Implementing Security in ASP.NET Web App as afterthought


Problem description


As with many real world applications out there, the security (login/password) was just there to grant/deny access to the complete application. Now the client has asked for fine grained security, like some web pages should only be viewable, some users can delete, others cannot, etc. Basically the client is requesting the following.

Effective Permission:: Users--> Web page --> Type of Access (View,Create/Edit,Delete)

Details of Application

  • ASP.NET/C#
  • MSSQL Server 2008 for Biz data
  • SQLCE for users/passwords/profiles/logs
  • Ext.NET for main UI

We discussed that it is better to enhance the security.sdf file and have a table for screens (webpages) and a join table of user + screens + a number that denotes type of access i.e.

  • 1: Read
  • 2: Write
  • 4: Delete

These can be checked using bitwise operators. The application uses ASP.NET impersonation to gain access to MSSQL2008.

The problem is how to implement it in the web application?

If anyone has better ideas please share!!!

Solution

You can use the IsInRole function and categorize your users into roles. Each role can have some actions that only it can do. So by asking which role the user is in, you can let him do things or not.

HttpContext.Current.User.IsInRole("Role")

Or you can do it the other way round: ask if this action is available for this role. Here is a simple object with permissions and checks.

using System.Web;

public enum csPermissions
{
    pActionDelete = 1,
    pActionEdit = 2,
    // more names...
}

// Wrapping class so the fragment compiles; the permission arrays must be
// static because IsThisAllowed is static.
public static class PermissionChecker
{
    // Actions granted to the Administrator role
    private static readonly int[] AdminPermission = {
        (int)csPermissions.pActionEdit,
        (int)csPermissions.pActionDelete,
        // more permissions...
    };

    // Actions granted to the BackOffice role
    private static readonly int[] BackOfficePermission = {
        (int)csPermissions.pActionEdit,
        // more permissions...
    };

    public static bool IsThisAllowed(csPermissions AskPermitForThisAction)
    {
        // questions here for all users roles...
        // here is only an example
        if (HttpContext.Current.User.IsInRole("Administrator"))
        {
            for (int i = 0; i < AdminPermission.Length; i++)
                if (AdminPermission[i] == (int)AskPermitForThisAction)
                    return true;
        }

        // no permission found
        return false;
    }
}
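As an added example (not code from the original question or answer), here is the per-page bitmask scheme the question describes, checked server-side the way the answer's IsThisAllowed does: a [Flags] enum for the 1/2/4 access numbers, a hypothetical in-memory stand-in for the user + screen + access join table in security.sdf, and a deny-by-default HasAccess check using a bitwise AND. PagePermissions, HasAccess, CanView and the sample rows are assumptions, not names from the project.

```csharp
using System;
using System.Collections.Generic;

// Bit values from the question: 1 Read, 2 Write, 4 Delete.
[Flags]
public enum AccessType
{
    None   = 0,
    Read   = 1,
    Write  = 2,
    Delete = 4
}

public static class PagePermissions
{
    // Hypothetical in-memory stand-in for the user + screen + access join
    // table in security.sdf (constructed sample rows). In the real app this
    // is one row per user/screen; key here is "user|screen", value the number.
    private static readonly Dictionary<string, int> JoinTable = new Dictionary<string, int>
    {
        { "alice|Orders.aspx",  (int)(AccessType.Read | AccessType.Write | AccessType.Delete) }, // 7
        { "bob|Orders.aspx",    (int)(AccessType.Read | AccessType.Write) },                     // 3
        { "bob|Customers.aspx", (int)AccessType.Read },                                          // 1
    };

    // Deny by default: no row means no access. Otherwise every bit in
    // `required` must be set in the stored mask (so Read|Write needs both).
    public static bool HasAccess(string user, string screen, AccessType required)
    {
        int mask;
        if (!JoinTable.TryGetValue(user + "|" + screen, out mask))
            return false;
        return ((AccessType)mask & required) == required;
    }

    // "Viewable" in the question maps to the Read bit.
    public static bool CanView(string user, string screen)
    {
        return HasAccess(user, screen, AccessType.Read);
    }
}

// Typical use in a page's Page_Load (hypothetical control names):
//   string user = HttpContext.Current.User.Identity.Name;
//   if (!PagePermissions.CanView(user, "Orders.aspx"))
//       Response.Redirect("~/NoAccess.aspx");
//   btnDelete.Visible = PagePermissions.HasAccess(user, "Orders.aspx", AccessType.Delete);
// Hiding the button is UI only: repeat the HasAccess check inside the delete
// handler, since a forged postback can still reach it.
```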
