堆栈内存溢出
  简体   繁体   English

C#基于角色的安全性

[英]C# Role-based security

 原文  2010-11-19 13:34:01       c#/ .net/ security

问题描述

I have a class library which contains my data base access layer, and i use it in all my projects which works with this DB, now i want to integrate security in this library so i can return different data for different security roles. 我有一个包含我的数据库访问层的类库,我在所有与这个数据库一起工作的项目中使用它,现在我想在这个库中集成安全性,这样我就可以为不同的安全角色返回不同的数据。 What is the best way to achieve this with .NET build-in security? 使用.NET内置安全性实现此目的的最佳方法是什么? I was thinking about using System.Security.Permissions.PrincipalPermission but i can't see how it can help me out, because anyone using my library can write client application like this 我正在考虑使用System.Security.Permissions.PrincipalPermission但我看不出它如何帮助我,因为任何使用我的库的人都可以编写像这样的客户端应用程序 

GenericIdentity genericIdentity = new GenericIdentity("User");
GenericPrincipal genericPrincipal = new GenericPrincipal(genericIdentity, new[] { "Administrator" });
Thread.CurrentPrincipal = genericPrincipal;

And they will pass all my principal permission demands 他们将通过我所有的主要许可要求 

PrincipalPermission principalPermission = new PrincipalPermission(null, "Administrator");
principalPermission.Demand();

without even authenticating. 甚至没有验证。 Either i don't understand this security model, or it just doesn't secure anything. 要么我不理解这个安全模型,要么它只是不保护任何东西。

2 个解决方案

解决方案1
 5 已采纳  2010-11-19 13:38:23

Role-based security is intended as a way for library code to consume the client's chosen security model without needing to know the implementation; 基于角色的安全性旨在使库代码能够使用客户端选择的安全模型,而无需了解实现; the key here being that you are already at a point where it is reasonably to trust the client's security model, and you just want to offer appropriate options based on decisions made by the client (for example as part of a login process). 关键在于您已经处于合理地信任客户端安全模型的位置,并且您只是想根据客户端做出的决策提供适当的选项(例如,作为登录过程的一部分)。

If you don't trust the client, all bets are off anyway , as they could just use reflection to rip your internals to shreds. 如果你信任客户端,所有的赌注都关闭, 无论如何 ,因为他们可以只使用反射来撕裂你的内部撕成碎片。 In that scenario, it would be better to keep that implementation code private, for example via a web-service that accepts the user's credentials in some fashion. 在这种情况下,最好将该实现代码保密,例如通过以某种方式接受用户凭据的Web服务。 Then they can only be accounts that they have the credentials for. 然后,他们只能是他们拥有凭据的帐户。

解决方案2
 0  2010-11-19 13:59:28

public class Example
{

  // Will enforce that the user have the administrator role
  [PrincipalPermission(XXXX, Role="Administrator")]
  public void Remove(int userId)
  {
  }

  public void Add(int userId)
  {
     if (!Thread.CurrentPrincipal.IsInRole("User"))
        throw new UnauthorizedAccessException("Only registered users may add users");
  }

}

How the actual principal/identity configuration is setup is up to the user of your library. 如何设置实际的主体/身份配置取决于您的库的用户。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用C#的系统中基于角色的访问控制 - Role-based accesses control in a system using c# 示例.NET C#MVC项目使用实体框架与数据库优先,多领域架构和基于角色的安全性? - Sample .NET C# MVC project using Entity Framework with Database First, Multi-Tie architeture and Role-based security? 使用Identity 2.0的Web froms中基于角色的安全授权 - Role-based Security Authorization in web froms using Identity 2.0 Asp.Net使用Active Directory中的安全组进行基于角色的身份验证 - Asp.Net Role-based authentication using Security groups in Active Directory 有关为丰富的用户界面构建基于角色的安全模块的技巧(使用广泛的Javascript / JQuery)? - Tip on building a role-based security module for rich user interfaces (Using Extensive Javascript/JQuery)? WCF REST服务的基于角色的身份验证 - Role-based authentification for the WCF REST service 基于身份角色的授权不起作用 - Identity Role-based Authorization is not working 对用户的基于角色的访问控制 - Role-Based Access Control to a User 基于角色的基本身份验证失败 - Role-based basic authentication failing 从C#应用程序启动C ++可执行文件并保持基于角色的安全上下文 - Launching a C++ executable from a C# app and keeping role based security context
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM