我想在我们创建的 Web 应用程序上实现角色和权限,并且我正在考虑使用 System.Web.Security.SqlRoleProvider 来实现此目的。
我的问题是每个客户端都希望能够配置谁可以和不能在系统中执行操作,并且没有两个客户端会想要相同的操作,因此创建基本的
涵盖所有管理员、用户、经理角色是不够的。
我建议为每个屏幕创建角色,如下
Screen1Create, Screen1Update, Screen1Delete, Screen1Read
Screen2Create, Screen2Update, Screen2Delete, Screen2Read
所示。
然后,我将允许客户端选择每个用户的角色,这些角色将在用户登录时存储在 cookie 中。
然后我可以读取 cookie 并使用 user.isinrole 来检查当前用户是否可以调用每个方法。
我意识到我需要注意 cookie 的大小限制。除此之外,这听起来可行吗,还有更好的方法吗?
非常感谢您的任何意见。
I want to implement roles and permissions on a web app we have created and I am looking at using System.Web.Security.SqlRoleProvider to implement this.
My problem is that each client will want to be able to configure who can and cannot perform actions in the system and no two clients will want the same, so creating basic
Admin, User, Manager roles to cover all won't suffice.
What I am proposing to do for each screen is create roles as follows
Screen1Create, Screen1Update, Screen1Delete, Screen1Read
Screen2Create, Screen2Update, Screen2Delete, Screen2Read
and so on.
I would then allow the client to select the roles per user, which would be stored in a cookie when the user logs in.
I could then read the cookie and use user.isinrole to check if each method can be called by the current user.
I realise there is a size constraint with cookies that I need to be aware of. Apart form that, does this sound feasable, is there as better way to do it?
Many thanks for any input.
发布评论
评论(2)
确实,如果您想自己将这一切编程到 cookie 级别,那么您就有打开安全漏洞的风险。实现此目的的方法是将表单身份验证与基于角色的授权相结合。 Asp.net会给用户一个防篡改的cookie。
如果您实现角色,则可以轻松标记方法:
或使用代码来查看某人是否处于特定角色。
很多信息:
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
Really if you want to program this all yourself to the cookie level you're risking opening security holes. The way to do this is with forms authentication combined with role based authorization. Asp.net will give the user a tamperproof cookie.
If you implement roles you can then easily mark methods:
or use code to see if someone is in a particular role.
Lots of info:
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
请记住,cookie 是用户提供的输入,因此如果您要将用户的权限存储在 cookie 中,则必须使用密钥哈希函数(例如 HMAC-SHA256)来确保用户不会授予自己额外的权限。
或者,如果您将所有权限存储在数据库中,它将在客户端计算机上保持不变,并且您无需每次使用它时都需要验证其完整性。
Remember that cookies are user-supplied inputs, so if you're going to store the privileges of users in cookies, you must use a keyed hash function (such as HMAC-SHA256) to make sure that users do not grant themselves additional permissions.
Or, if you store all the permissions in your database, it'll be persistent across client computers and you won't need to validate its integrity every time you wish to use it.