
Authentication and authorisation in an n-tiered architecture

I need to be able to tighten my business layer - access to particular data. The UI can make a call to the business layer and receive a userdetail. The UI can then call .Save() on a user and the business layer will call the data access layer to save the user.

Although, the problem here is that I don't just want any user to be able to receive a userdetail and call save - only authenticated users with the role of "admin". How would I go about this authentication/authorisation in my business layer/UI so I can achieve this?

I am using ASP.NET for my UI, and I've read into membership/role providers, but this just seems to be for the actual UI. I need to secure it at my business layer because in the future there could be a couple of different UIs, e.g. Windows Forms and ASP.NET.

Thoughts and suggestions are appreciated.

Thanks.

Another approach you might want to research (if developing in .NET 3.5 / 4.0) is using Windows Identity Foundation.

If you are interested in keeping your authorization logic outside your web site (which I assume you would if you are expecting to use your business layer from more than 1 front-end) I would definitely recommend taking a look at WIF. You can also integrate with Active Directory using ADFS v2.0 (which is a server role in Windows Server 2008 R2).

Patterns & Practices has released a guide which can be quite useful for digging into the subject.

The ASP.NET Role / Membership providers include storage and code level components you can re-use - they aren't just the UI.

For fine-grained access control (for example to specific functionality on a page) you can use the Enterprise Libraries. You'll be able to re-use code to protect functionality both at the BL layer and in the UI layer.

The link you most want is this one: Determining Whether a User Is Authorized to Perform a Task

Also see:

During earlier releases of the EntLibs, the Authorization Manager was a key component, but in more recent versions it's not a firm requirement; instead you can use an AuthorizationRuleProvider. See: Developing Applications Using Windows Authorization Manager.

Filtering data is a bit more problematic depending on the complexity of your data, the amount of it and performance needs.

  • One strategy is to have a simple DAL that returns everything, and prune out data the current user isn't allowed to see in the BL.
  • Design a DAL that has some knowledge of the roles your application uses: DAL.GetCustomersForAdmin() and DAL.GetCustomersForMember(). But this is a bit dangerous as you'll be tied to using those roles.
  • Have a database / DAL that is security aware, and always returns only the data the user is permitted to see, via the same methods: DAL.GetCustomers().
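As an added illustration of the answer above (example code, not from the original post or from the Enterprise Library), the following C# sketch puts the "admin" role check in the business layer rather than the UI and pairs it with a security-aware DAL in the style of the third strategy. The UserDetail, UserRepository and UserService types and the two sample rows are hypothetical; the only thing the business layer trusts is the IPrincipal on Thread.CurrentPrincipal, which ASP.NET (through the role provider) or a Windows Forms login is assumed to have set after authenticating the user.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.Threading;

// Hypothetical domain type for this example.
public class UserDetail { public string Name; public string Department; }

// Security-aware DAL (the third strategy above): it only returns the rows the
// calling principal may see, so every front-end gets the same rule.
public class UserRepository
{
    // Constructed sample rows standing in for a database table.
    private static readonly List<UserDetail> Table = new List<UserDetail>
    {
        new UserDetail { Name = "alice", Department = "Sales" },
        new UserDetail { Name = "bob",   Department = "IT" },
    };

    public IEnumerable<UserDetail> GetUsers(IPrincipal caller) =>
        caller.IsInRole("admin") ? Table : Table.Where(u => u.Name == caller.Identity.Name);

    public void Save(UserDetail user) { /* persist to the store */ }
}

// Business layer: the check lives here, not in the UI. ASP.NET (via the role
// provider) or a WinForms login sets Thread.CurrentPrincipal; the business layer
// trusts only that principal, never the UI's own checks.
public class UserService
{
    private readonly UserRepository repo = new UserRepository();

    private static IPrincipal Caller()
    {
        var p = Thread.CurrentPrincipal;
        if (p == null || !p.Identity.IsAuthenticated)
            throw new SecurityException("caller is not authenticated");
        return p;
    }

    public IEnumerable<UserDetail> GetUsers() => repo.GetUsers(Caller());

    public void Save(UserDetail user)
    {
        if (!Caller().IsInRole("admin"))   // deny unless the role is present
            throw new SecurityException("admin role required to save users");
        repo.Save(user);
    }
}
```

With a GenericPrincipal carrying only the "member" role, GetUsers returns just the caller's own row and Save throws SecurityException; with an "admin" principal both rows come back and Save succeeds, whichever front-end made the call.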
