How to handle application security? Use ActionFilterAttribute and/or SiteMap authorization..?
I created the following ActionFilterAttribute to check if a user is granted access to a page. I also created two custom Exceptions to handle different scenarios: NotLoggedInException and InsufficientPrivilegeException.
ActionFilterAttribute
Public Class ValidateAuthentication : Inherits ActionFilterAttribute
    Private _page As BLL.Page

    Public Sub New(ByVal Page As BLL.Page)
        Me._page = Page
    End Sub

    Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
        ' IsAccessibleToUser returns -1 (not logged in), 0 (no privilege) or 1 (granted)
        Select Case Me._page.IsAccessibleToUser(filterContext.HttpContext.User)
            Case -1
                Throw New NotLoggedInException()
            Case 0
                Throw New InsufficientPrivilegeException()
            Case 1
                ' access granted
        End Select
    End Sub
End Class
I also have a custom SiteMapProvider where I implemented my own IsAccessibleToUser() function. So I also have securityTrimming.
SiteMapProvider
Public Overrides Function IsAccessibleToUser(ByVal context As System.Web.HttpContext, ByVal node As System.Web.SiteMapNode) As Boolean
    Dim p As New BLL.Page
    p.LoadFromSiteMapNode(node)
    Select Case p.IsAccessibleToUser(context.User)
        Case 1
            Return True
        Case Else
            Return False
    End Select
End Function
The questions:
- Where do I catch the exceptions to, for instance, redirect users if not authorized?
- Should I perhaps use the SiteMap authorization somewhere else instead of using the ActionFilterAttribute and throwing Exceptions..?
Note: as you can see, I'm using a custom class for BLL.Page. This is an ORM page which has role-based security stored in the database. The SiteMap is also populated based on this data.
Answers (1)

Do not reinvent AuthorizeAttribute. Your version won't handle cached actions; the built-in AuthorizeAttribute will. If you need to customize your authentication, then customize the membership provider or subtype AuthorizeAttribute, rather than reinventing MVC security.
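The following is an added example, not code from the question or the answer, showing what the answer's "subtype AuthorizeAttribute" looks like while keeping the question's -1/0/1 contract of BLL.Page.IsAccessibleToUser. It also answers the question's "where do I redirect": the base class calls HandleUnauthorizedRequest when AuthorizeCore returns False, so the redirect-versus-403 decision lives there instead of in thrown exceptions. Assumptions: ASP.NET MVC 3 or later (for HttpStatusCodeResult), an assumed loader BLL.Page.FindByKey(key) (the question only shows LoadFromSiteMapNode), and the page key "Reports" and ReportsController, which are made up for the usage.

```vbnet
Imports System.Web
Imports System.Web.Mvc

' Added example (not from the question or the answer). Subtypes the built-in
' AuthorizeAttribute rather than ActionFilterAttribute. OnAuthorization is
' deliberately NOT overridden, so the base class still registers its
' output-cache validation callback; that is the "cached actions" handling
' the answer refers to, and a plain ActionFilterAttribute does not get it.
Public Class PageAuthorizeAttribute
    Inherits AuthorizeAttribute

    Private Const ResultKey As String = "PageAuthorizeAttribute.Result"
    Private ReadOnly _pageKey As String

    ' Attribute arguments must be compile-time constants, so the page is
    ' identified by a key and loaded per request, not passed in as an object.
    Public Sub New(pageKey As String)
        _pageKey = pageKey
    End Sub

    Protected Overrides Function AuthorizeCore(httpContext As HttpContextBase) As Boolean
        Dim page As BLL.Page = BLL.Page.FindByKey(_pageKey) ' assumed loader, see lead-in
        Dim result As Integer = page.IsAccessibleToUser(httpContext.User)

        ' MVC caches filter attribute instances across requests, so per-request
        ' state goes in HttpContext.Items, never in an instance field.
        httpContext.Items(ResultKey) = result
        Return result = 1
    End Function

    ' Runs only when AuthorizeCore returned False: distinguish "log in first"
    ' from "logged in but not permitted" without throwing exceptions.
    Protected Overrides Sub HandleUnauthorizedRequest(filterContext As AuthorizationContext)
        Dim items = filterContext.HttpContext.Items
        Dim result As Integer = If(items.Contains(ResultKey), CInt(items(ResultKey)), 0)

        If result = -1 OrElse Not filterContext.HttpContext.User.Identity.IsAuthenticated Then
            ' 401: forms authentication turns this into a redirect to the login page.
            MyBase.HandleUnauthorizedRequest(filterContext)
        Else
            ' 403: the user is known but lacks the role; a login redirect would only loop.
            filterContext.Result = New HttpStatusCodeResult(403)
        End If
    End Sub
End Class

' Usage on a controller action; "Reports" is a made-up key for the page row.
Public Class ReportsController
    Inherits Controller

    <PageAuthorize("Reports")> _
    Public Function Index() As ActionResult
        Return View()
    End Function
End Class
```

Because the attribute decides 401 versus 403 from the same -1/0/1 value the SiteMapProvider already uses, the menu (security trimming) and the action (authorization) cannot drift apart: a page hidden from the menu is also refused when requested directly, which is the property to verify when testing this.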