Claims authorization for specific resources
I am writing an example file storage system (example just for stackoverflow).
My current domain models look as such:
public class User
{
public i
-
I am not sure if claims are the right approach for what you are doing. What you really want to represent are permissions. A claim typically represent an identity attribute such as user name, email or roles it belong to, but not permissions. You could represent permissions with claims, but you might need tons of it depending on how big your application is. A typical approach is to map a role to a set of permissions (in your case, add files would be a permission). You can also create a custom Authorization filter deriving from the AuthorizeAttribute to check if the current principal has the right permissions to execute the action. That filter might receive the permissions required to execute the action as arguments.
讨论(0) -
Pablo is right - claims describe identity. You use that identity to come to an authorization decision though. There is a separate abstraction for that called ClaimsAuthorizationManager.
Have a look here: http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/
讨论(0)
加载中...
- 热议问题