MVC / ASP.Net最佳实践为记录级授权 [英] MVC / ASP.Net Best Practice for Record-Level Authorization
问题描述
有没有人有一个很好的方法,强制执行记录级的授权,同时保持一个ASP.Net MVC的Web站点中的关注点分离有什么建议?
Does anyone have any suggestions on a good methodology for enforcing record-level authorization while maintaining separation of concerns within an ASP.Net MVC web site?
使用的PrincipalPermission,你可以装饰用的方法:
With PrincipalPermission, you can decorate a method with:
PrincipalPermission(SecurityAction.Demand, Role = "GroupLeader")
要求对任何游客到该页面是固定的作用GroupLeader中的一员。
to require that any visitor to that page be a member of the fixed role "GroupLeader".
另外,你可以用装饰的方法:
Alternatively, you could decorate a method with:
[ClaimsPrincipalPermission(SecurityAction.Demand, Operation = "Manage", Resource = "Group")]
要求对任何访问者的页面一般允许管理组。
to require that any visitor to that page be allowed generically to manage a group.
不过,这些都不真正解决其中一个用户可能有权限修改某些群体,但不是别人的情况。至于我可以告诉大家,即使我实现一个自定义 ClaimsAuthorizationManager ,有没有办法让为了做有条件的授权访问方法参数。
However, neither of these really address the scenario in which a user might have permission to edit some groups, but not others. As far as I can tell, even if I implement a custom ClaimsAuthorizationManager, there is no way to get access to the method parameters in order to do conditional authorization.
此外,两个以上只是扔的方法的 SecurityException异常如果用户不具有访问,而不是允许一方法对用户正常重定向到一个网页,解释发生了什么,他们可以做来获得必要的授权。
Additionally, both of the methods above just throw a SecurityException if the user doesn't have access rather than allowing a method to gracefully redirect the user to a page that explains what happened and what they might do to gain the necessary authorization.
当然,我也意识到,我可能只是code授权逻辑到方法本身并相应地重定向,但我宁愿分开了这一点,如果可能的话,并保持方法code清洁,只有真正处理处理请求,也能够可更一般地应用于一个框架内工作
Obviously, I also realize that I could just code authorization logic into the method itself and redirect accordingly, but I would rather separate that out, if possible, and keep the method code clean to only handle actually processing the request and also to be able to work within a framework that can be more generically applied.
那么,有没有一个乱用的方式来处理这种情况下,或者说我要实现自定义的个IAuthorizationFilter ?我想我可以同时处理记录级授权和优美的重定向,但没有在方法级别的任何参数,这将是本质上是一个巨大的如果...否则,如果声明。
So, is there an "out-of-the-box" way to handle this scenario, or do I have to implement a custom IAuthorizationFilter? I think I could handle both the record-level authorization and the graceful redirect, but without any parameters at the method level, it would be essentially a massive if ... else if statement.
推荐答案
来处理这种情况的最直接的方式是建立在你的实体来存储实体的所有者或创造者的属性。然后,当你查询的对象,您可以通过此过滤器。例如:
The most straight forward way to handle this situation is creating a property on your entities to store the "owner" or "creator" of the entity. Then, when you query objects, you filter by this. For example:
public class Foo
{
public int Id { get; set; }
...
public string Creator { get; set; }
}
然后:
public ActionResult FooDetails(int id)
{
var foo = db.Foos.SingleOrDefault(m => m.Id == id && m.Creator == User.Identity.Name);
if (foo == null)
{
return new HttpNotFoundResult();
}
return View(foo);
}
这不是真的适合通过授权的过滤器,因为你必须选择该行,以确定用户的权限来处理这个问题。然后,您必须再次选择该行的动作里面把它发送到视图。此外,你必须做一些杂技让过滤器能够知道应该如何选择在那里,让你甚至可以检查权限摆在首位的。在操作,你已经选择了实体,所以只需调节它根据用户是否拥有它在同一时间。
It's not really appropriate to handle this via an authorization filter because you have to select the row to determine the user's permissions. Then, you must select the row again inside the action to send it to the view. Also, you'd have to do some acrobatics to get the filter to be able to know how it should select what from where so that you can even check the permissions in the first place. In the action, you're already selecting the entity, so just condition it based on whether the user "owns" it at the same time.
这篇关于MVC / ASP.Net最佳实践为记录级授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
