WindowsTokenRoleProvider 的性能不佳 [英] Poor Performance with WindowsTokenRoleProvider

问题描述

我正在使用 WindowsTokenRoleProvider 来确定 ASP.NET Web 应用程序中的 Active Directory 组成员身份.

I'm using WindowsTokenRoleProvider to determine Active Directory group membership in an ASP.NET web application.

我的问题是性能不好，尤其是当用户在多个组中时.例如，我在 253(!) 个组中，WindowsTokenRoleProvider 需要大约 150 秒来确定我在哪些组中.

My problem is that performance is not good, especially when a user is in many groups. As an example, I am in 253(!) groups, and WindowsTokenRoleProvider is taking around 150 seconds to determine what groups I am in.

我知道我可以使用缓存，这样就不会在对用户的后续请求中执行此操作，但显然在第一次点击时花费这么长时间是不可接受的.

I know I can use caching so that this isn't done on subsequent requests for a user, but obviously it isn't acceptable to take that long on the first hit.

我有哪些选择?我可以强制 WindowsTokenRoleProvider 只考虑某些组吗?(我只对 5 个感兴趣).

What are my options? Can I force WindowsTokenRoleProvider to only consider certain groups? (I'm only interested in 5).

推荐答案

一些测试表明我的问题是调用:

Some testing has revealed that my problem is that calling:

Roles.IsUserInRole(groupName)

正在访问 RoleProvider 中的方法 GetRolesForUser - 该方法检索用户所属的每个角色的详细信息.

is accessing the method GetRolesForUser in the RoleProvider - which is retrieving details of every role the user is a member of.

但是打电话:

Roles.Provider.IsUserInRole(groupName)

确定用户是否在组中 - 无需检索用户所在的每个角色的详细信息.

determines whether or not the user is in the group - without retrieving the details of every role the user is in.

很奇怪，但看起来使用 Roles.Provider.IsUserInRole 可以解决我的问题.

Weird, but it looks like using Roles.Provider.IsUserInRole will solve my problem.

* 更新 *

事实证明，这只是部分解决方法；如果我使用命令式权限检查，或者在 web.comfig 中使用允许"和拒绝"，那么 WindowsTokenRoleProvider 仍然会继续并且 缓慢 获取用户所属的每个组的详细信息:o(

It turns out that this is just a partial workaround; if I use imperative permission checks, or 'allow' and 'deny' in web.comfig, then WindowsTokenRoleProvider still goes and slowly gets details of every group the user is a member of :o(

所以我的问题仍然存在......

So my question still stands...

* 更新 *

我通过创建一个从 WindowsTokenRoleProvider 扩展并覆盖 GetRolesForUser 的类解决了这个问题，因此它只检查配置中指定的角色的成员资格.它也包括缓存:

I solved this by creating a class that extends from WindowsTokenRoleProvider and overriding GetRolesForUser so it only checks for membership of roles specified in the configuration. It includes caching too:

/// <summary>
/// Retrieve the list of roles (Windows Groups) that a user is a member of
/// </summary>
/// <remarks>
/// Note that we are checking only against each system role because calling:
/// base.GetRolesForUser(username);
/// Is _very_ slow if the user is in a lot of AD groups
/// </remarks>
/// <param name="username">The user to check membership for</param>
/// <returns>String array containing the names of the roles the user is a member of</returns>
public override string[] GetRolesForUser(string username)
{
    // Will contain the list of roles that the user is a member of
    List<string> roles = null;

    // Create unique cache key for the user
    string key = String.Concat(username, ":", base.ApplicationName);

    // Get cache for current session
    Cache cache = HttpContext.Current.Cache;

    // Obtain cached roles for the user
    if (cache[key] != null)
    {
        roles = new List<string>(cache[key] as string[]);
    }

    // Was the list of roles for the user in the cache?
    if (roles == null)
    {
        roles = new List<string>();

        // For each system role, determine if the user is a member of that role
        foreach (SystemRoleElement role in WebConfigSection.Settings.SystemRoles)
        {
            if (base.IsUserInRole(username, role.Name))
            {
                roles.Add(role.Name);
            }
        }

        // Cache the roles for 1 hour
        cache.Insert(key, roles.ToArray(), null, DateTime.Now.AddHours(1), Cache.NoSlidingExpiration);
    }

    // Return list of roles for the user
    return roles.ToArray();
}

这篇关于WindowsTokenRoleProvider 的性能不佳的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！