Asp.net MVC 会员设计
一些背景开始:
我已经实现了一个自定义的 MembershipProvider ,它从名为“WebMemberShipProvider”的服务层验证用户
当前我有一个名为“MembershipService”的服务,该服务在该服务上实现了 IMembershipService 接口层。 此 MemberShipService 查询 dal,并根据用户名/密码验证用户
我还创建了一个名为“AuthorizeOwnerAttribute”的自定义 AuthorizeAttribute,这就是我遇到设计问题的地方。
对于每个控制器,我都依赖于一个服务。例如。 UsersController 在其构造函数中采用 IUserService。
如何在当前登录用户和正在编辑的用户具有相同的“StudioId”的 ActionResult 上调用 AuthorizeAttribute。注意:我想将 AuthorizeAttribute 与多个控制器一起使用,而不仅仅是“UserController”
所以我对你的问题是:
- 我应该做什么来存储 当前经过身份验证的用户的 “StudioId”,因为这将被使用 跨多个控制器。
- 我应该如何将身份验证传递到服务层,因为我想验证请求在服务和数据访问层中是否有效,而不仅仅是在客户端上。 (如果这是可取的,我只是假设如果我想稍后在独立应用程序中重用 BLL 和 DAL,则仅在客户端上进行验证就足够了)
使用的技术: - LINQ to SQL 通过 存储库模式 - ASP.NET MVC Preview 2
任何建议或代码示例都将非常受欢迎。
Some Background to begin:
I've implemented a custom MembershipProvider that validates a user from my service layer called "WebMemberShipProvider"
Currently I have a service called "MembershipService", this service implements the interface IMembershipService on the service layer.
this MemberShipService queries the dal, and validates a user based on username/password
I've also created a custom AuthorizeAttribute named "AuthorizeOwnerAttribute" and this is where I'm having design issues.
For each controller I have a dependency on a Service. eg. UsersController takes a IUserService in it's constructor.
How can I call AuthorizeAttribute on an ActionResult where the current logged in user and the user being edited have the same "StudioId". Note: I want to use AuthorizeAttribute with multiple controllers, not just "UserController"
So my questions to you are:
- What should I do to store the
current authenticated user's
"StudioId", as this will be used
across multiple controllers. - How should I pass authentication down to the service layer, because I want to validate that the requests are valid in the service and data access layers, not just on the client. (If this is advisable, I'm just assuming that validation on the client only is enough if I want to re-use the BLL and DAL later on in a stand-alone application)
Technologies used:
- LINQ to SQL via the
Repository pattern
- ASP.NET MVC Preview 2
Any recommendations or code examples would be very welcomed.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
对于这样的事情,我基本上主要在控制器级别进行安全保护。我决定不将事情传递到链条上太远的地方,以便查明某人是否有权访问它,或者如果我这样做了,我只会确保 IPrincipal.IsInRole() 足以满足它。
现在我做了一些感觉有点黑客的事情。我需要确保注册并分配了该作品的人是唯一能够从该部分访问它的人。
因此,我创建了一个属性过滤器,其工作原理与此类似:
现在,在此实现中感觉有些hacky的是,我在控制器方法上执行了此操作:
实际的参数分配发生在模型绑定程序中。安全性是通过过滤器检查传递给方法的参数来实现的。然后我在很多地方重复使用了这个过滤器。
我用模型绑定器对 Scott Hanselman 的帖子做了类似的操作: http://www.hanselman .com/blog/IPrincipalUserModelBinderInASPNETMVCForEasierTesting.aspx 以便传递用户正在调用的方法。
我想您可以使用上面的示例博客文章,以便将用户对象获取到控制器方法,以便将其传递到服务层。
I basically did my security mostly at the controller level for something like this. I made a decision not to pass things down too far down the chain in order to find out whether or not a person had access to it or if I did I would just make sure IPrincipal.IsInRole() would be enough to satisfy it.
Now I did something else that feels somewhat hackier. I needed to make sure that people that were registered and had this piece assigned to them were the only ones able to access it from this section.
So I created an attribute filter that works much like this:
Now the thing that felt somewhat hacky in this implementation is that I did this on my controller method:
The actual parameter assignments occurred in the model binder. The security happens through the filter which checks the parameters passed to the method. I then reused this filter in a lot of places.
I did something similar with a model binder to a Scott Hanselman post here: http://www.hanselman.com/blog/IPrincipalUserModelBinderInASPNETMVCForEasierTesting.aspx in order to pass what user is calling a method.
I suppose you can use the example blog post above in order to get your user object to your controller method in order to pass it to your service layer.