Question
Using Windows Identity Foundation (WIF) in tandem with a Security Token Service (STS), is it possible to create complex claims that could satisfy a question such as:
For a user with a claim to a role "Support", that user:
- Can only view and use resource1
- CANNOT update, create, or delete resource2
- CANNOT create or delete resource3
- Can only use and update resources with a "resource" tag.
It's a necessarily contrived example but is this possible? I'm thinking I want to authorize the authenticated user with basic claims and then add the relevant complex claims in the application (where those claims will be stored in a database and under control of application users).
Thanks, Richard
Answer 1:
You can definitely model it like that - they are just strings - whatever you can do to strings you can do to claims ;)
But it would be definitely an anti-pattern. Claims describe the identity of a user - which might include coarse-grained authorization information. There's a fine line here.
But for your use case you would rather implement your authorization policy in a ClaimsAuthorizationManager and use the identity claims as input to "calculate" your fine-grained authorization decisions.
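One way to implement what this answer describes, as an added example that is not part of the answer or of WIF itself: a ClaimsAuthorizationManager subclass (assuming .NET 4.5's System.Security.Claims) that takes the STS-issued role claim as input and evaluates the question's four rules against an application-owned policy table. The class name, the policy dictionaries and the resource tags are assumptions standing in for the database the question mentions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Identity claims issued by the STS (here the role "Support") are only input; the
// fine-grained rules live in the application. The dictionaries stand in for the
// database the question describes (constructed sample data).
public class AppClaimsAuthorizationManager : ClaimsAuthorizationManager
{
    // role -> resource -> actions that role may perform on it (one reading of the
    // question's list: whatever is not listed as forbidden is allowed).
    private static readonly Dictionary<string, Dictionary<string, HashSet<string>>> Policy =
        new Dictionary<string, Dictionary<string, HashSet<string>>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Support"] = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
            {
                ["resource1"] = new HashSet<string> { "view", "use" },
                ["resource2"] = new HashSet<string> { "view", "use" },          // no update/create/delete
                ["resource3"] = new HashSet<string> { "view", "use", "update" } // no create/delete
            }
        };

    // Tags the application attaches to resources (constructed sample data).
    private static readonly Dictionary<string, string[]> ResourceTags =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["ticket-42"] = new[] { "resource" },
            ["billing"] = new[] { "finance" }
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        string resource = context.Resource[0].Value;
        string action = context.Action[0].Value;

        foreach (Claim roleClaim in context.Principal.FindAll(ClaimTypes.Role))
        {
            if (Policy.TryGetValue(roleClaim.Value, out var byResource)
                && byResource.TryGetValue(resource, out var allowed) && allowed.Contains(action))
                return true;

            // Rule 4: "use" and "update" are allowed on anything tagged "resource".
            if (roleClaim.Value.Equals("Support", StringComparison.OrdinalIgnoreCase)
                && ResourceTags.TryGetValue(resource, out var tags) && Array.IndexOf(tags, "resource") >= 0
                && (action == "use" || action == "update"))
                return true;
        }
        return false; // default deny: nothing in the application policy matched
    }
}
```

Calling `new AppClaimsAuthorizationManager().CheckAccess(new AuthorizationContext(principal, "resource2", "delete"))` for a principal carrying only the role claim "Support" returns false, while `("ticket-42", "update")` returns true via the tag rule. In a WIF-enabled application the manager is registered under `<system.identityModel><identityConfiguration><claimsAuthorizationManager type="..."/>` so that `ClaimsPrincipalPermission.CheckAccess(resource, action)` routes through it.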
Source: https://stackoverflow.com/questions/22317492/is-it-possible-to-model-complex-claims-hierarchical-nested-etc