堆栈内存溢出
  简体   繁体   English

需要帮助来保护ASP.NET Web应用程序

[英]Need help to Secure an ASP.NET Web Application

 原文  2010-09-17 14:53:13       c#/ asp.net/ security/ permissions

问题描述

I'm working on a internal web application (only employees can log in) and need some help figuring out a good approach to handling an individual users permissions to the system. 我正在开发一个内部Web应用程序(只有员工可以登录)并需要一些帮助来找出处理单个用户对系统权限的好方法。

The system itself is in C# / ASP.NET (4.0 / Webforms / Forms Authentication) / SQL Server 2008 and has several different areas which will have varying sets of permissions. 系统本身位于C#/ ASP.NET(4.0 / Webforms / Forms Authentication)/ SQL Server 2008中,并且具有几个不同的区域,这些区域具有不同的权限集。 You can think of it in a basic crud scenario (create, view, update, delete) though those would apply to different aspects of the system. 您可以在基本的crud场景(创建,查看,更新,删除)中考虑它,尽管这些场景适用于系统的不同方面。

(I do want to mention this isn't a type of CMS system, so I can't pick an Open Source Project like DotNetNuke or anything. This is being developed from scratch. I can use open source libraries if they are available though.) (我想提一下这不是一种CMS系统,所以我不能选择像DotNetNuke这样的开源项目。这是从零开始开发的。如果它们可用,我可以使用开源库。 )

What would be a good approach to designing the User Permission system for a complex system with probably 5-6 different sections that have a good 10-15 different view/update/deletes contained in each section? 为复杂系统设计用户权限系统的好方法是什么,可能有5-6个不同的部分,每个部分包含10-15个不同的视图/更新/删除?

The goal here is to make it: 这里的目标是:

  1. Understandable for Users (Admins) to use / set up. 用户(管理员)可以理解使用/设置。
  2. Easy to Maintain Code Wise. 易于维护代码明智。
  3. Easy to adapt as new permissions are needed (different types or in different spots). 易于适应,因为需要新的权限(不同类型或不同的位置)。

There are two approaches that come to mind: 有两种方法可以想到:

Approach 1: 方法1:

Try to use the built in ASP.NET Roles system to define the different permissions and manage it from there. 尝试使用内置的ASP.NET Roles系统来定义不同的权限并从那里进行管理。 I could build custom pages to handle the different areas and assign permission sets to users. 我可以构建自定义页面来处理不同的区域并为用户分配权限集。 I believe that would also allow me to use the current session object by default to contain all of the permissions in the system for a user. 我相信这也允许我默认使用当前会话对象来包含系统中用户的所有权限。 (HttpContext.User.IsInRole() etc...). (HttpContext.User.IsInRole()等...)。

Now, while I think that method would work, I'm not sure it's going to be easy to maintain or adapt to future needs. 现在,虽然我认为这种方法可行,但我不确定它是否易于维护或适应未来的需求。 It seems like it'd be the quicker way to get it up off the ground and working but not the best long term. 看起来它是更快速的方式来实现它并且工作但不是最好的长期。

Approach 2: 方法2:

Roll my own. 滚我自己。 In this scenerio, I'd set up database tables to store true/false style permissions for each section of the application. 在这个场景中,我设置了数据库表来存储应用程序每个部分的真/假样式权限。 Then I'd retrieve that information and place it in the session and basically access it anytime I need to check if someone has permissions to do something. 然后,我将检索该信息并将其放入会话中,并在我需要检查某人是否有权执行某些操作时随时访问它。 I'd then build the custom pages to manage the lists, etc.. 然后我会构建自定义页面来管理列表等。

It seems this approach might be the more maintainable long term solution. 看来这种方法可能是更易维护的长期解决方案。 It gives me more power in the set up and how it is handled. 它为我提供了更多的功能以及如何处理它。 However, I'm basically still doing the work that the Roles system abstracts away for me in approach 1. I favor this over approach 1 still however. 但是,我基本上还在做着Roles系统在方法1中为我抽象的工作。不过我赞成这种方法。

In the end, I'm not sure if either approach is the best way to handle this. 最后,我不确定这两种方法是否是处理此问题的最佳方法。 Can anyone help explain to me why either of the above would be good / bad? 任何人都可以帮我解释为什么上述任何一种都是好/坏? Or even to suggest a different alternative as to the "best" way to handle it in general would actually be. 或者甚至建议一个不同的替代方案来处理它的“最佳”方式实际上是。 This is my first major undertaking in this area, so I don't have a great deal of experience in trying to "secure" an application like this by permissions. 这是我在这方面的第一个主要任务,所以我没有太多的经验来尝试通过权限来“保护”这样的应用程序。 Any and all help is appreciated! 任何和所有的帮助表示赞赏!

2 个解决方案

解决方案1
 2 已采纳  2010-09-17 14:59:36

Use the built in approach, unless you've a specific architectural need not to. 使用内置方法,除非您有特定的架构需要。 If you don't use the built in one, you can choose to roll your own provider implementations, but you should follow the same templates as the build in system, as it covers a lot of the security caveats that you should think about. 如果您不使用内置的实现,您可以选择推出自己的提供程序实现,但是您应该遵循与内置系统相同的模板,因为它涵盖了您应该考虑的许多安全警告。

There's even the built in configuration page for quick and dirty user maintenance. 甚至还有内置的配置页面,用于快速和脏的用户维护。

解决方案2
 0  2010-09-17 16:50:51

我会坚持使用内置方法,您可以随时编写自定义RoleProvider以匹配您的用户群所需的角色和权限( 实现RoleProvider

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 当ASP.NET Web应用程序设置Cookie时,它的安全性如何? - How secure are Cookies when set by an ASP.NET web application? 需要帮助在ASP.NET Web窗体中使用jQuery遍历元素 - Need help traversing elements with jQuery in ASP.NET Web Forms 需要有关ASP.NET初学者登录应用程序的帮助 - Need help with ASP.NET beginner login application 安全的Web服务器asp.net - secure web server asp.net 设计安全的Intranet(ASP.NET)应用程序 - designing secure intranet (ASP.NET) application 在asp.net文件夹浏览中需要帮助 - need help in asp.net folder browsing 需要帮助了解ASP.NET中的锁定 - Need help understanding locking in ASP.NET 在treeview asp.net中需要帮助 - Need help in treeview asp.net 我应该如何保护我的 Web 应用程序(ASP.Net Core 3.1 MVC)? - How should i secure my Web Application(ASP.Net Core 3.1 MVC)? 是否可以针对多个身份验证提供程序保护ASP.NET Web API 2应用程序? - Is it possible to secure an ASP.NET Web API 2 application against more than one authentication provider?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM