当前位置: 文江博客 话题详情

您使用哪些身份验证和授权方案 - 为什么?

发布于 2024-07-17 17:16:50 字数 629 浏览 6 评论 0 原文

我们开始设计一大堆要创建的新服务(WCF、ADO.NET 数据服务,可能在某个时候在云中),出现的一个问题是使用哪种身份验证和授权方案 - 有相当多的方案很少!

我们基本上需要能够识别各种协议(HTTP、HTTPS、TCP)上的用户(实际人员和“虚拟”应用程序/服务用户),并且我们需要为他们分配至少一堆角色/权限查看某些数据和/或执行某些操作。

我们绝对不能单独使用 Windows 组成员身份 - 我们的服务有大量外部消费者,我们不希望必须在我们的内部域中为他们中的每个人设置一个域帐户。

所以我认为主要有三个选项:

  1. 使用 ASP.NET 会员系统 - 创建用户并在那里分配角色
  2. 使用 AzMan(授权管理器),这似乎是一个更细粒度、更成熟、更复杂的系统(包含用户、任务、组) - 三个级别,不仅仅是用户+角色)
  3. 我们自己的

首先 - 您会推荐这三个级别中的哪一个? 有什么原因吗?

其次 - 我还缺少更多选择吗?

感谢您的任何提示、指示、意见!

Marc

PS:看到到目前为止的答案,我对投票支持选项#3 的人数量感到惊讶。 我本以为微软能够设计出一些可重复使用的东西来满足所有这些要求......

原文

We're beginning to design a whole bunch of new services to create (WCF, ADO.NET Data Services, possibly in the cloud at some point) and one question that pops up is what authentication and authorization scheme to use - there are quite a few!

We basically need to be able to identify users (actual people, and "virtual" application/service users) on a wide variety of protocols - HTTP, HTTPS, TCP - and we need to assign them at least a bunch of roles / permission to see certain data and/or do certain operations.

We definitely can't use Windows group membership alone - we have plenty of external consumers of our services and we don't want to have to set up a domain account in our internal domain for everyone of them.

So there's mainly three options, I think:

  1. Using the ASP.NET membership system - create users and assign roles there
  2. Use AzMan (Authorization manager) which seems to be a more granular, more mature, more elaborate system (with users, tasks, groups - three levels, not just user + roles)
  3. Roll our own

First of all - which of these three would you recommend? Any why?

Secondly - are there more options that I'm missing?

Thanks for any hints, pointers, opinions!

Marc

PS: seeing the answers so far, I'm amazed at the amount of folks voting for option #3. I would have thought that MS would be able to design something reusable that could handle all of these requirements....

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(8

对你再特殊 2024-07-24 17:16:51

我们使用(3)。 同步

  1. 实际上,这帮助我们在集成环境中使帐户与业务流程
  2. 其他系统(并非全部位于同一技术堆栈(ASP.NET)上)

We use (3). Actually that helped us in an integration scenery to have accounts in sync with

  1. business processes
  2. Other systems (not all on the same technology stack (ASP.NET))
回复 原文
李白 2024-07-24 17:16:51

在最近的一个项目中,我们扩展了 ASP.NET 成员资格提供程序(编写了自定义提供程序),旨在使用一些基于角色的控件来管理权限。 现在该项目已经足够成熟,我们发现控件对于我们的要求来说不够灵活,并且在某种程度上,我们对选择 MS 会员资格感到遗憾。 如果您有时间正确构建自己的身份验证,那么滚动您自己的身份验证将是最好的选择。

听起来您的应用程序有点混合,因为您正在为内部和外部客户提供服务,但也许也考虑集成 OpenID 供您的外部客户使用。 有一些很棒的 ASP.NET OpenID 控件,确实可以轻松地为外部客户处理新帐户。 这当然取决于您的应用程序的“公开”程度。

On a recent project we extended the ASP.NET membership provider (wrote a custom provider) with the intent of using some of the role based controls for managing permissions. Now that the project has matured sufficiently, we're finding that the controls are not flexible enough for our requirements, and to some extent we're regretting going down the MS membership path. Rolling your own authentication if you have the time to architect it correctly is going to be the best option.

It sounds like your app is a bit of a hybrid in that you're serving internal and external customers, but perhaps also give some consideration to integrating OpenID for your external customers. There are some great ASP.NET OpenID controls that really makes handling new accounts for external customers a no brainer. This of course depends on how 'public' your application is.

回复 原文
与君绝 2024-07-24 17:16:51

Ldap 有人吗? 它是免费的、跨平台的、易于使用和远程管理、具有与其他身份验证方案的桥梁,并且绑定了您所知道的更多语言......

Ldap anyone? It's free, cross-plaftorm, easy to use and administer remotely, has bridges to other auth schemes, and bindings in more languages that you knew existed...

回复 原文
掌心的温暖 2024-07-24 17:16:51

AZMan不是2003年的吗?

我会推荐 1 或 3。就我个人而言,我总是选择 3。1 有很多功能我不使用或不关心使用。

Isn't AZMan from 2003?

I would recommend 1 or 3. Personally I've always gone for 3. There's a lot of functionality that 1 has that I don't use or care to use.

回复 原文
悲歌长辞 2024-07-24 17:16:51

我会远离阿兹曼。 我们曾经走过那条路,但不喜欢我们闯入的那片城镇。我们总是使用基于 AD 的登录,使用当前用户的 SID 链接到数据库中的用户,然后获取权限从那里。 鉴于您的设置,这可能是不可能的(或不实际的),但无论如何我都会远离 AzMan。

I would stay away from AzMan. We went down that road once and didn't like the section of town we broke down in. We've always done AD-based logins that use the SID of the current user to link to a user in the database, then taken the permissions from there. Given your setup this may not be possible (or practical), but I'd stay away from AzMan in any event.

回复 原文
怎会甘心 2024-07-24 17:16:51

我不是 ASP 或 .NET 开发人员,但我的直觉是 (3)。 您确实不希望公用网络应用程序以任何形式访问您的公司网络,更不用说能够将身份验证凭据放在 AD 附近的任何地方。

I'm not an ASP or .NET developer, but my gut says (3). You really don't want a public-use web-app to have any sort of access to your corporate network, much less be able to put auth credentials anywhere near AD.

回复 原文
小红帽 2024-07-24 17:16:51

您似乎提供了太多且太可扩展的内容,以至于无法坚持一种技术解决方案

解决方案 3。

我将围绕 User 类构建整个应用程序
您只需对其进行建模,以便它为您提供所需的灵活性和可扩展性,

例如:

    [ClassAttribute ( "Yordan Georgiev", "1.0.2", "20090302", "20090415" , false )]
public class User
{
    #region DomainName
    private string _DomainName;
    public string DomainName
    {
        get { return _DomainName; }
        set { _DomainName = value; }
    } //eof property DomainName 


    #endregion DomainName

    #region Status
    private int _Status;
    public int Status
    {
        get { return _Status; }
        set { _Status = value; }
    } //eof property Status 


    #endregion Status

#region Password
    private string _Password = Resources.GV.Pass; 
    public string Password
    {
        get { return _Password; }
        set {
            _Password = GenApp.Utils.Security.Encryptor.Encrypt ( value,
                GenApp.Conf.GenAppSettings.Instance.EncryptionAlgorithm );
            //debug_Password = value; //unencrypted 
        }
    } //eof property Password 


    #endregion Password 

#region ListUserRoles
        private List<UserRole> _ListUserRoles;
        public List<UserRole> ListUserRoles { get { return _ListUserRoles; } set     { _ListUserRoles = value; } }
        #endregion ListUserRoles


    #region UserSettings
    private GenApp.Conf.UserSettings _UserSettings;
    public GenApp.Conf.UserSettings UserSettings
    {
        get {
            if (_UserSettings == null)
                _UserSettings = (GenApp.Conf.UserSettings)GenApp.Conf.GenAppSettings.Instance;

            return _UserSettings; 
        }
        set { _UserSettings = value; }
    } //eof property UserSettings

}

You seem to provide too much and too extensible to stick to one technological solution

Solution 3.

I would base the whole application around a User class
You would just simply have to model it so that it will provide you with the needed flexibility and extensibility

Something like: 

    [ClassAttribute ( "Yordan Georgiev", "1.0.2", "20090302", "20090415" , false )]
public class User
{
    #region DomainName
    private string _DomainName;
    public string DomainName
    {
        get { return _DomainName; }
        set { _DomainName = value; }
    } //eof property DomainName 


    #endregion DomainName

    #region Status
    private int _Status;
    public int Status
    {
        get { return _Status; }
        set { _Status = value; }
    } //eof property Status 


    #endregion Status

#region Password
    private string _Password = Resources.GV.Pass; 
    public string Password
    {
        get { return _Password; }
        set {
            _Password = GenApp.Utils.Security.Encryptor.Encrypt ( value,
                GenApp.Conf.GenAppSettings.Instance.EncryptionAlgorithm );
            //debug_Password = value; //unencrypted 
        }
    } //eof property Password 


    #endregion Password 

#region ListUserRoles
        private List<UserRole> _ListUserRoles;
        public List<UserRole> ListUserRoles { get { return _ListUserRoles; } set     { _ListUserRoles = value; } }
        #endregion ListUserRoles


    #region UserSettings
    private GenApp.Conf.UserSettings _UserSettings;
    public GenApp.Conf.UserSettings UserSettings
    {
        get {
            if (_UserSettings == null)
                _UserSettings = (GenApp.Conf.UserSettings)GenApp.Conf.GenAppSettings.Instance;

            return _UserSettings; 
        }
        set { _UserSettings = value; }
    } //eof property UserSettings

}

回复 原文
日暮斜阳 2024-07-24 17:16:50

实际上,答案可能是 1 和 3 的组合。

您可以通过编写 会员身份角色个人资料提供商(如果默认选项不存在)并没有完全达到你想要的程度。

我们已经在许多客户端站点上做到了这一点 - 例如,我们的一个客户将其大部分用户存储为 Commerce Server 用户,并使用 Commerce Server 配置文件系统,因此我们编写了一个会员资格和配置文件提供程序来与这些用户交谈数据存储——一个相当简单的练习。

大多数人可能会选择 3,因为需要通过原始 TCP 进行身份验证 - 这引入了标准 ASP.NET 成员资格提供程序之外的一层。

MS 生产的大多数产品都是“不错”或“足够好”,但总会有一些边缘情况,您想做一些“不太标准”的事情,这意味着您最终会推出自己的产品。 我想除了“基本身份验证”或“Windows 身份验证”之外,还有一些对于普通开发人员来说很容易理解的东西,他们采取了明智的选择“让我们为网络构建这个”。

如果您查看了针对 WCF 服务进行身份验证的多种方法,您就会明白我的意思 - 这些方法旨在处理不同的传输机制,因此要复杂得多。

也就是说,默认角色和配置文件提供程序相当有限(角色:没有层次结构,因此您需要检查每个可能的角色,或者显式地将每个角色分配给用户;配置文件:所有内容都作为逗号分隔值存储在一个字段中 - 不是轻松找到所有已设置值的用户)。

Actually, the answer is probably a combination of 1 and 3.

You can take advantage of a lot of the tools and features that the framework provides for you by writing a membership, role or profile provider if the default options don't quite go as far as you'd like.

We've done just that on a number of client sites - for example one of our clients has most of their users stored as Commerce Server users, and use the Commerce Server profile system, so we wrote a membership and profile provider to talk to those datastores - a fairly simple excercise.

Most people are probably going for 3 because of the need to authenticate over raw TCP - this introduces a layer beyond that of the standard ASP.NET membership providers.

Most of what MS produce is "ok" or "good enough", but there will always be edge cases where you want to do something "not quite standard" that mean you end up rolling your own. I guess to have something beyond "Basic Auth" or "Windows Auth" that was simple for your average developer to understand, they took the sensible option of "lets just build this for the web".

If you take a look at the numerous ways you can authenticate against a WCF service, you'll see what I mean - these are designed to handle different transport mechanisms, and are therefore much more complex.

That said, the default roles and profile providers are fairly limited (roles: no hierarchy, so you need to check for each possible role, or explicitly assign each role to the user; profiles: all stored in one field as comma seperated values - not easy to find all users who've got a value set).

回复 原文
~没有更多了~

关于作者

神魇的王

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

游缘惊梦

文章 0 评论 0

小兔几

文章 0 评论 0

Glik

文章 0 评论 0

生生漫

文章 0 评论 0

Luxian

文章 0 评论 0

Champion-Ming

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文