[英]Help me decide whether to use ASP.NET default membership/roles providers or write custom providers
I spent a good part of yesterday reading up on the subject and still feel like I am uncertain which way to go. 昨天我花了大量时间阅读这个主题,但仍然觉得我不知道该走哪条路。 I come from a "roll your own" background when it comes to authentication and authorization. 在身份验证和授权方面,我来自“自己动手”的背景。 We never used Forms authentication, let alone the Membership API. 我们从未使用过Forms身份验证,更不用说Membership API了。 Looking at our old code we would use session variables to capture/control whether a user is logged in etc. With this new project I am about to undertake I want to put us back on track with what we should have done to begin with, which is use the tools provided by the framework. 看看我们的旧代码,我们将使用会话变量来捕获/控制用户是否已登录等。通过这个新项目,我即将承诺,我想让我们回到正轨,我们应该开始做什么,哪个是使用框架提供的工具。
I already have a database schema that I'll be working with, however it's not set in stone; 我已经有了一个我将要使用的数据库模式,但它并不是一成不变的; I am able to make changes to it if necessary. 如有必要,我可以对其进行更改。 In this schema there is already a Users table, utilizing an integer as the primary key. 在此模式中,已有一个Users表,使用整数作为主键。 This table also has other information such as First and Last names. 此表还包含其他信息,如名字和姓氏。 I also have foreign keys based on the UserId to other tables such as Phone and Address. 我还有基于UserId的外键到其他表,如电话和地址。 Below I outline some of the pros/cons that come to mind. 下面我概述一些想到的优点/缺点。
Default Provider 默认提供商
Pros 优点
Cons 缺点
Custom Provider 定制提供商
Pros 优点
Cons 缺点
There might be other things I have not yet considered, being that I never used this before which makes me a little uncomfortable as well. 可能还有其他我还没有考虑过的事情,因为我之前从未使用过这个,这让我有点不舒服。
Thank you. 谢谢。
I recently had to make the same choice and decided to go with creating a custom provider. 我最近不得不做出同样的选择,并决定创建一个自定义提供商。
My biggest reason to do this came down to the default db schema. 我这样做的最大原因归结为默认的db模式。 All of the default db objects are created in the dbo schema and are prefixed with 'aspnet_' or 'vw_aspnet', etc. For me it was a real turnoff. 所有默认的db对象都是在dbo架构中创建的,并以'aspnet_'或'vw_aspnet'等为前缀。对我而言,这是一次真正的岔路。 If you haven't seen them yet, run aspnet_regsql.exe to create them. 如果还没有看到它们,请运行aspnet_regsql.exe来创建它们。
In addition, Steven Sanderson says this in Pro ASP.NET MVC 2 Framework: 此外,Steven Sanderson在Pro ASP.NET MVC 2框架中说这个:
...SqlProfileProvider uses an especially disgusting database schema, in which profile entries are stored as colon-separated name/value pairs, so it's basically impossible to query. ... SqlProfileProvider使用特别恶心的数据库模式,其中配置文件条目存储为冒号分隔的名称/值对,因此基本上无法查询。
Overall, it's worth following the API because of the clear separation of concerns, reuse across projects, and integration with the rest of ASP.NET, but you'll only want to use the built-in SQL storage providers for small or throwaway projects. 总的来说,由于关注点明确分离,项目间重用以及与ASP.NET的其余部分集成,因此值得关注API,但是您只希望将内置SQL存储提供程序用于小型或一次性项目。
I haven't gone through the entire process of creating the custom providers yet (I did do a partial implementation when I was playing with Azure Table storage), but I plan to use these providers over multiple projects in the future, so I feel the effort will be well worth it. 我还没有完成创建自定义提供程序的整个过程(我在使用Azure Table存储时做了部分实现),但我计划将来在多个项目中使用这些提供程序,所以我觉得努力将是值得的。
If you are building a new application I would not hesitate to use the asp.net default provider. 如果您正在构建一个新的应用程序,我会毫不犹豫地使用asp.net默认提供程序。 you can always decide not to use the default controls and programatically create your own. 您始终可以决定不使用默认控件并以编程方式创建自己的控件。 you can also save a lot of time by using any opensource pre created user management tool. 您还可以使用任何开源预先创建的用户管理工具来节省大量时间。 At the same time you can always extend the information contained into the default tables. 同时,您始终可以将包含的信息扩展到默认表中。
Personally, I use the SqlMembershipProvider as a standalone entity while the rest of my database is in Oracle. 就个人而言,我使用SqlMembershipProvider作为独立实体,而我的数据库的其余部分在Oracle中。 I never look at the database, so the names and GUIDs don't bother me (out of sight, out of mind). 我从不看数据库,因此名字和GUID不会打扰我(看不见,不在乎)。 It just works out of the box, which is great! 它只是开箱即用,这太棒了!
In my scenario, I've got a user table in the Oracle database that I insert/delete when membership users are created/deleted (no GUIDs). 在我的场景中,我在Oracle数据库中有一个用户表,我在创建/删除成员资格用户时没有插入/删除(没有GUID)。 I consider the membership database to be the "master" record and the Oracle table to be there basically for referential integrity of supporting tables. 我认为成员资格数据库是“主”记录,而Oracle表基本上是支持表的参照完整性。 It's not really done in an official transaction, but I use try/catch to keep them synchronized well enough. 在官方交易中并没有真正完成,但我使用try / catch来保持它们的同步性。
The Role Provider is really limited and if you want any sort of hierarchical or dynamic roles, you're toasted. 角色提供者是非常有限的,如果你想要任何类型的分层或动态角色,你就会被烘烤。 But it's a separate system completely isolated from membership and you don't have to use it. 但它是一个完全独立于会员资格的独立系统,您不必使用它。
The controls aren't bad. 控制还不错。 A lot of them support templates, so that you can add your own controls to them, and have plenty of events to hook into them. 它们中的很多都支持模板,因此您可以向它们添加自己的控件,并有大量事件可以挂钩。 Don't be afraid to roll your own controls, but give the default controls a chance first. 不要害怕滚动自己的控件,但首先给出默认控件。 The ease of use of the Membership API really facilitate creating those controls. Membership API的易用性确实有助于创建这些控件。
Personally, I'd go with what the framework provides. 就个人而言,我会选择框架提供的内容。 There's no reason to roll your own authentication in this case. 在这种情况下,没有理由推出自己的身份验证。
In the past, you might have wanted to do things on your own, but nowadays there is no reason to. 在过去,你可能想要自己做事,但现在没有理由这样做。
I think if you tried to write this on your own, you'd be re-creating the wheel and it would take way too much time and resources to get it right. 我想如果你试图自己写这个,你就会重新创建轮子,这需要花费太多的时间和资源才能做到正确。 Especially, when dealing with security. 特别是在处理安全问题时。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.