
ASP.NET Web API role based security

I have created an ASP.NET OData Web API project that uses an Entity Framework database. This is nothing special; many tutorials take this approach. I have secured this API with users and roles so only administrators can actually save something using the Web API.

My next step would be to make some information only accessible for specific roles. If I, for example, had an entity Employee with a Salary property, how would I restrict (read) access to this property to Administrators only?

Edit

I'll try to specify my question. Given the following controller:

using System.Linq;
using System.Web.Http;

public class EmployeeController : ApiController
{
    // Entity Framework context from the question; the context type name is assumed
    private readonly EmployeeContext _Db = new EmployeeContext();

    // Returns the entity itself, so every property (Salary included) is visible to $select, $orderby and $filter
    public IQueryable<Employee> Get()
    {
        return _Db.Employees;
    }
}

Now I'm able to write OData queries against this, e.g. http://api.com/employee?$select=FirstName,LastName,Salary&$orderby=Salary

If I don't want certain people (or roles) to order by salary I can implement an OrderByQueryValidator. But how can I completely hide the Salary property for normal users while still allowing administrators to select it?

So, given the controller above, I want the administrators to be able to execute both of these:

http://api.com/employee?$select=FirstName,LastName,Salary&$orderby=Salary
http://api.com/employee?$select=FirstName,LastName&$orderby=FirstName

while normal users will only be able to execute this:

http://api.com/employee?$select=FirstName,LastName&$orderby=FirstName

and get an error when trying to select the Salary property.

Use a ViewModel approach. Instead of returning the Employee object, create a new class named EmployeeViewModel with the properties you would like to share. I recommend also creating a static method to create a ViewModel from the Model and vice versa.

Creating custom authorization is always an interesting part of projects. The most flexible/cleanest way I have implemented it was with aspects. We used PostSharp, and we simply created a RequirePermission attribute that could be applied to any method. The attribute had a parameter that contained the permission required to execute the method. For example: RequirePermission(Permission="ReadSalary"). You can decide in the attribute what to do when the user doesn't have the required permission: either throw an exception, or simply skip method execution.

You could reach the same behaviour without aspects, but you will probably write more code, and I find it much cleaner when solved with aspects.

A quicker and easier way might be to have different ViewModels for different roles, but I would only advise using something like this if you are sure to keep the number of roles (like admin and user) low. Then you could have an EmployeeSummary and an EmployeeDetails view model, and simply give back the right one based on the current user's role.
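The following is an added example, not code from the question or from either answer, showing how the two suggestions above fit together in a Web API 2 controller: the Employee entity is projected into a role-dependent view model (EmployeeSummary for everyone, EmployeeDetails for administrators), and the RequirePermission idea from the second answer is written as a Web API authorization filter rather than a PostSharp aspect. The Employee and EmployeeContext classes, the role name "Administrator", the ReadSalary to Administrator mapping and the salary route are assumptions made for the example.

```csharp
// Added example, not code from the question or either answer. Employee,
// EmployeeContext, the role name "Administrator", the ReadSalary ->
// Administrator mapping and the /employee/{id}/salary route are assumptions.
using System;
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.OData; // [EnableQuery]; the older System.Web.Http.OData package uses [Queryable]

public class Employee
{
    public int Id { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public decimal Salary { get; set; }
}

public class EmployeeContext : DbContext // assumed EF context
{
    public DbSet<Employee> Employees { get; set; }
}

// View model for everyone. Salary is not a property of this type, so
// $select=Salary, $orderby=Salary and $filter=Salary ... are all rejected
// with 400 Bad Request before any SQL is generated.
public class EmployeeSummary
{
    public int Id { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }

    // Stays an IQueryable so EF translates the projection and the OData query options into one SQL statement
    public static IQueryable<EmployeeSummary> FromModel(IQueryable<Employee> source) =>
        source.Select(e => new EmployeeSummary { Id = e.Id, FirstName = e.FirstName, LastName = e.LastName });
}

// View model for administrators: the summary plus Salary.
public class EmployeeDetails
{
    public int Id { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public decimal Salary { get; set; }

    public static IQueryable<EmployeeDetails> FromModel(IQueryable<Employee> source) =>
        source.Select(e => new EmployeeDetails { Id = e.Id, FirstName = e.FirstName, LastName = e.LastName, Salary = e.Salary });
}

// Hypothetical RequirePermission filter (the second answer's idea) as a Web API
// authorization filter. Unknown permissions map to no role and are denied.
public sealed class RequirePermissionAttribute : AuthorizationFilterAttribute
{
    private readonly string _permission;

    public RequirePermissionAttribute(string permission) { _permission = permission; }

    private static string RoleFor(string permission) => permission == "ReadSalary" ? "Administrator" : null; // assumed mapping

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var user = actionContext.RequestContext.Principal;
        var role = RoleFor(_permission);
        // Role membership comes from the authenticated principal, never from the request.
        // An unauthenticated principal is in no role; [Authorize] on the controller turns that into 401 first.
        if (role == null || user == null || !user.IsInRole(role))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

[Authorize]
public class EmployeeController : ApiController
{
    private readonly EmployeeContext _Db = new EmployeeContext();

    // GET /employee?$select=FirstName,LastName,Salary&$orderby=Salary
    // Administrators query EmployeeDetails; everyone else queries EmployeeSummary and gets an error for Salary.
    [EnableQuery]
    public IHttpActionResult Get()
    {
        if (User.IsInRole("Administrator")) return Ok(EmployeeDetails.FromModel(_Db.Employees));
        return Ok(EmployeeSummary.FromModel(_Db.Employees));
    }

    // GET /employee/5/salary (attribute routing must be enabled with config.MapHttpAttributeRoutes())
    [RequirePermission("ReadSalary")]
    [HttpGet, Route("employee/{id:int}/salary")]
    public IHttpActionResult GetSalary(int id)
    {
        var employee = _Db.Employees.Find(id);
        return employee == null ? (IHttpActionResult)NotFound() : Ok(employee.Salary);
    }
}
```

The reason to change the queried type rather than only adding an OrderByQueryValidator is that a validator guards one query option at a time: with the entity exposed, a normal user who cannot $select Salary can still learn it through $orderby=Salary or $filter=Salary gt 100000. Projecting into a type that has no Salary property closes all three at once, and because the projection is an IQueryable the database never reads the column for those callers.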
