[英]How can I ensure that IsInRole checks are not using cached credentials
I have a WPF client that connects to a WCF service, and I want to lock down some of the functionality so that only certain users can perform certain actions.我有一个连接到 WCF 服务的 WPF 客户端,我想锁定一些功能,以便只有某些用户可以执行某些操作。 The WCF service impersonates the client user when executing service methods. WCF 服务在执行服务方法时模拟客户端用户。 The OS is Windows XP.操作系统是 Windows XP。
I was reading this question as part of my investigation into the best way to apply user roles to features in my application (I want to assign users to AD security groups, and then check IsInRole), and am worried that cached permissions will allow users who have had their permissions reduced to access functionality they no longer have permission to.我正在阅读这个问题,作为调查将用户角色应用于我的应用程序功能的最佳方式的一部分(我想将用户分配到 AD 安全组,然后检查 IsInRole),并且担心缓存的权限将允许用户已将他们的权限减少为访问他们不再有权访问的功能。 Conversely, I am also worried that users who have had their permissions upgraded will need to log out of their windows account, or even that the WCF service might have to be restarted (worst case scenario) before they can access the new functionality.相反,我也担心已经升级权限的用户需要注销他们的 windows 帐户,甚至可能需要重新启动 WCF 服务(最坏的情况)才能访问新功能。
What is the simplest way to ensure that both client and server can immediately see changes to the AD security groups?确保客户端和服务器都能立即看到对 AD 安全组的更改的最简单方法是什么?
You can always implement your own membership provider that queries the AD.您始终可以实现自己的查询 AD 的成员资格提供程序。 It's pretty easy and you'll be sure that all permission evaluations are accurate, or at least exactly as you want them to be.这非常简单,您可以确保所有权限评估都是准确的,或者至少完全符合您的要求。
If you find querying the AD server on each evaluation to be "expensive" on performance you can create your own cache on the client which you can force to refresh periodically or on demand.如果您发现在每次评估时查询 AD 服务器的性能“昂贵”,您可以在客户端上创建自己的缓存,您可以强制定期或按需刷新。 This cache can be as simple as an indexed list (like a Dictionary) of permissions that you can query pretty fast.此缓存可以像权限索引列表(如字典)一样简单,您可以快速查询。
Here's a good article on how to interact with AD: http://www.codeproject.com/KB/system/everythingInAD.aspx这是一篇关于如何与 AD 交互的好文章: http://www.codeproject.com/KB/system/everythingInAD.aspx
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.