
MVC 5 custom logic authorization using Windows authentication

I have an MVC 5 project with Windows authentication.

I am using the default WindowsTokenRoleProvider as my role provider and it works for the following situation:

// Verbatim string: "DOMAIN\example_group" would not compile, because \e is not a valid C# escape.
[CustomAuthorization(Roles = @"DOMAIN\example_group")]
public ActionResult Action()...

It works great. The problem starts when I want to use a custom role, for example: "Approver". In order to check who is a real approver, I have to query a special table and use custom logic to decide if the current person is an Approver.

In order to do this, I have overridden the AuthorizeCore of CustomAuthorize and wrote something like this:

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (CheckIfCurrentUserIsAnApprover())
        {
            return true;
        }
        // ... further custom checks ...
        // Otherwise defer to the role provider (Windows groups) as the built-in attribute does.
        return base.AuthorizeCore(httpContext);
    }
}

But what will happen when I add another role, let's say Managers? I will have to add:

if (CheckIfCurrentUserIsManager())
{
    return true;
}

How can I make it more generic?
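One way to make the check generic, added here as an example and not code from the question or the answer: a custom AuthorizeAttribute that keeps a registry mapping custom role names to predicates over the current principal, and hands every other role name to the configured Windows role provider. The role names "Approver" and "Manager", the RoleRegistration class and the in-memory name sets standing in for the poster's special table are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Added example (not the question's code). Assumes an ASP.NET MVC 5 project with
// Windows authentication and the default WindowsTokenRoleProvider.
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Custom role name -> predicate over the current principal. Anything not
    // registered here is treated as a Windows group and handed to the role provider.
    private static readonly Dictionary<string, Func<IPrincipal, bool>> CustomRoles =
        new Dictionary<string, Func<IPrincipal, bool>>(StringComparer.OrdinalIgnoreCase);

    public static void RegisterRole(string roleName, Func<IPrincipal, bool> check)
    {
        if (string.IsNullOrWhiteSpace(roleName)) throw new ArgumentException("roleName");
        if (check == null) throw new ArgumentNullException("check");
        CustomRoles[roleName] = check;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;                          // never authorize anonymous callers

        // Same contract as the built-in attribute: no Roles means "any authenticated user".
        if (string.IsNullOrWhiteSpace(Roles))
            return true;

        // Roles is a comma-separated OR list; one matching role is enough.
        return Roles.Split(',')
                    .Select(r => r.Trim())
                    .Where(r => r.Length > 0)
                    .Any(role => IsInRole(user, role));
    }

    private static bool IsInRole(IPrincipal user, string role)
    {
        Func<IPrincipal, bool> check;
        if (CustomRoles.TryGetValue(role, out check))
            return check(user);      // custom logic, e.g. a lookup in the approver table
        return user.IsInRole(role);  // Windows group, resolved by WindowsTokenRoleProvider
    }
}

// Hypothetical registration, called once from Global.asax Application_Start.
// The HashSets are constructed stand-ins for the poster's database table.
public static class RoleRegistration
{
    private static readonly HashSet<string> Approvers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"DOMAIN\alice" };
    private static readonly HashSet<string> Managers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"DOMAIN\bob" };

    public static void Register()
    {
        CustomAuthorizeAttribute.RegisterRole("Approver", u => Approvers.Contains(u.Identity.Name));
        CustomAuthorizeAttribute.RegisterRole("Manager", u => Managers.Contains(u.Identity.Name));
    }
}

// Usage on an action: "Approver" hits the registry, the domain group hits the role provider.
// [CustomAuthorize(Roles = @"Approver,DOMAIN\example_group")]
// public ActionResult Action() { ... }
```

Adding a new custom role is then one RegisterRole call rather than another branch in AuthorizeCore. Registration happens once at startup, so the static dictionary is only read while requests are being served. The example deliberately ignores the attribute's Users property and keeps the default 401 handling of the base class; the real lookups should be cached or cheap, because AuthorizeCore runs on every request to a decorated action.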

This is a clear-cut case for attribute based access control (ABAC).

ABAC extends role based access control with attributes so that you can make decisions based on things like a user's approval limit.

In ABAC, you get to write access control policies such as:

  • a user with the role==approver can do the action==view on an object of type==transaction if the user.location==object.location.

The language used to write the policies is XACML (eXtensible Access Control Markup Language).

XACML also defines an architecture with the notion of:

  • policy enforcement point: the interceptor in front of your app
  • policy decision point: the engine that reaches decisions

You can read more here: http://developers.axiomatics.com/blog/index/entry/xacml-reference-architecture.html . Axiomatics provides a .NET engine and a .NET PEP.
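To make the policy in the answer concrete, here is an added example that is not from the answer and is not Axiomatics or XACML code: a toy policy decision point in plain C# that evaluates the rule "role==approver, action==view, type==transaction, user.location==object.location" over attribute bags, denying by default. The attribute names, the AccessRequest and Rule types and the sample users and transactions are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;

// Added example (toy PDP, not XACML). Assumed attribute names: "role" and
// "location" on the subject, "type" and "location" on the resource.
public sealed class AccessRequest
{
    public readonly IDictionary<string, string> Subject = new Dictionary<string, string>();
    public readonly IDictionary<string, string> Resource = new Dictionary<string, string>();
    public string Action;
}

public sealed class Rule
{
    public string Name;
    public Func<AccessRequest, bool> Condition;   // true => this rule permits the request
}

public static class PolicyDecisionPoint
{
    // A missing attribute yields null, and null never equals anything below,
    // so a request without a location cannot accidentally satisfy the rule.
    public static string Attr(IDictionary<string, string> bag, string name)
    {
        string value;
        return bag.TryGetValue(name, out value) ? value : null;
    }

    public static bool SameValue(string a, string b)
    {
        return a != null && b != null && string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
    }

    // Deny by default: permit only if some rule's condition holds.
    public static bool Permit(IEnumerable<Rule> policy, AccessRequest req)
    {
        foreach (var rule in policy)
            if (rule.Condition(req)) return true;
        return false;
    }
}

public static class Demo
{
    // The answer's rule, written as one condition over the request's attributes.
    public static readonly Rule[] Policy =
    {
        new Rule
        {
            Name = "approver-views-transactions-at-own-location",
            Condition = r =>
                PolicyDecisionPoint.SameValue(PolicyDecisionPoint.Attr(r.Subject, "role"), "approver") &&
                PolicyDecisionPoint.SameValue(r.Action, "view") &&
                PolicyDecisionPoint.SameValue(PolicyDecisionPoint.Attr(r.Resource, "type"), "transaction") &&
                PolicyDecisionPoint.SameValue(PolicyDecisionPoint.Attr(r.Subject, "location"),
                                              PolicyDecisionPoint.Attr(r.Resource, "location"))
        }
    };

    // Constructed requests; userLocation == null models a user record without a location.
    static AccessRequest Build(string role, string userLocation, string action, string type, string resLocation)
    {
        var req = new AccessRequest { Action = action };
        req.Subject["role"] = role;
        if (userLocation != null) req.Subject["location"] = userLocation;
        req.Resource["type"] = type;
        req.Resource["location"] = resLocation;
        return req;
    }

    public static void Main()
    {
        Console.WriteLine(PolicyDecisionPoint.Permit(Policy, Build("approver", "Paris", "view", "transaction", "Paris")));  // True
        Console.WriteLine(PolicyDecisionPoint.Permit(Policy, Build("approver", "Paris", "view", "transaction", "Berlin"))); // False: other location
        Console.WriteLine(PolicyDecisionPoint.Permit(Policy, Build("manager", "Paris", "view", "transaction", "Paris")));   // False: no rule for managers
        Console.WriteLine(PolicyDecisionPoint.Permit(Policy, Build("approver", "Paris", "edit", "transaction", "Paris")));  // False: only view is covered
        Console.WriteLine(PolicyDecisionPoint.Permit(Policy, Build("approver", null, "view", "transaction", "Paris")));     // False: missing attribute
    }
}
```

In the MVC project the policy enforcement point would be an AuthorizeAttribute whose AuthorizeCore builds an AccessRequest from httpContext.User, the route data and the resource being accessed, then calls Permit; adding a Managers rule means adding a Rule to the policy, not another branch in the attribute. Keeping the decision deny-by-default and treating absent attributes as non-matching is what keeps a half-populated user record from granting access.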
