在ASP.NET中,使用什么来管理角色和分配给角色的权限?
我正在开发 ASP.NET Web 应用程序。我有一个众所周知的问题:每个用户可以属于一个或多个角色(管理员、公共用户),每个角色可以拥有一个或多个权限(可以编辑、可以删除、可以上传等),反之亦然。我想做这样的事情: [http://demo .sitefinity.com/Sitefinity/Admin/Modules.aspx?route=GenericControlPanel.PermissionsView`1]。
我找到了这些选项来实现这一点:
- 使用 NetSqlAzMan (但我不确定它是否适用于我们的应用程序,因为我们的用户与应用程序不存储在同一个数据库中,并且我们使用表单身份验证)
- 实现我自己的类,这使我能够执行以下操作:User.HasPermission / AddPermissionToUser / 等。
- 使用 2 个角色提供程序:一个用于管理角色,一种管理权限的方法,知道这些提供者将被“链接”,因为角色和权限之间是 m:n 关系。
- 我现在正在使用自定义角色提供程序,因此另一个选择是添加管理此提供程序权限的方法。
我还想缓存给定用户的角色和权限。我想我自己做这件事需要一些时间,所以你对我有什么建议?
先感谢您
I am working on a ASP.NET web application. I have this well known issue: each user can belong to one or several roles (admin, public users), and each role can have one or several permissions (can edit, can delete, can upload, etc.) and vice versa. I want to do smth like this: [http://demo.sitefinity.com/Sitefinity/Admin/Modules.aspx?route=GenericControlPanel.PermissionsView`1].
I found these options to implement this:
- using NetSqlAzMan (but I am not sure it will work with our application, as our users are not stored in the same db than the application, and as we are using forms authentication)
- implementing my own classes which enable me to do: User.HasPermission / AddPermissionToUser / etc.
- using 2 role providers: one to manage the roles, one to manage permissions, knowing that these providers will be "linked", because of the m:n relationship between roles and permissions.
- I am using right now a custom role provider, so another option would be to add the methods to manage permissions to this provider.
I want also to cache roles and permissions for a given user. I think it will take me some time to do this on my own, so what do you suggest me?
Thank you in advance
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果您找到了一个很好的权限模块打包解决方案,我希望看到它:)
一般来说,内置安全提供程序在“识别”和“授权”部分之后停止。一旦识别并被授权访问应用程序,更具体的页面或功能级别权限将由您自行编码和管理。
您描述的权限级别实际上是一个相当高级的实现级别。它镜像 Windows 中的访问控制列表 (ACL)。虽然看起来相当简单,但实际上编码起来相当困难。一旦开始设计,您就会发现必须实现“拒绝”覆盖权限,必须处理多级组权限合并,然后必须处理“特殊”权限等。然后你会遇到诸如“编辑权限是否也意味着查看,如果他们没有查看但有添加我该怎么办”?
这可能真的是一团糟。
在您以这种复杂程度实施权限之前,我强烈建议您退后一步,看看是否可以稍微扁平化您的权限和角色/组模型。难道你不能让你的角色成为权限吗?例如,可以编辑的人员的角色、可以添加的人员的角色、可以查看的人员的角色等。
在大多数应用程序中,您实际上并不需要像权限系统中的完整 ACL 那样的粒度。
一旦定义了应用程序真正需要的适当权限级别,通常最好滚动一组自定义对象来管理这些权限。我不得不说,我以前从未考虑过使用第二个链接角色提供程序作为权限管理器......这实际上是一个很棒的主意。但我仍然建议不要这样做。角色提供程序并不是为您想要执行的操作而设计的,您可能必须大量扩展和覆盖默认行为,以至于从头开始使用自定义实现会更简单且更易于维护。
If you find a good packaged solution for a permissions module out there, I'd like to see it :)
Generally speaking, the built-in security providers stop after the "identification" and "authorization" part. Once identified, and authorized to access the application, more specific page or function level permissions are up to you to code and manage yourself.
The level of permissions you describe is actually quite an advanced one to implement. It mirrors access control lists (ACLs) in windows. While it seems fairly straight forward, it is actually quite difficult to code. Once you get into designing it you discover that you are having to implement a "deny" override permission, having to handle multi-level group permission merges, and then having to deal with "special" permissions and such. Then you run into the stuff like "does edit permissions imply view too, and what do I do if they don't have view but do have add"?
It can be a real mess.
Before you go implementing permissions at that level of complexity, I'd highly advise you to step back and see if you can flatten your permissions and role/group model a bit. Can you not just get away with having your roles BE the permissions? For example, a role for people who can edit, a role for people who can add, a role for people that can view... etc.
In most applications, you don't really need full ACL like granularity in the permissions system.
Once you've defined the appropriate level of permissions your application really needs, you are usually best off rolling a set of custom objects to manage those permissions. I have to say I've never considered using a second linked role provider as a permissions manager before... that's a kinda brilliant idea actually. But I'd still advise against it. The role provider wasn't designed for what you are trying to do and you'd likely have to extend and override the default behavior so much that it would be simpler and more maintainable just to have used a custom implementation from the ground up.
这是一个结合了身份验证+权限和角色+日志记录和审计的工具
http://visual-guard.com/
身份验证可以是 Windows,在本例中它实现了单点登录在
或用户名/密码组合
2 个控制台可用于管理用户和权限
- 一种更面向开发人员,提供向导来定义权限,无需编码(针对.Net)、部署和版本控制功能。
- 另一种是基于网络、面向非技术用户管理员的,重点关注用户帐户、组并将它们映射到角色。
在某些条件下,权限可以非常细粒度(这种形式对于“医生”角色从早上 8 点到 11 点可见,因为它与只必须在早上服用的药物有关)
它最初只是面向 .Net 的,现在他们支持其他技术,如 Java、Delphi C++,基本上任何能够调用 Web 服务的技术。
Here is a tool that combines authentication + permissions and roles + logging and auditing
http://visual-guard.com/
Authentication can be Windows, in this case it implements single sign-on
or a user name/password combination
2 consoles are available to manage users and permissions
- One is more developer-oriented and provides a wizard to define permission without coding (for .Net), deployment and versioning features.
- The other one is web based, non tech user adminitrators oriented, and focuses on user accounts, groups and mapping them to roles.
Permissions can be extremely fine grained with some kind of conditions (this form is visible to the role "doctors" from 8am to 11 am because it is related to medicines that have to be given only in the morning)
It was originally only .Net oriented, and now they support other technologies like Java, Delphi C++, basically any technology able to call web services.