Custom security scenario in ASP.NET MVC


Question

I don't have a lot of experience with this and I am really hoping to get a good suggestion from you guys. I need to implement the following security scenario and I would like to know the best way to do it.

Imagine we have Employees, Supervisors and Department managers. Both Employees and Supervisors have ManagerId assigned based off and pointing to the department manager they belong to.

When a supervisor user logs in I want him to only see records for employees that belong to the same ManagerId as his. If another supervisor with another ManagerId user logs in and manually punches other employee's information in url (ex: wwww.domain.com/employee/details/{id} ), because his ManagerId != employee's ManagerId I would like the access to be restricted.

Does that make sense?

I started typing out checks on all ActionMethods such as:

public ActionResult Details(int id)
{
    var employee = employeeRepository.Get(id);
    var user = (CustomIdentity)ControllerContext.HttpContext.User.Identity;

    if (employee.managerId == user.managerId)
    {
        // Do whatever...
        return View(employee);
    }
    else
    {
        // Not allowed
        return new HttpStatusCodeResult(403);
    }
}

But typing that out in all ActionMethods seems redundant and just..ehh... I know there must be a better way.

Recommended answer

Here is a stab at a solution. It needs a bit of cleanup but should give you everything you need.

Create a custom ActionFilter, and then decorate your methods with it.

[ManagerIdAuthentication]
public ActionResult Details(int id)
{
     // Gets executed if the filter allows it to go through.
}

The next class can be created in a separate library so you can include it in all your actions that require this validation.

using System.Web.Mvc;

public class ManagerIdAuthentication : ActionFilterAttribute
{
    // Assumed: the repository is resolved for the filter (e.g. through DependencyResolver);
    // the original answer does not show where employeeRepository comes from.
    private readonly IEmployeeRepository employeeRepository =
        DependencyResolver.Current.GetService<IEmployeeRepository>();

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // ActionParameters holds the model-bound action arguments, so the id is
        // available here regardless of the HTTP method (GET, POST, etc.); reading
        // Request.QueryString["id"] would only work for a GET with the id in the URL.
        var id = (int)filterContext.ActionParameters["id"];

        var employee = employeeRepository.Get(id);
        var user = (CustomIdentity)filterContext.HttpContext.User.Identity;
        if (employee == null || employee.managerId != user.managerId)
        {
            // Wrong manager (or no such employee): short-circuit with 403 Forbidden.
            // Setting Result stops the action from executing; may use a ContentResult
            // if you want to provide additional info in the error message.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
        else
        {
            // OK, let it through.
        }
    }
}
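The following is an added example, not code from the question or the answer above, showing the same ownership check written as an MVC authorization filter (IAuthorizationFilter) instead of an ActionFilterAttribute, so that it runs before model binding and any action filters and a denied request never reaches the action body. It also covers the cases the answer's comment leaves open: the id is taken from the route value, the query string or the form body, so GET and POST are handled alike; an unauthenticated or non-CustomIdentity principal gets 401; a missing employee and an employee under another manager both get 403, so the response does not reveal which ids exist. The names CustomIdentity (mentioned in the question), Employee, IEmployeeRepository and ManagerIdAuthorizeAttribute are assumptions for this example.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Mvc;

// Assumed identity type: the question refers to a CustomIdentity carrying the manager id.
public class CustomIdentity : GenericIdentity
{
    public int ManagerId { get; private set; }

    public CustomIdentity(string name, int managerId) : base(name)
    {
        ManagerId = managerId;
    }
}

// Assumed domain model and repository abstraction (the question's employeeRepository is not shown).
public class Employee
{
    public int Id { get; set; }
    public int ManagerId { get; set; }
}

public interface IEmployeeRepository
{
    Employee Get(int id); // returns null when no such employee exists
}

// Authorization filter: runs before action filters and the action itself.
// Usage: [ManagerIdAuthorize] on an action or on a whole controller.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public class ManagerIdAuthorizeAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly string routeKey;

    public ManagerIdAuthorizeAttribute(string routeKey = "id")
    {
        this.routeKey = routeKey;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // 1. Authentication: without a CustomIdentity there is no manager scope to enforce.
        var user = filterContext.HttpContext.User;
        var identity = user == null ? null : user.Identity as CustomIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult(); // 401; forms auth redirects to login
            return;
        }

        // 2. Locate the employee id regardless of verb: route value, then query string, then form.
        int employeeId;
        if (!TryGetEmployeeId(filterContext, out employeeId))
        {
            filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.BadRequest);
            return;
        }

        // 3. Ownership check, deny by default. A missing record and a record owned by another
        //    manager produce the same 403, so the filter does not disclose which ids exist.
        var repository = DependencyResolver.Current.GetService<IEmployeeRepository>();
        if (repository == null) throw new InvalidOperationException("IEmployeeRepository is not registered.");

        var employee = repository.Get(employeeId);
        if (employee == null || employee.ManagerId != identity.ManagerId)
        {
            filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Forbidden);
        }
        // Otherwise Result stays null and MVC continues to the action.
    }

    private bool TryGetEmployeeId(AuthorizationContext filterContext, out int employeeId)
    {
        employeeId = 0;
        var request = filterContext.HttpContext.Request;
        object raw = filterContext.RouteData.Values[routeKey]
                     ?? (object)request.QueryString[routeKey]
                     ?? request.Form[routeKey];
        return raw != null && int.TryParse(raw.ToString(), out employeeId);
    }
}

// With the filter in place the action contains only business logic.
public class EmployeeController : Controller
{
    private readonly IEmployeeRepository employeeRepository;

    public EmployeeController(IEmployeeRepository employeeRepository)
    {
        this.employeeRepository = employeeRepository;
    }

    [ManagerIdAuthorize]
    public ActionResult Details(int id)
    {
        return View(employeeRepository.Get(id));
    }
}
```

Two design points worth noting: the check is an authorization filter rather than an action filter because MVC runs authorization filters first, before model binding and output caching can interfere, and because a null Result is the only way a request proceeds, so forgetting a branch fails closed. The repository is resolved through DependencyResolver because attributes are constructed by the framework and cannot take constructor-injected dependencies; if the application has no resolver configured, the filter throws rather than silently allowing the request.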
