使用 Windows 原则/角色以编程方式控制对控件/表单的访问 - C#
所讨论的应用程序相当广泛,具有许多不同类型的访问角色(阅读客户服务、人力资源、管理员等)。分层访问权限,因此每个角色都会继承其下级的访问权限,因此 HR 具有只读权限,CS 具有编辑能力,管理员具有完全控制权。菜单栏和按钮启用/可见属性由外部库控制,该外部库通过反射处理所有基于角色的访问。写这篇文章的人是一个邪恶的天才。
话虽这么说,我最终还是想删除它。关于它如何工作的知识库在几年前就留给了他,并且由于安全“套件”的文档很糟糕,因此该应用程序的开发开始停滞不前。一切都存储在数据库中,甚至每个标签的标签可见性。这有点过分了,而且不利于重构。
我花了很多时间研究 Windows 窗体安全性。我们正在为此应用程序运行我们自己的用户/角色,而不是 Active Directory。我想使用用户/主体,因为这看起来是最好的选择。如果还有其他选择,我愿意接受建议,我希望看到以正确的方式完成此操作,因为我们正在考虑完全重写(与此无关)。
我通过 MSDN 和其他网站进行的所有搜索使我相信我只能通过基于角色的方法和类来控制流程,而不是像“启用此按钮”或“隐藏此菜单栏”那样精细。
有没有比做以下事情更好的方法:
btnA.Visible = Thread.CurrentPrincipal.IsInRole("HR");
btnA.Enabled = Thread.CurrentPrincipal.IsInRole("CS") ||
Thread.CurrentPrincipal.IsInRole("ADMIN");
一般来说有更好的方法吗?处理这个问题的最佳方法是什么?
The application in question is a fairly extensive with many different types of access roles (read Customer Service, HR, Admins, etc etc). Tiered access, so each role inherits the access below it, so HR has Read Only, CS has edit abilities, Admins full control. Menu bars and buttons enable/visible attributes are controlled by an outside an outside library that handles all role-based access via reflection. The man who wrote this was an evil genius.
That being said, I'd like eventually to remove it. The knowledge base on how it works left with him years ago, and development on this application is starting to stagnate since the documentation on the security 'suite' is awful. Everything is stored within a database, down to label visibility for each label. It's a bit overboard and not refactor-friendly.
I've spent a solid amount of time looking into windows forms security. We're running our own user/roles for this app rather than Active Directory. I'd like to use User/Principal, since that looks like the best option. If there's another option, I'm open to advice, I'd like to see this done the right way since we're considering a full rewrite (unrelated to this).
All the searching I've done through MSDN and other websites has led me to believe that I can only control flow through methods and classes based on roles, not as granular as "enable this button" or "hide this menu bar."
Is there a better way than doing something along the lines of:
btnA.Visible = Thread.CurrentPrincipal.IsInRole("HR");
btnA.Enabled = Thread.CurrentPrincipal.IsInRole("CS") ||
Thread.CurrentPrincipal.IsInRole("ADMIN");
Is there a better way in general? What's the best way to handle this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这与我们在 WinForms 和 ASP.net 应用程序中的做法非常接近。一个区别是我们将角色名称存储在数据库中,以便它们比硬编码常量更容易维护和升级。
虽然它缺乏某种自动绑定的性感(这似乎是您正在寻找的),但它很坚固并且处理起来并不麻烦。然而,我们的应用程序在用户之间并没有巨大的差异。在大多数情况下,如果用户可以访问应用程序的部分内容,他们就可以执行大部分操作。
That's pretty close to the way that we do it, both in WinForms and in our ASP.net applications. The one difference is that we store the role names in a database so that they are easier to maintain and upgrade than hardcoded constants.
While it lacks the sexiness of some sort of automatic binding (which it seems that you are looking for), it's solid and has not been troublesome to deal with. However, our application does not have a tremendous variation between users. For the most part, if a user can get access to part of the application they can perform most of the actions.