MVC 5 custom logic authorization using windows authentication
I have an MVC 5 project with Windows authentication.
I am using the default WindowsTokenRoleProvider as my role provider and it works for the following situation:
    [CustomAuthorization(Roles = @"DOMAIN\example_group")]
    public ActionResult Action()...
It works great. The problem starts when I want to use custom role, for example: "Approver". In order to check who is a real approver, I have to query a special table and use custom logic to decide if the current person is an Approver.
In order to do this, I have overridden the AuthorizeCore of CustomAuthorize, and wrote something like this:
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (CheckIfCurrentUserIsAnApprover())
        {
            return true;
        }
        ...........
    }
But what will happen when I add another role, let's say Managers? I will have to add:
    if (CheckIfCurrentUserIsManager())
    {
        return true;
    }
How can I make it more generic?
This is a clear-cut case for attribute based access control (ABAC).
ABAC extends role based access control with attributes so that you can make decisions based on things like a user's approval limit.
In ABAC, you get to write access control policies such as:
The language used to write the policies is XACML (extensible access control markup language).
XACML also defines an architecture with the notion of:
You can read more here: http://developers.axiomatics.com/blog/index/entry/xacml-reference-architecture.html. Axiomatics provides a .NET engine and a .NET PEP.
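One way to make the check generic without a full XACML engine, shown as an added example that is not part of the original question or answer and is not Axiomatics code: a registry maps each custom role name to a check, and any unregistered name falls through to the configured role provider (Windows groups). `CustomRolePolicies` and the checks registered in it are hypothetical names; the attribute is assumed to live in an MVC 5 project.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public static class CustomRolePolicies
{
    // Hypothetical registry. Fill it once at startup (e.g. Application_Start);
    // Dictionary is only safe for concurrent reads, not for later writes.
    private static readonly Dictionary<string, Func<IPrincipal, bool>> Checks =
        new Dictionary<string, Func<IPrincipal, bool>>(StringComparer.OrdinalIgnoreCase);

    public static void Register(string role, Func<IPrincipal, bool> check)
    {
        Checks[role] = check;
    }

    public static bool IsSatisfied(string role, IPrincipal user)
    {
        Func<IPrincipal, bool> check;
        // Registered custom role: run its check. Anything else is treated as a
        // role-provider role, so DOMAIN\group names keep working unchanged.
        return Checks.TryGetValue(role, out check) ? check(user) : user.IsInRole(role);
    }
}

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Note: the Users property of AuthorizeAttribute is not evaluated here.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // fail closed for anonymous requests

        string[] roles = (Roles ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        // No roles listed: any authenticated user passes, as with the stock attribute.
        return roles.Length == 0 || roles.Any(r => CustomRolePolicies.IsSatisfied(r, user));
    }
}
```

Each custom role is registered once, for example `CustomRolePolicies.Register("Approver", u => approvers.IsApprover(u.Identity.Name))`, where `approvers` stands for the table lookup (hypothetical). A registered name shadows a Windows group of the same name, so keep custom role names distinct from group names.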