用于权限处理的模式/设计建议 [英] Patterns / design suggestions for permission handling

问题描述

我们在（ASP.NET Web）应用程序中有一个相当复杂的权限处理系统。用户可以对不同类型的对象拥有特定权限，甚至将某些权限打包到分配给用户的组/角色中。所有这一切最终都是一个非常复杂的混乱，用于确定用户是否可以/看到某些您必须评估许多不同的权限来源，这是按某种方式按需并根据具体情况完成的。

我的问题是（从高层次的角度来看）是否有一些建议/共同的设计模式来处理一般的权限概念，也可能是你在处理它们时的经验

解决方案

用户和组 code> bool UserHasPermission（SOME_PERMISSION）用于与组相关联的原子权限是授权的标准方法，但是事情正在更改为基于声明的方式：

http://msdn.microsoft.com/en- us / magazine / ee335707.aspx

http://msdn.microsoft.com/en-us/magazine/cc163366 .aspx

http://www.infoq.com/news/2009/10/Guide-Claim-Based-Identity

它然而，对于所有情况来说，这不是理想的。

对于旧模型，我发现在权限检查期间可以通过使用memoization来获得性能。这样我不会每次会话去数据库，以检查访问控制。 Memoization在缓存中有效地将具有相同参数的调用结果存储在一起，因此特定用户检查XYZ权限的所有调用将返回相同的结果。当然，您可以确保在会话中为用户存储已记录的权限，以便每个用户。如果您在登录时加载权限，那么您不需要缓存它们，但是在具有许多权限的大型系统中，有时候最好只在需要时才获得它们。

< a href =http://www.infoq.com/news/2007/01/CSharp-memory =nofollow noreferrer> http://www.infoq.com/news/2007/01/CSharp-内存

We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissions are even packed into groups / roles that are assigned to users. All in all this ends up in a pretty complicated mess where for determining whether a user can do / see something you have to evaluate many different sources of permissions and this is done somehow on-demand and based on specific situations.

My question is (from a high level point of view) whether there are some suggestions / common design patterns to deal with permission concept in general and probably also what is your experience with handling them in your architecture.

解决方案

Users and Groups with the ability to test bool UserHasPermission( SOME_PERMISSION ) for an atomic permission associated with a Group is the standard approach for authorization, however things are changing to Claims-based:

http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

http://www.infoq.com/news/2009/10/Guide-Claim-Based-Identity

It however, is not ideal for all situations.

For the old model, I find that performance can be gained by using memoization during permissions checks. That way I'm not going to the database n times per session to check access control. Memoization effectively stores in a cache the result of a call with the same parameters, so all calls by a particular user to check XYZ permission would return the same result. Of course, you'd make sure you stored the memoized permissions for the user in the Session so it's per-user. If you load the permissions at login then you don't need to cache them, but in large systems with many permissions sometimes it's best to get them only when needed.

http://www.infoq.com/news/2007/01/CSharp-memory

这篇关于用于权限处理的模式/设计建议的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！