扩展 ASP.NET 角色提供程序

发布于 2024-08-26 21:22:56 字数 906 浏览 11 评论 0原文

因为 RoleProvider 接口似乎将角色视为只不过是简单的字符串,所以我想知道是否有任何非 hacky 的方法可以为每个用户的角色应用可选值。

我们当前的登录管理系统将角色实现为键值对,其中值部分是可选的,通常用于明确或限制角色授予的权限。

例如,角色“编辑”可能包含用户“巴里”,但对于“巴里”,它将有一个可选值“猛禽”,系统会将其解释为意味着巴里只能编辑在“猛禽”下提交的文章类别。

我在其他地方看到过一个建议,即简单地创建额外的分隔角色,例如“editor.raptors”或类似的角色。这并不是真正理想的,因为它会大大增加角色的数量,而且我可以说,要取代我们当前的实现(这也不太理想,但具有自定义的优点)将是一个非常困难的事情与我们的用户数据库一起使用)。

我已经可以看出,上面提到的连接方法将涉及大量繁琐的字符串分割和部分匹配。

有更好的办法吗?

编辑:我最初的目标是使用更多内置的 ASP.NET 功能。例如,通过 Web.config 中的 元素控制访问。据我所知,要做到这一点需要自己实现角色。除了这一限制之外,我们当前系统的身份验证概念似乎非常适合。

回答 mnemosyn 的问题

  1. 是的。我们有一个用于用户、应用程序及其授权的中央数据库。这是一个核心系统,没有什么可以绕过的。
  2. 目前我们的系统是没有层级的,维护起来其实需要花费相当多的精力。创建应用程序时,会定义一组授权(例如,“admin”、“user”、“poweruser”、“gatekeeper”、“keymaster”等)。然后,将用户与这些授权关联起来,并使用可选值来实现用户和(特定于应用程序的)授权的唯一组合。
  3. 您能详细说明一下您所说的这些“类别”吗?

Because the RoleProvider interface seems to treat roles as nothing more than simple strings, I'm wondering if there is any non-hacky way to apply an optional value for a role on a per-user basis.

Our current login management system implements roles as key-value pairs, where the value part is optional and usually used to clarify or limit the permissions granted by a role.

For example, a role 'editor' might contain a user 'barry', but for 'barry' it will have an optional value 'raptors', which the system would interpret to mean that Barry can only edit articles filed under the 'raptors' category.

I have seen elsewhere a suggestion to simply create additional delimited roles, such as 'editor.raptors' or somesuch. That's not really going to be ideal because it would bloat the number of roles greatly, and I can tell it's going to be a very hard sell to replace our current implementation (which is also very less than ideal, but has the advantage of being custom made to work with our user database).

I can tell already that the concatenation method mentioned above is going to involve a lot of tedious string-splitting and partial matching.

Is there a better way?

EDIT: My initial goal was to use more built-in ASP.NET functionality. For instance, control access via <authorization/> elements in the Web.config. Doing this, as far as I can see, requires implementing roles themselves. Our current system's concept of auths seemed to fit very well apart from that one limitation.

Answering mnemosyn's questions

  1. Yes. We have a central database for users, applications and their authorisations. It's a core system and there's no going around it.
  2. Currently our system is not hierarchical, and it actually takes quite a lot of effort to maintain. When an application is created, a set of authorisations are defined (e.g., 'admin', 'user', 'poweruser', 'gatekeeper', 'keymaster', etc.). Users are then associated with those authorisations with the optional value for a unique combination of user and (app-specific) authorisation.
  3. Can you elaborate on these 'categories' of which you speak?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

逆流 2024-09-02 21:22:56

对我来说,这确实听起来像是一个架构问题。

首先,您需要准确地确定您需要什么。第二步,将其映射到具体的实现。继续这一点:除了最简单的情况之外,我不会使用内置提供程序。另外,这个问题很快就会变得非常复杂,所以我会尽量保持简单。

为了详细说明您的需求,请尝试确定:

  • 您是否真的需要将角色概念映射到数据库,就像在 CMS 中那样?或者角色系统的改变是否意味着系统的修改。在这种情况下,您可以寻求更简单的解决方案并将枚举放入用户中。这将节省大量数据库访问,使连接变得简单选择等。
  • 您想通过您解释的多角色概念实现什么目的?这些角色真的是您所需要的吗?个人权限怎么样?例如,您是否具有分层结构,以便每个节点都可以拥有与其关联的一组特定权限,就像 Windows 的文件安全概念一样?
  • 如果只是类别,为什么不将类别映射到用户,即为每个用户在每个类别中赋予一定的角色。这将需要对默认类别等进行一些调整。

这里有一些提示:不要选择白名单,始终使用黑名单。控制白名单是一件痛苦的事情,尤其是。当很多规则聚集在一起时。例如,在 drupal 中,我认为这是主要缺陷之一(这就是为什么他们在版本 7 中重建它以使用黑名单)。允许用户做他们不应该做的事情通常比相反的问题要大得多。

Windows 文件访问概念非常复杂,因为它有黑名单和白名单,而且还可以继承 - 因此请尽量让您的解决方案比这简单得多。

字符串连接的事情对我来说听起来相当危险,无论如何我都会寻求更干净的解决方案。这种类型的元逻辑让人头疼。

This really sounds like an architectural issue to me.

First, you need to determine what you need, exactly. In a second step, map this to a concrete implementation. To jump ahead on that one: I wouldn't use the built-in providers for anything but the most simplistic cases. Also, this problem quickly gets very complicated, so I'd try to keep it as simple as possible.

To elaborate your needs, try to determine:

  • Do you really need to map the role concept to the database, as you would in a CMS? Or do changes to your role system imply a modification to the system. In that case, you could go for a much simpler solution and put an enum into the user. This will save a lot of database accesses, makes joins simple selects, etc.
  • What are you trying to achieve through the multi-role concept you explained? Is it really roles that you need? How about individual permissions? Do you, for instance, have a hierarchical structure so that every node can have a certain set of permissions associated with it, much like windows' file security concept?
  • If it's only categories, why not map categories to users, i.e. give each user a certain role in each category. This will require some tweaks for default category, etc.

A few tips there: Don't go for whitelists, always use blacklists. Controlling whitelists is a pain, esp. when a lot of rules come together. In drupal, for example, I think this is one of the major flaws (which is why they're rebuilding it to use blacklists in version 7). Allowing a user to do something they shouldn't is usually a much bigger issue than the other way around.

The windows file access concept is very complicated, because it has both black- and whitelisting, which additionally can be inherited - so try to keep your solution much simpler than that.

The string concatenation thingie sounds rather dangerous to me, I'd go for a cleaner solution in any case. This type of meta-logic gives headache.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文