中的完全权限模型，用户，角色和权限......但是当我的code设置 CurrentPrincipal 我拼合用户的角色和权限到的IPrincipal 的角色集合。这是很不理想......但恕我直言这是一个体面的妥协。其他（罗克福德Lhotka）也采取了这种方式：<一href=\"http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx\">http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx

So...what I do to compromise is have a full permission model in the DB with Users, Roles, and Permissions...but when my code sets the CurrentPrincipal I flatten the User's Roles and Permissions into the Roles collection of the IPrincipal. It's far from ideal...but IMHO it's a decent compromise. Others (Rockford Lhotka) have also taken this approach: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx

这篇关于我如何在ASP.NET中实现基于权限的授权？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！