细粒度控制页面和按钮访问的客户可配置的asp.net网站安全 [英] customer-configurable asp.net web site security for fine-grained control of page and button access
问题描述
我有一个ASP.NET 2.0 [没有阿贾克斯......然而]的网站,将被部署在编译的形式在多个客户现场。通常情况下,网站将仅内部网。有些客户相信他们所有的人并不在乎限制访问网站和/或页面功能,别人信任任何人,只希望某些人和/或团体能够查看某些网页,单击某些按钮,等人。
I have an ASP.NET 2.0 [no ajax...yet] web site that will be deployed in compiled form on multiple customer sites. Typically the site will be intranet only. Some customers trust all of their people and don't care about limiting access to the site and/or page functions, others trust no one and want only certain people and/or groups to be able to view certain pages, click certain buttons, et al.
我可以做一些本土的解决方案,可能从数据库表驱动的访问权限,但在此之前我走这一步我想我会问这样:什么是这种情况好的解决办法? preferably一个可以completedly在web.config文件和/或数据库进行控制,因为重建的网站是不可能的(客户端,而我不希望有一遍又一遍地为他们做)。 Active Directory集成将是一个奖金,但不是必需的(除非这只是更容易)。
i could do some home-grown solution, possibly drive the access permissions from a database table, but before i go down that road i thought i'd ask in SO: what is a good solution for this situation? preferably one that can be controlled completedly in the web.config file and/or database, since rebuilding the web site is not possible (for the client, and i don't want to have to do it for them over and over). Active Directory integration would be a bonus, but not a requirement (unless that's just easier).
为出发点,我在想,在网站的每个页面/功能点被赋予的身份和权限组相关...
as a starting point, i'm thinking that each page/function point in the site be given an identity and associated with a permission group...
编辑:web.config中的授权部分允许/拒绝访问按角色和用户是很好的,但是,这只是问题的一半 - 另一半则是控制访问的每个页面上的单个方法(按钮,不管)。例如,一些用户可以查看whatchamacallits而另一些则允许编辑,创建,删除或禁用/启用它们。所有这些按钮/链接/行动都认为页...
web.config authorization section to allow/deny access by role and user is good, but that is only half of the problem - the other half is controlling access to the individual methods (buttons, whatever) on each page. For example, some users can view whatchamacallits while others are allowed to edit, create, delete, or disable/enable them. All of these buttons/links/actions are on the view page...
[地理位置优越,我会做的禁用的按钮不可见,但在这里并不重要]
[ideally i would make the disabled buttons invisible, but that is not important here]
编辑:一些很好的建议,到目前为止,但没有完整的解决方案,但 - 还是倾向于一个数据库驱动的解决方案...
some good suggestions so far, but no complete solution yet - still leaning towards a database-driven solution...
- 在安全权限需求的属性会抛出异常时,按钮被点击,这是不是一个友好的事情;我宁愿隐藏,用户不允许使用按钮
- LoginView控件也很有趣,但需要复制的大部分页面内容几次(一次为每个角色),不得处理其中一个用户是多个角色的情况下 - 我不能假定角色分层,因为它们会由客户定义
编辑:平台的Win2K / XP,SQL Server 2005中,ASP.NET 2.0中,没有使用AJAX
platform is Win2K/XP, Sql Server 2005, ASP.NET 2.0, not using AJAX
推荐答案
我preFER授予访问权限,AD组,而不是特定的用户。我发现它是灵活得多。
I prefer to grant access rights to AD groups rather than specific users. I find it's much more flexible.
我不知道很多关于你的应用程序,但你可能想看看在web.config文件中的授权标签:
I don't know much about your application, but you might want to look at the authorization tag in the web.config file:
<authorization>
<!--
<deny users="?" />
<allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>
您可以单独的Web.config文件Web应用程序中的每个目录,你可以嵌套目录。每个web.config文件可以有它自己的授权部分。如果你把不同的页面中的每个目录中,你可以通过允许每个web.config中特定的角色,并否认其他一切有效的严格管理的安全性。然后你就可以管理Active Directory中每个角色的成员。我发现这是一种情感的解决方案,因为它充分利用了微软的Active Directory和ASP.NET安全框架无需编写自己的自定义的东西,如果你使用的角色,它可以卸载角色成员的管理的人谁没有以往任何时候都具有触摸,他们只需要知道如何使用AD管理控制台的web.config文件。
You can separate web.config files each directory within your web application, and you can nest directories. Each web.config file can have it's own authorization section. If you put different pages in each directory you can effectively tightly manage security by allowing a specific role in each web.config, and denying everything else. Then you can manage members of each role in active directory. I've found this to be an affective solution because it makes good use of Microsoft's Active Directory and ASP.NET security framework without writing your own custom stuff, and if you use roles, it's possible to offload the management of role membership to someone who doesn't ever have to touch the web.config file they just need to know how to use the AD management console.
这篇关于细粒度控制页面和按钮访问的客户可配置的asp.net网站安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
