
Back office and front end separation

We are implementing Identity 2.0 with an admin CMS and a login area for front end users.

Should they be separated by Role alone? So admins have their own roles and front end users have their own roles? Then just redirect after login and authenticate by role depending on if you are in /userarea/ (front end users) and /cms/ (back office)?

On that note, since it's cookie based, do you have to redirect before you can check the signed in user against their roles?

Separation by Role would be the most common way of doing this. That said, these Roles can be assigned with much more granularity than top-level objects (folders) on your site. For example, there could be a /userarea/admins/ with the Admin Role.

There are also security levels assigned to the individual Roles, where the entire path of the object is checked, the highest (or most restrictive) 'level' of security assigned to any part of the path is selected, and the user has to be a member of that Role to be allowed access.

The redirection is redirecting the user to the authentication service, which is often a different system from the ones providing the site's pages. After the user has been authenticated, he or she is provided with a cookie containing a unique identifier that would tell your security proxy server which objects said user had access to.
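The path walk the answer describes (check every ancestor of the requested object, take the most restrictive level, require that Role), as an added example that is not part of the original answer and is written in Python rather than the ASP.NET Identity code the question concerns; the policy table, level numbers and Role names are constructed, and the URL canonicalisation step is added because a prefix check on the raw request string is what attackers probe first.

```python
from posixpath import normpath
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed policy table (an assumption, not from the answer): each protected
# path prefix carries a numeric security level and the Role required at that
# level. A higher number is more restrictive. Anything not listed is public.
PATH_POLICY: Dict[str, Tuple[int, str]] = {
    "/userarea": (1, "User"),
    "/userarea/admins": (2, "Admin"),   # the /userarea/admins/ case from the answer
    "/cms": (2, "Admin"),
}


def normalize(url: str) -> str:
    """Canonicalise a request URL before any prefix comparison.

    Strips query/fragment, collapses '.' and '..' segments and repeated
    slashes, and lowercases (assumes a case-insensitive host such as IIS).
    Comparing prefixes on the raw string instead lets '/cms/../userarea/x'
    or '/CMS/' be classified as something other than what is served.
    """
    path = urlparse(url).path or "/"
    path = normpath("/" + path.lstrip("/"))
    return "/" + path.lstrip("/").lower()


def required_role(url: str) -> Optional[Tuple[int, str]]:
    """Walk every ancestor of the path and return the most restrictive
    (level, role) found, or None if no part of the path is protected."""
    path = normalize(url)
    segments = [s for s in path.split("/") if s]
    strictest: Optional[Tuple[int, str]] = None
    for i in range(1, len(segments) + 1):
        prefix = "/" + "/".join(segments[:i])
        rule = PATH_POLICY.get(prefix)
        if rule and (strictest is None or rule[0] > strictest[0]):
            strictest = rule
    return strictest


def is_authorized(url: str, roles: Set[str]) -> bool:
    """The decision the security proxy makes from the cookie's resolved roles."""
    rule = required_role(url)
    return rule is None or rule[1] in roles


def post_login_redirect(roles: Set[str]) -> str:
    """Send the user to the area their roles allow; the CMS only for Admins."""
    return "/cms/" if "Admin" in roles else "/userarea/"
```

Note that `urlparse` reads a leading `//` as a host, so a real proxy should canonicalise on the path it actually routes, not on a string the client controls end to end.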
