Where should we put ACL in our application?
We have an existing ASP.NET MVC application with the following structure (simplified):
It's currently using a Role Provider model, but we've been asked to provide row level permissions and functionality. From the reading I've done, this tends to be called ACL - Access Control Lists, as it moves away from the role provider model - a user may have different functionality for each instance of an entity.
As I see it there are two parts to the requirement - the ability for a user to retrieve an entity subset based on the access granted, and then the functionality that they are able to carry out on the accessed entity.
The data access probably needs to be done as close to the data layer as possible - it would be more secure and have less impact on performance. I guess though that we don't want to check the level of functionality a user has at this point. Should we do this in the BL layer or within the controller actions, similar to the way we currently decorate action methods with roles?
Is there an existing framework or product that would help with this? We're looking at Azman and SQLAzman - are there any others, for a SQL Server / Entity Framework stack?
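A sketch of the two parts described above, as an added example rather than code from the question or from any framework it names: one ACL row per (user, entity) pair, a data-layer filter that composes with an EF-style IQueryable so only readable rows come back, and a per-entity rights check for the business layer or an action filter. The AclEntry, Document and AclService names and the in-memory LINQ data are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

[Flags] public enum AclRights { Read = 1, Edit = 2, Delete = 4 }
// One ACL row per (user, entity) pair; in the real app this would be an EF entity.
public class AclEntry { public int UserId { get; set; } public string EntityType { get; set; }
                        public int EntityId { get; set; } public AclRights Rights { get; set; } }
public class Document { public int Id { get; set; } public string Title { get; set; } }

public class AclService
{
    private readonly IQueryable<AclEntry> _acl;
    public AclService(IQueryable<AclEntry> acl) { _acl = acl; }

    // Part 1: restrict the entity set at the data layer. Both sides are IQueryable, so an
    // EF provider can fold the ACL lookup into the SQL instead of filtering in memory.
    public IQueryable<Document> ReadableDocuments(IQueryable<Document> docs, int userId)
    {
        var readableIds = _acl.Where(a => a.UserId == userId && a.EntityType == "Document"
                                       && (a.Rights & AclRights.Read) == AclRights.Read)
                              .Select(a => a.EntityId);
        return docs.Where(d => readableIds.Contains(d.Id));
    }

    // Part 2: per-entity functionality check, run before an operation on one retrieved entity.
    public bool HasRight(int userId, string entityType, int entityId, AclRights required)
    {
        var entry = _acl.FirstOrDefault(a => a.UserId == userId
                                          && a.EntityType == entityType && a.EntityId == entityId);
        return entry != null && (entry.Rights & required) == required;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: user 1 may read and edit 10, only read 11, has no row for 12.
        var acl = new List<AclEntry> {
            new AclEntry { UserId = 1, EntityType = "Document", EntityId = 10, Rights = AclRights.Read | AclRights.Edit },
            new AclEntry { UserId = 1, EntityType = "Document", EntityId = 11, Rights = AclRights.Read } }.AsQueryable();
        var docs = new List<Document> { new Document { Id = 10, Title = "Plan" },
            new Document { Id = 11, Title = "Budget" }, new Document { Id = 12, Title = "Payroll" } }.AsQueryable();
        var svc = new AclService(acl);
        foreach (var d in svc.ReadableDocuments(docs, 1)) Console.WriteLine(d.Title);
        Console.WriteLine(svc.HasRight(1, "Document", 11, AclRights.Edit));
    }
}
```

Whether the bitwise flag comparison translates to SQL depends on the EF provider and version, so a production table may be safer with one boolean column per right. Keep the Part 1 filter inside the repository so that no controller can obtain an unfiltered IQueryable.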
You probably want to look into Spring ACL. I've not used it, but it looks like it provides the level of scrutiny you need.
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/domain-acls.html
http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html