基于声明的授权 - 如何管理声明

Question

the last few days I have struggled to understand Claims-Based Authorization, and I have a erious problem to apply theoretical knowledge to a real world MVC website. Tutorials like http://www.codeproject.com/Articles/639458/Claims-Based-Authentication-and-Authorization are describing the process of installation and the very basics, but are sparse on how to manage the Claims.

Suppose a simple MVC Website which is used to save pictures of funny reindeers. It is using Thinktecture.IdentityModel, but probably every other Identitymodel would do. Suppose that Authentication is in place and working.

 public class ReindeerController : Controller
    {
        //should be accesible to whole world
        public ActionResult AboutReindeers()
        {}
        //should be accessible to users which are supposed to add Reindeers, e.g. an "Admin" (which is a role, I know)
        public ActionResult AddReindeer()
        {}
        //Only for the Site-owner
        public ActionResult DeleteReindeer()
        {}
        //should be accesible to registred users
        public ActionResult Index()
        {}
    }

So I have a UserClaims Table which stores a User-ID, the type of the claim as URL and the value of the claim. But this is only the technical foundation of claims - I would like to understand if there is a good schema to create claims and to define what claims a user has / needs.

Answer 1

Have a look at this (old) post about claims authorization to get an overview.

Then you find some more details here , there are also many other nice posts at thinktecture.

The WIF API description should help you fill inn the blanks.

Answer 2

I have a UserClaims Table which stores a User-ID, the type of the claim as URL and the value of the claim.

Sounds like a perfectly fine way to store claims. Your approach is correct, and probably what I would do. My advice is not to overthink this problem, you already have a great solution. :)