基于asp.net的MVC角色访问控制 [英] asp.net MVC role based access to controller
问题描述
很多网上的文章对基于角色的访问将是这样的,以确保到控制器或动作
A lot of articles online on role based access speak of applying something like this to ensure role based access to a controller or action
[Authorize(Roles = "Admin, Manager")]
public class SomeController : Controller
{
}
这一切都很好,但现在如果我需要实现我自己的自定义基于角色的访问,其中我有一个[RoleMaster表的角色和另一个表从[用户]表中分配给用户的角色叫[的UserRole ]。在我的code我将在会话的用户对象现在将在它的角色列表
All this is fine, but now if I need to implement my own custom role based access wherein I have roles in a [RoleMaster] table and the roles assigned to a user from a [User] table in another table called [UserRoles]. In my code I will have a user object in session which will now have a Roles list in it
public class RegisteredUsers
{
//... other user properties
public List<UserRole> Roles { get; set; }
}
public class UserRole
{
public string RoleID { get; set; }
public string RoleName { get; set; }
//... other properties
}
现在我该如何检查在RegisteredUsers角色列表中UserRole.RoleName财产不受任何我已经分配给授权值匹配的对象属性使用:[授权(角色=管理员,经理)] 。在某些情况下,如果角色具有admin或经理,他们应该获得访问权。在某些情况下,我会希望他们有两个管理员和经理角色来获得访问权限。
Now how do I check for the UserRole.RoleName property in the Roles list in the RegisteredUsers object as matching against any of the values I have assigned to the Authorize attribute using : [Authorize(Roles = "Admin, Manager")]. In some case if the roles have either Admin or Manager they should get access. In some cases I will want them to have both Admin as well as Manager Role to get access.
此外,如果新的角色被添加到系统会我需要重建和重新部署我的应用程序未来的所有授权属性重做?
Also, in the future if new roles get added to the system will I need to rebuild and redeploy my application with all the Authorize attributes redone?
我一直没能找到任何明显的例子,实现相同的,或者是我不正常搜索。请帮我以任何方式就可以了。感谢您的时间...
I have not been able to find any clear example implementing the same, or perhaps I am not searching correctly. Please help me out in any way you can. Thanks for your time...
推荐答案
您需要实现自定义的的IPrincipal (或自定义的 RoleProvider ,但在我看来的IPrincipal是比较容易)。
You need to implement a custom IPrincipal (or a custom RoleProvider, but in my view IPrincipal is easier).
在您的表单验证控制器,验证对用户表,并从您的角色表的角色创建一个IPrincipal。你可能也想设置窗体身份验证cookie的,而你在它与你的角色,所以你不需要打数据库中的每个请求(或使用一个会话)。看一看在<一的code href=\"http://stackoverflow.com/questions/3945907/custom-iidentity-and-iprincipal-using-formsauthenticationticket-cookie-in-mvc2\">this问题这种方法的一个例子。
In your forms authentication controller, authenticate against your user table and create an IPrincipal with roles from your role table. You will probably also want to set a Forms Auth cookie while you're at it with your roles so you don't need to hit the database each request (or use a session). Have a look at the code in this question for an example of this approach.
如果你没有对用户的任何自定义属性,您可以使用内置的GenericIdentity和的GenericPrincipal。
If you don't have any custom attributes on your users, you may be able to use the built-in GenericIdentity and GenericPrincipal.
修改 - 如果你在会话中存储用户信息,你只需要确保你在每次开始时设置HttpContext.Current.User到您的会话衍生的IPrincipal请求(OnPostAuthenticate)
Edit - if you're storing your user information in the session, you'll just need to make sure you set HttpContext.Current.User to your session-derived IPrincipal at the start of each request (OnPostAuthenticate)
您将需要重建/重新部署,以应付这种方法的新角色。如果要动态地分配角色并在运行时处理它们,你需要实现自定义AuthorizationAttribute - 这可能需要(例如)的字符串操作参数,它可以匹配在DB的角色。我个人离开这,直到它变得很明显,你需要它。
You will need to rebuild/redeploy to cater for new roles with this approach. If you want to dynamically assign roles and handle them at runtime, you'd need to implement a custom AuthorizationAttribute - this could take (e.g.) a string 'Operation' parameter which can be matched to roles in the DB. I would personally leave this until it becomes obvious you need it.
这篇关于基于asp.net的MVC角色访问控制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
