How to handle authorization with Breeze JS?

Backend | unresolved | 3 answers | 1134 views
情书的邮戳 2021-01-20 04:18

Currently my app looks at the router parameter and the logged-in user (Principal.Identity) to authorize access to certain resources (e.g. add a student to your class [identity + class

3 answers
  • 2021-01-20 04:32

    The proper way to do this IMHO is to separate the endpoint authorization and the database actions authorization.

    First, create an entity that manages the grants per controller/method and role. For each method you have a value (allowed / not allowed) for the specific role. You create a special attribute (subclass of Authorize) that you apply to your controllers (breeze or plain web api) that reads the data and decides whether the specific endpoint can be called for the user/role. Otherwise it throws the Unauthorized exception.

    On the breeze side (client) you extend the default adapter settings with a method that adds the authentication headers from the identity that you received at login, something like this:

    // The breeze ajax adapter instance (jQuery-backed by default); its defaultSettings
    // are merged into every request breeze sends.
    var origAjaxCtor = breeze.config.getAdapterInstance('ajax');

    // Security.getAuthenticationHeaders() is assumed to return a jQuery ajax settings
    // fragment, e.g. { headers: { Authorization: 'Bearer <token>' } }; the deep
    // $.extend adds it to the defaults so queries and saves carry the credentials.
    $.extend(true, origAjaxCtor.defaultSettings, Security.getAuthenticationHeaders());

    On the server, add a second entity that manages the authorization for the CRUD operations. You need a table like (EntityName, AllowInsert, AllowUpdate, AllowDelete). Add a BeforeSave event on the Context Manager or on the ORM (EF or something else) that loops all entities and applies the policy specified on the table above. This way you have a clear separation of the endpoint logic from the backend CRUD logic.

    In all cases the authorization logic should first be implemented server side and if needed should be pushed to the clients.

    The way breeze is implemented and with the above design you should not need more than 1 save endpoint.

    Hope it helps.

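The endpoint half of this design (grants table plus an Authorize subclass) as an added example; this is not code from the answer above, and it assumes ASP.NET Web API 2 (System.Web.Http). The IEndpointGrantStore interface, the InMemoryEndpointGrantStore rows and the Classes/SaveClassRoster names are all hypothetical stand-ins for the (Controller, Action, Role, Allowed) entity the answer describes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;

// Hypothetical store for the (Controller, Action, Role, Allowed) entity.
public interface IEndpointGrantStore
{
    // Roles explicitly granted this controller/action. Empty means nobody may call it.
    IEnumerable<string> RolesGranted(string controller, string action);
}

// Constructed in-memory rows standing in for the database table. Cache the real
// table: this lookup runs on every request.
public sealed class InMemoryEndpointGrantStore : IEndpointGrantStore
{
    private static readonly Dictionary<string, string[]> Grants =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["Classes|SaveClassRoster"] = new[] { "Teacher", "Admin" },
            ["Classes|Students"]        = new[] { "Teacher", "Admin", "Student" },
        };

    public IEnumerable<string> RolesGranted(string controller, string action)
    {
        string[] roles;
        return Grants.TryGetValue(controller + "|" + action, out roles)
            ? roles
            : Enumerable.Empty<string>();
    }
}

// Drop-in replacement for [Authorize]: the decision comes from the grants table
// rather than from role names hard-coded on each action.
public sealed class GrantAuthorizeAttribute : AuthorizeAttribute
{
    // Static for brevity; resolve it from your DI container in a real application.
    private static readonly IEndpointGrantStore Store = new InMemoryEndpointGrantStore();

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        IPrincipal principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;                       // anonymous callers never match a grant

        // ControllerName is the class name without the "Controller" suffix, e.g. "Classes".
        string controller = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
        string action = actionContext.ActionDescriptor.ActionName;

        // Deny by default: one granted role held by the caller is enough.
        return Store.RolesGranted(controller, action).Any(principal.IsInRole);
    }
    // Returning false lets the base class produce the 401 response.
}
```

Put `[GrantAuthorize]` on each `[HttpPost]` save method (and on query actions) in place of `[Authorize]`. An action with no row in the table is unreachable for everyone, which is the safe failure mode. Note that this attribute only decides whether the endpoint may be called; it knows nothing about which entities are inside the save bundle, which is why the answer keeps a second, per-entity CRUD check in the BeforeSave step.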
  • 2021-01-20 04:42

    However, if I'm not wrong, Breeze JS supports just one bulk save.

    That is entirely wrong. You have free reign to create your own save methods. Read the docs, it's all there.

  • 2021-01-20 04:51

    Breeze can have as many 'save' endpoints as you want. For example, a hypothetical server implementation might be

    [BreezeController]
    public class MyController : ApiController {

      [HttpPost]
      [Authorize(...)]
      public SaveResult SaveCustomersAndOrders(JObject saveBundle) {
        // CheckCustomersAndOrders would be a custom method that validates your data
        // before anything is written; it runs for this endpoint only.
        ContextProvider.BeforeSaveEntitiesDelegate = CheckCustomersAndOrders;
        return ContextProvider.SaveChanges(saveBundle);
      }

      [HttpPost]
      [Authorize]
      public SaveResult SaveSuppliersAndProducts(JObject saveBundle) {
         ...
      }
    }

    You would call these endpoints like this

    // A SaveOptions instance can carry the resourceName plus an optional tag that the
    // server-side BeforeSaveEntities delegate can inspect:
    var so = new breeze.SaveOptions({ resourceName: "SaveWithFreight2", tag: "freight update" });

    // Or pass the options inline. resourceName must match the server method name exactly.
    myEntityManager.saveChanges(customerAndOrderEntities, {
      resourceName: "SaveCustomersAndOrders"
    }).then(...)

    or

    myEntityManager.saveChanges(supplierAndProductEntities, {
      resourceName: "SaveSuppliersAndProducts"
    }).then(...)

    Authorization is mediated via the [Authorize] attribute on each of the [HttpPost] methods. You can read more about the [Authorize] attribute here: http://sixgun.wordpress.com/2012/02/29/asp-net-web-api-basic-authentication/

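The BeforeSaveEntities half, as an added example that serves both the first answer's per-entity CRUD table and this answer's `BeforeSaveEntitiesDelegate` wiring; it is not code from either answer or from the Breeze project. It assumes the Breeze.ContextProvider types `EntityInfo`, `EntityState`, `EntityError` and `EntityErrorsException`; the CrudPolicy rows, the role names and the Enrollment/Student type names are constructed stand-ins for the (EntityName, AllowInsert, AllowUpdate, AllowDelete) table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using Breeze.ContextProvider;

// One row of the hypothetical (EntityName, AllowInsert, AllowUpdate, AllowDelete) table.
public sealed class CrudPolicy
{
    public bool AllowInsert { get; set; }
    public bool AllowUpdate { get; set; }
    public bool AllowDelete { get; set; }
}

public static class SavePolicy
{
    // Constructed policy rows keyed by role, then by CLR entity type name.
    // Load (and cache) these from the database in a real application.
    private static readonly Dictionary<string, Dictionary<string, CrudPolicy>> Table =
        new Dictionary<string, Dictionary<string, CrudPolicy>>
        {
            ["Teacher"] = new Dictionary<string, CrudPolicy>
            {
                ["Enrollment"] = new CrudPolicy { AllowInsert = true,  AllowUpdate = true, AllowDelete = true },
                ["Student"]    = new CrudPolicy { AllowInsert = false, AllowUpdate = true, AllowDelete = false },
            },
            // A role with no rows is read-only: every save it attempts is rejected.
            ["Student"] = new Dictionary<string, CrudPolicy>(),
        };

    // Builds a delegate with the shape ContextProvider.BeforeSaveEntitiesDelegate expects,
    // bound to the caller (pass the controller's User property).
    public static Func<Dictionary<Type, List<EntityInfo>>, Dictionary<Type, List<EntityInfo>>> BoundTo(IPrincipal user)
    {
        return saveMap =>
        {
            var errors = new List<EntityError>();
            foreach (var pair in saveMap)
            {
                string typeName = pair.Key.Name;
                foreach (EntityInfo info in pair.Value)
                {
                    if (IsPermitted(user, typeName, info.EntityState)) continue;
                    errors.Add(new EntityError
                    {
                        EntityTypeName = typeName,
                        ErrorName = "NotAuthorized",
                        ErrorMessage = info.EntityState + " on " + typeName + " is not permitted for this user",
                    });
                }
            }
            // Throwing aborts the whole bundle before the ORM sees it; Breeze returns
            // the EntityError list to the client as the save failure.
            if (errors.Count > 0) throw new EntityErrorsException(errors);
            return saveMap;
        };
    }

    public static bool IsPermitted(IPrincipal user, string typeName, EntityState state)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;

        // Deny by default; any role the caller holds that allows the operation is enough.
        return Table.Where(byRole => user.IsInRole(byRole.Key))
                    .Select(byRole => { CrudPolicy p; return byRole.Value.TryGetValue(typeName, out p) ? p : null; })
                    .Any(p => p != null && Allows(p, state));
    }

    private static bool Allows(CrudPolicy p, EntityState state)
    {
        switch (state)
        {
            case EntityState.Added:    return p.AllowInsert;
            case EntityState.Modified: return p.AllowUpdate;
            case EntityState.Deleted:  return p.AllowDelete;
            default:                   return false;   // Unchanged/Detached never belong in a save bundle
        }
    }
}
```

Inside a save endpoint the wiring is `ContextProvider.BeforeSaveEntitiesDelegate = SavePolicy.BoundTo(User); return ContextProvider.SaveChanges(saveBundle);`. Because the delegate sees every entity in the bundle regardless of which endpoint received it, a client cannot bypass the policy by posting a Student delete to an endpoint that was meant for enrollments; the endpoint attribute and this check are independent layers, and both default to deny.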