简体繁体 English

在.NET中使用NHibernate时如何处理授权

[英]How to handle authorization when using NHibernate in .NET

原文 2008-11-19 23:45:46 0 2 .net/ nhibernate/ authorization

I'm using the repository pattern to query our database using NHibernate. 我正在使用存储库模式使用NHibernate查询我们的数据库。 It makes it really easy to do things like: 这样做很容易：

public T GetById(int id) {...} 公共T GetById（int id）{...}

But that doesn't help much when someone start mucking with the querystrings to see things they aren't allowed to. 但是，当有人开始使用查询字符串来查看不允许他们执行的操作时，这没有太大帮助。

To compound it, some objects are deeply nested children of the parent object which the authorization should be performed on. 更复杂的是，某些对象是父对象的深层嵌套子代，应该对其执行授权。

For instance blog --> author --> post --> comment. 例如博客->作者->帖子->评论。 In this contrived example we'd like to give authors the ability to edit their own posts and comments on those posts, but not see or edit those of other authors. 在这个人为的示例中，我们希望使作者能够编辑自己的帖子和对这些帖子的评论，但不能查看或编辑其他作者的帖子。 It's easy to check the post belongs to the author, it's a little more difficult to make sure the comment belongs to the author. 检查帖子属于作者很容易，要确保评论属于作者要困难一些。 We have some instances that go deeper. 我们有一些实例更深入。

So ... how do we do authorization (in the model or repository)? 那么...我们如何进行授权（在模型或存储库中）？

2 个解决方案

You could implement the Decorator Pattern - I presume you're using an DP/IoC Container to inject your IRepositories? 您可以实现装饰器模式-我想您正在使用DP / IoC容器注入您的IRepository？

You'd create an ISecureRepository that checks the calls made are valid for the specific user/request type, and then passed the call back onto the IRepository. 您将创建一个ISecureRepository，以检查对特定用户/请求类型的调用是否有效，然后将调用传递回IRepository。 This also give you the ability to call the method, and then check the return type... 这也使您能够调用方法，然后检查返回类型...

You'd then setup you're IoC to use an ISecureRepository wrapped around IRepository... 然后，您将设置自己为IoC，以使用环绕IRepository的ISecureRepository ...

Sounds so simple... 听起来很简单...

这可能是满足您需求的良好实现： http : //www.codeproject.com/KB/web-security/objectlevelsecurity.aspx ，它是基于ACL的模型。