[英]Which approach should i use database or directory services (AD LDS(ldap)) for role management a windows application (.net)?And Why?
I have a windows service, and want to define two roles (administrator and reader) for all the users whoever tries to access my service. 我有一个Windows服务,并且想为所有尝试访问我的服务的用户定义两个角色(管理员和读者)。 So that whoever is assigned with administrator role can have full control over my system, whereas reader can only do readonly operations.
这样,无论是谁分配了管理员角色,都可以完全控制我的系统,而读者只能执行只读操作。
So, looks like I have two options. 因此,看起来我有两个选择。
Approach using Database 使用数据库的方法
I can simply use database to maintain and their corresponding roles. 我可以简单地使用数据库来维护它们的相应角色。 so, whenever I get a request based on user context, I can validate by querying the db and validate it.
因此,只要我收到基于用户上下文的请求,就可以通过查询数据库进行验证并对其进行验证。
It sounds simple option, but how to make it safe? 听起来很简单,但是如何使其安全呢?
Approach using Directory Services (AD LDS - LDAP) 使用目录服务的方法(AD LDS-LDAP)
Looks like Microsoft defined Active Directory lightweight Directory Service particularly for this purposes. 看起来像Microsoft为此定义的Active Directory轻型目录服务。 I can probably define my own roles and probably add windows security principals to them so that only the AD LDS administrators can manipulate - looks like better approach.
我可能可以定义自己的角色,并可能向他们添加Windows安全性主体,以便只有AD LDS管理员才能进行操作-看起来是更好的方法。
But, I am not sure how to do this programmatically in c# - can any one give me pointers so that I can have a quick start? 但是,我不确定如何在C#中以编程方式执行此操作 -任何人都可以给我指点以便我快速入门吗?
Finally, which option is better/recommended and why? 最后,哪个选项更好/推荐,为什么?
Update: 更新:
Looks like these two User Group and Role Management in .NET with Active Directory , What does "active directory integration" mean in your .NET app? 看起来像是带有Active Directory的.NET中的这两个用户组和角色管理, .NET应用程序中的“活动目录集成”是什么意思? gives me some detail in what I am looking for, and it looks like its probably take some time before I consolidate these to define approach for my app :)
给了我一些我想要的东西的细节,看来我可能需要一些时间才能合并它们以定义应用程序的方法:)
Best Regards! 最好的祝福!
This will get you the SID of the groups 这将使您获得组的SID
You just need to determine the SID of the group you determine to be admin 您只需要确定要确定为管理员的组的SID
System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
Debug.WriteLine(identity.Name);
foreach (System.Security.Principal.IdentityReference ir in identity.Groups) Debug.WriteLine(ir.Value);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.