How can I implement permission-based authorization in ASP.NET?

旧城冷巷雨未停 提交于 2020-01-11 19:55:06

问题


I'm working an a ASP.NET application (not using MVC) and need a User-Role-Permission based authorization scheeme, where pages and/or methods can demand the specific permission they require (instead of which role the user has). Is there a way to extend Forms Authentication (or building something) to solve this?

If possible I would like to be able to use attributes:

[RequirePermission("UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}

Perhaps even for methods:

public class MyClass
{
    ...
    [RequirePermission("UserEdit")]
    public void Save()
    {
        ...
    }
}

Is this possible?

I found this page, that suggested using Roles for permissions:

[Authorize(Roles = "UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}

I am not very fond of this solution, but that would also be a possible way to solve things, but what do I need to do to get it working?


回答1:


Microsoft's authorization model sucks...and it's widely acknowledged http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/).

That said. It's nice to have cross compatibility by fitting into their IPrincipal.IsInRole API (and thus being able to leverage the Authorize attribute)

So...what I do to compromise is have a full permission model in the DB with Users, Roles, and Permissions...but when my code sets the CurrentPrincipal I flatten the User's Roles and Permissions into the Roles collection of the IPrincipal. It's far from ideal...but IMHO it's a decent compromise. Others (Rockford Lhotka) have also taken this approach: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx



来源:https://stackoverflow.com/questions/7258512/how-can-i-implement-permission-based-authorization-in-asp-net

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!