权限处理的模式/设计建议 [英] Patterns / design suggestions for permission handling

问题描述

我们的 (ASP.NET web) 应用程序中有一个相当复杂的权限处理系统.用户可以对不同类型的对象拥有特定的权限，有些权限甚至打包到分配给用户的组/角色中.总而言之，这最终导致了一个相当复杂的混乱，要确定用户是否可以执行/查看某些事情，您必须评估许多不同的权限来源，而这是按需并基于特定情况以某种方式完成的.

We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissions are even packed into groups / roles that are assigned to users. All in all this ends up in a pretty complicated mess where for determining whether a user can do / see something you have to evaluate many different sources of permissions and this is done somehow on-demand and based on specific situations.

我的问题是(从高层次的角度来看)是否有一些建议/通用设计模式来处理一般的权限概念，以及您在架构中处理它们的经验.

My question is (from a high level point of view) whether there are some suggestions / common design patterns to deal with permission concept in general and probably also what is your experience with handling them in your architecture.

推荐答案

Users 和 Groups 具有测试bool UserHasPermission( SOME_PERMISSION ) 与组关联的原子权限是标准的授权方法，但事情正在改变为基于声明:

Users and Groups with the ability to test bool UserHasPermission( SOME_PERMISSION ) for an atomic permission associated with a Group is the standard approach for authorization, however things are changing to Claims-based:

http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

http://www.infoq.com/news/2009/10/Guide-Claim-Based-Identity

然而，它并不适合所有情况.

It however, is not ideal for all situations.

对于旧模型，我发现可以通过在权限检查期间使用记忆来提高性能.这样我就不会在每个会话中访问数据库 n 次来检查访问控制.Memoization 有效地将具有相同参数的调用结果存储在缓存中，因此特定用户检查 XYZ 权限的所有调用都将返回相同的结果.当然，您要确保在 Session 中存储了用户的记忆权限，因此它是每个用户的.如果您在登录时加载权限，则不需要缓存它们，但在具有许多权限的大型系统中，有时最好仅在需要时获取它们.

For the old model, I find that performance can be gained by using memoization during permissions checks. That way I'm not going to the database n times per session to check access control. Memoization effectively stores in a cache the result of a call with the same parameters, so all calls by a particular user to check XYZ permission would return the same result. Of course, you'd make sure you stored the memoized permissions for the user in the Session so it's per-user. If you load the permissions at login then you don't need to cache them, but in large systems with many permissions sometimes it's best to get them only when needed.

http://www.infoq.com/news/2007/01/CSharp-内存

这篇关于权限处理的模式/设计建议的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！