与WindowsTokenRoleProvider性能下降 [英] Poor Performance with WindowsTokenRoleProvider

问题描述

我用 WindowsTokenRoleProvide 研究，以确定在ASP.NET Web应用程序的Active Directory组成员。

I'm using WindowsTokenRoleProvider to determine Active Directory group membership in an ASP.NET web application.

我的问题是，表现并不好，尤其是当用户在多个组。举个例子，我在253（！）组和 WindowsTokenRoleProvider 正在约150秒，以确定我在什么组。

My problem is that performance is not good, especially when a user is in many groups. As an example, I am in 253(!) groups, and WindowsTokenRoleProvider is taking around 150 seconds to determine what groups I am in.

我知道我可以使用缓存，这样，这是不是对用户的后续请求完成，但显然它会持续多长时间上的第一个命中是不能接受的。

I know I can use caching so that this isn't done on subsequent requests for a user, but obviously it isn't acceptable to take that long on the first hit.

我有什么选择？我可以强制 WindowsTokenRoleProvider 只考虑某些群体？ （我只关心在5）。

What are my options? Can I force WindowsTokenRoleProvider to only consider certain groups? (I'm only interested in 5).

推荐答案

一些测试显示，我的问题是，调用：

Some testing has revealed that my problem is that calling:

Roles.IsUserInRole(groupName)

正在访问的 RoleProvider 的方法 GetRolesForUser - 每一个角色被检索的详细信息的用户是一个成员的。

is accessing the method GetRolesForUser in the RoleProvider - which is retrieving details of every role the user is a member of.

但呼吁：

Roles.Provider.IsUserInRole(groupName)

确定用户是否是该组中 - 而不检索的每一个角色的用户是在细节

determines whether or not the user is in the group - without retrieving the details of every role the user is in.

怪异，但它看起来像使用 Roles.Provider.IsUserInRole 将解决我的问题。

Weird, but it looks like using Roles.Provider.IsUserInRole will solve my problem.

*更新*

事实证明，这仅仅是一个局部的解决办法;如果我使用必要的权限检查，或允许和拒绝在web.comfig，那么 WindowsTokenRoleProvider 还是去和慢慢的每一个获取详情集团用户中的一员：O（

It turns out that this is just a partial workaround; if I use imperative permission checks, or 'allow' and 'deny' in web.comfig, then WindowsTokenRoleProvider still goes and slowly gets details of every group the user is a member of :o(

所以我的问题仍然有效...

So my question still stands...

*更新*

我通过创建一个从WindowsTokenRoleProvider扩展一个类并覆盖解决了这个 GetRolesForUser 所以它只能在配置中指定的角色的成员资格检查。它包含缓存太：

I solved this by creating a class that extends from WindowsTokenRoleProvider and overriding GetRolesForUser so it only checks for membership of roles specified in the configuration. It includes caching too:

/// <summary>
/// Retrieve the list of roles (Windows Groups) that a user is a member of
/// </summary>
/// <remarks>
/// Note that we are checking only against each system role because calling:
/// base.GetRolesForUser(username);
/// Is _very_ slow if the user is in a lot of AD groups
/// </remarks>
/// <param name="username">The user to check membership for</param>
/// <returns>String array containing the names of the roles the user is a member of</returns>
public override string[] GetRolesForUser(string username)
{
    // Will contain the list of roles that the user is a member of
    List<string> roles = null;

    // Create unique cache key for the user
    string key = String.Concat(username, ":", base.ApplicationName);

    // Get cache for current session
    Cache cache = HttpContext.Current.Cache;

    // Obtain cached roles for the user
    if (cache[key] != null)
    {
        roles = new List<string>(cache[key] as string[]);
    }

    // Was the list of roles for the user in the cache?
    if (roles == null)
    {
        roles = new List<string>();

        // For each system role, determine if the user is a member of that role
        foreach (SystemRoleElement role in WebConfigSection.Settings.SystemRoles)
        {
            if (base.IsUserInRole(username, role.Name))
            {
                roles.Add(role.Name);
            }
        }

        // Cache the roles for 1 hour
        cache.Insert(key, roles.ToArray(), null, DateTime.Now.AddHours(1), Cache.NoSlidingExpiration);
    }

    // Return list of roles for the user
    return roles.ToArray();
}

这篇关于与WindowsTokenRoleProvider性能下降的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！