如何使用 activedirectorymembershipprovider 在 asp.net mvc 应用程序中实现角色层次结构 [英] How can i implement a role-hierarchy in an asp.net mvc app using activedirectorymembershipprovider
问题描述
在我的 asp.net mvc 应用程序中,我使用的是 activedirectorymembershipprovider.在活动目录中,我创建了几个角色(组),为简单起见,类似于普通"和管理员".
In my asp.net mvc app i am using the activedirectorymembershipprovider. In the active directory i have created a couple of roles (groups) similar to, for simplicity of this example, "normal" and "administrator".
我目前正在通过获取 httpcontext 的 IPrincipal 并调用 User.IsInRole(nameOfRoleGoesHere); 来查询用户是否在角色中.
I am currently querying whether user is in role by getting the IPrincipal of the httpcontext and calling User.IsInRole(nameOfRoleGoesHere);.
我正在寻找的行为是让我能够询问用户是否处于管理员"角色,然后隐式询问用户是否处于该角色以下的所有角色(在这种情况下,角色正常"将低于管理员"").由于我的角色主要是垂直的(如果这有意义的话),目前这种角色继承似乎对我的应用程序有意义.
The behaviour im looking for is for me to be able to ask whether user is in role "administrator" and then implicitly be asking whether user is in all roles below that (in this case role "normal" would be below "administrator"). As my roles are mainly vertical (if that makes any sense) this kind of role-inheritance seems to make sense for my application at the moment.
我怎样才能得到这种行为——我是否必须实现一些允许我要求角色管理员"的自定义逻辑,但抽象出实际上在幕后的活动目录中要求普通"和管理员"——或者是有可能在活动目录中以某种方式自动给我这种行为吗?
How can i get this behavior - must i implement some custom logic allowing me to ask for role "administrator", but abstracting away actually asking for both "normal" and "administrator" in the active directory behind the scenes - or is it possible to structure groups in active directory somehow giving me this behaviour automatically?
对于我对 asp.net、活动目录和 .net 安全性的任何严重误解,我深表歉意 - 我是新手,正在试验中.
Apologies for any gross misunderstandings of asp.net, active directory and .net security on my part - i am rookie and experimenting.
推荐答案
AD 支持一个组是另一个组的成员的概念吗?
AD supports the concept of a group being a member of another group?
所以你可以有以下内容:
So you could have the following:
用户:安妮、鲍勃、查理、道格拉斯、艾略特、弗雷德和乔治.
Users: Anne, Bob, Charlie, Douglas, Elliot, Fred and George.
角色:普通、编辑、管理员
然后在定义每个组为:
Admin 有以下成员:George
Admin has the following members: George
Editor 有以下成员:Admin"、Douglas、Elliot
Editor has the following members: "Admin", Douglas, Elliot
Normal 有以下成员:Editor"、Admin"、Anne、Bob、Charlie
Normal has the following members: "Editor", "Admin", Anne, Bob, Charlie
因此,您知道 George 是 Normal、Editor 和 Admin 的成员,因为 Admin 的所有成员都包含在这些组中,而 Douglas 只是 Editor 和 Normal 的成员,而 Anne 只是普通用户,并且如果你问,AD 会说是的,George 是普通用户".
Therefore, you know that George is a member of Normal, Editor and Admin, because all members of Admin are included in those groups, while Douglas is only a member of Editor and Normal, and Anne is just a Normal user, and AD would say "yes, George is a Normal user" if you asked it.
然而:(据我所知)没有(据我所知)官方支持的 ActiveDirectory RoleProvider 可以用正确的 AD 角色填充 RolesPrinciple - 有一对夫妇 像 CodePlex 上的这个,您将什么定义为您的角色提供者?
HOWEVER: There isn't (as far as I know) an offical, MS supported ActiveDirectory RoleProvider that would populate the RolesPrinciple with the correct AD roles - there are a couple out there like this one on CodePlex what have you defined as your role provider?
默认的 ASP.NET 角色提供程序不支持角色层次结构,因此您要么需要:
The default ASP.NET role provider doesn't support role hierarchies, so you would either need to either:
- 将用户置于他们有权访问的每个角色中,并且只检查您感兴趣的角色.
- 将用户置于他们可以访问的最强大的角色中,然后检查每个应该具有访问权限的角色.
- 编写/查找支持层次结构的角色提供程序 - 很简单如果用户处于更高级别的角色,则返回 true.
- Put the user in each role they have access to, and only check for the role you're interested in.
- Put the user in the most powerful role they can access, and then check for every role that should have access.
- Write/find a role provider that supports hierarchies - simiply by returning true if the user is in a higher order role.
这篇关于如何使用 activedirectorymembershipprovider 在 asp.net mvc 应用程序中实现角色层次结构的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
