服务层中的授权和用户信息(.NET应用程序)
[英]Authorization & User info in a Service Layer (.NET application)
问题描述
I am currently working with an enterprise application in a .NET environment (n-layered) and I would like to know the best way to manage authentication / authorization + data filtering in my BussinessLayer (BL). 
我目前正在.NET环境中使用企业应用程序(n-layered),我想知道在BussinessLayer(BL)中管理身份验证/授权+数据过滤的最佳方法。 We will use that BL from several interfaces (ASP.NET applications and WebServices) and I think that my ServiceLayer should do the job but I just can't find the best way. 我们将使用来自多个接口(ASP.NET应用程序和Web服务)的BL,我认为我的ServiceLayer应该完成这项工作,但我找不到最好的方法。
I suppose it could be something like this: (1) User gets authenticated (ASP.NET web client), perhaps using FormsAuthentication. 我想它可能是这样的:(1)用户可能使用FormsAuthentication进行身份验证(ASP.NET Web客户端)。 (2) ASP .NET code (Controller / CodeBehind) instanciate a Service to get some user case done, passing somehow the 'User'. (2)ASP .NET代码(Controller / CodeBehind)实现一个服务来完成一些用户案例,以某种方式传递'用户'。 (3) Service method checks if 'User' exists (authentication) and his roles (authorization) to verify that he can call that method. (3)服务方法检查“用户”是否存在(认证)和他的角色(授权)以验证他是否可以调用该方法。 If not authenticated or authorized an exception is thrown. 如果未经过身份验证或授权,则抛出异常。 (4) Service uses repositories + other services + whatever it needs to get the job done. (4)服务使用存储库+其他服务+完成工作所需的任何服务。 If some kind of fine-grain filtering is required (for example the User only has permissions over some projects) the service applies it automatically. 如果需要某种细粒度过滤(例如,用户仅对某些项目具有权限),则服务会自动应用它。
What I want is to get a ServiceLayer isolated from 'the web stuff' (not accesing session...) but who knows the User calling its methods to act correctly. 我想要的是将ServiceLayer与'web stuff'隔离(不访问会话...),但是谁知道User调用其方法才能正常运行。 Also I don't know how to match that work with ASP .NET authentication in a good manner... I am thinking in suministrating the 'User' in the Service ctor, so that its methods have the 'context' they need, could that work?... I would appreciate some indications or existing code snippets on that. 此外,我不知道如何以良好的方式将该工作与ASP .NET身份验证相匹配......我正在考虑将服务ctor中的“用户”总结,以便其方法具有所需的“上下文”,可以那工作?...我会感谢一些迹象或现有的代码片段。
Thank you for your help... 谢谢您的帮助...
2 个解决方案
解决方案1
12 已采纳 2010-01-18 11:26:42
First of all, Authentication and Authorization are two separate things. 首先,身份验证和授权是两个独立的事情。 Your question implies that you already know this, but I just wanted to be explicit about it. 你的问题意味着你已经知道这一点,但我只是想明确一下。
Authentication should happen at the application boundary (eg Forms Authentication in a web application). 身份验证应该在应用程序边界发生(例如,Web应用程序中的表单身份验证)。
The default approach is that the Authentication module sets Thread.CurrentPrincipal upon successful authentication. 默认方法是Authentication模块在成功验证后设置Thread.CurrentPrincipal 。
In general, IPrincipal is the standard basis for modeling user context in .NET. 通常, IPrincipal是在.NET中建模用户上下文的标准基础。 For example, HttpContext.User is an IPrincipal. 例如, HttpContext.User是一个IPrincipal。
In your Domain Model and Data Access modules, you can use Thread.CurrentPrincipal to implement Authorization logic. 在您的域模型和数据访问模块中,您可以使用Thread.CurrentPrincipal来实现授权逻辑。 This allows you to vary Authentication and Authorization independently of each other. 这允许您彼此独立地更改身份验证和授权。
解决方案2
2 2010-01-18 11:26:24
For me, I think it is both simpler, and more extensible if you let the client layers (your website/services) do the authentication and leave the BL to contain just the business logic. 对我来说,如果你让客户层(你的网站/服务)进行身份验证并让BL只包含业务逻辑,我认为它既简单又可扩展。
If you need a reference to the current user in the BL, you could consider an interface to 'wrap' some of the user identity information and this could be passed from the various UI layers. 如果您需要在BL中引用当前用户,您可以考虑使用“包装”某些用户身份信息的接口,这可以从各个UI层传递。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.