Handling record/entity level security in an ASP.NET MVC application


Question

What is everyone doing to handle security (retrieval and modification) of individual records in an ASP.NET MVC application? This application has a Service/Business layer and a Data Access layer that are completely separate from the Web user interface. I am already using the membership and roles providers to handle authentication and authorization for specific areas/features in my application, but now I need to secure individual records.

For example, say Bob can create and edit his own FooBar records. I want to ensure that other users cannot view or edit Bob's records. I want to protect against URL manipulation and/or programming mistakes. We may also want to allow Bob to share his FooBars with other users, allowing them to view but not edit his records.

Here are a few approaches I have come up with:


  • Do the security checks in the Data Access layer, directly in the retrieval and modification queries.

  • Do the security checks in the Service layer, running extra security queries before proceeding with the business logic.

  • Create a security layer that sits between the UI and the Business layer. The UI would make all requests through the security layer.

  • Use Aspect Oriented Programming (AOP). Create a security concern and decorate the Service layer methods with security attributes.

I've done security in the Data Access layer (in the queries) in previous projects, and it always turns into a mess. I would like to know what everyone else is doing, and what frameworks you are using to help you (AOP frameworks.)

Answer

I always take the 2nd and/or 3rd of your approaches - an explicit security layer somewhere between the UI and the logic handlers.

AOP sounds like a way to completely lose control over the code, and security in the DAL sounds like the wrong approach, as it mixes up different responsibilities.
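The following is an added example, not code from the question or the answer, of what the answer's "explicit security layer between the UI and the logic handlers" can look like for the FooBar scenario. `FooBar`, `FooBarService`, `SecureFooBarService` and the user ids are hypothetical; it is a plain console program (assumes .NET 6+ / C# 9) with an in-memory store so it runs without ASP.NET MVC. The business layer knows nothing about users; the security layer loads each record by the id taken from the URL and decides, per record, whether the caller may read or write it, treating "not found" and "not yours" identically.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical domain record, standing in for Bob's FooBar from the question.
public sealed class FooBar
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
    public string Title { get; set; } = "";
}

public sealed class AccessDeniedException : Exception
{
    public AccessDeniedException(string message) : base(message) { }
}

// Business/data layer with no security logic at all (in-memory for the example).
public sealed class FooBarService
{
    private readonly Dictionary<int, FooBar> _rows = new();
    private readonly HashSet<(int FooBarId, string GranteeId)> _shares = new();
    private int _nextId = 1;

    public FooBar Create(string ownerId, string title)
    {
        var f = new FooBar { Id = _nextId++, OwnerId = ownerId, Title = title };
        _rows[f.Id] = f;
        return f;
    }
    public FooBar? Find(int id) => _rows.TryGetValue(id, out var f) ? f : null;
    public void AddShare(int fooBarId, string granteeId) => _shares.Add((fooBarId, granteeId));
    public bool IsSharedWith(int fooBarId, string userId) => _shares.Contains((fooBarId, userId));
}

// Explicit security layer between the controllers and FooBarService. Controllers
// hold only this type, so no code path reaches a record without a per-record check.
public sealed class SecureFooBarService
{
    private readonly FooBarService _inner;
    public SecureFooBarService(FooBarService inner) => _inner = inner;

    private static bool IsOwner(string userId, FooBar f) => f.OwnerId == userId;
    private bool CanRead(string userId, FooBar f) => IsOwner(userId, f) || _inner.IsSharedWith(f.Id, userId);
    private static bool CanWrite(string userId, FooBar f) => IsOwner(userId, f); // shares are read-only

    // The owner is the authenticated caller, never a value posted in the form.
    public FooBar Create(string userId, string title) => _inner.Create(userId, title);

    // Load first, then decide: the id from the URL is never trusted. A missing record
    // and a forbidden one produce the same result, so probing ids reveals nothing.
    public FooBar Get(string userId, int id)
    {
        var f = _inner.Find(id);
        if (f is null || !CanRead(userId, f))
            throw new AccessDeniedException($"FooBar {id} is not accessible to {userId}");
        return f;
    }

    public void Rename(string userId, int id, string newTitle)
    {
        var f = _inner.Find(id);
        if (f is null || !CanWrite(userId, f))
            throw new AccessDeniedException($"FooBar {id} is not writable by {userId}");
        f.Title = newTitle;
    }

    // Only the owner may grant access, and a grant never confers write access.
    public void Share(string userId, int id, string granteeId)
    {
        var f = _inner.Find(id);
        if (f is null || !CanWrite(userId, f))
            throw new AccessDeniedException($"FooBar {id} cannot be shared by {userId}");
        _inner.AddShare(id, granteeId);
    }
}

public static class Program
{
    private static void Attempt(string label, Action action)
    {
        try { action(); Console.WriteLine($"{label}: allowed"); }
        catch (AccessDeniedException e) { Console.WriteLine($"{label}: denied ({e.Message})"); }
    }

    public static void Main()
    {
        var svc = new SecureFooBarService(new FooBarService());
        var bobs = svc.Create("bob", "Bob's notes");
        Attempt("bob reads own record", () => svc.Get("bob", bobs.Id));
        Attempt("alice reads bob's record via tampered URL", () => svc.Get("alice", bobs.Id));
        Attempt("alice shares bob's record with herself", () => svc.Share("alice", bobs.Id, "alice"));
        Attempt("bob shares with alice", () => svc.Share("bob", bobs.Id, "alice"));
        Attempt("alice reads shared record", () => svc.Get("alice", bobs.Id));
        Attempt("alice edits shared record", () => svc.Rename("alice", bobs.Id, "hijacked"));
        Attempt("alice reads nonexistent id 999", () => svc.Get("alice", 999));
    }
}
```

In a real MVC application the controllers would receive `SecureFooBarService` through dependency injection and map `AccessDeniedException` to a 403 or 404 response; the user id would come from the authenticated principal (e.g. `User.Identity.Name`), never from a route or form value. Registering only the secure wrapper in the container, rather than the raw `FooBarService`, is what makes the layer hard to bypass by accident, which addresses the "programming mistakes" part of the question as well as URL manipulation.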
