POCO +具有存储库模式的实体框架 - 权限处理
我有一个由 3 层组成的应用程序:
UI:在 ASP.NET MVC 中实现
业务:掌握业务逻辑和资源访问控制
存储库(DAL):使用 POCO 对象和 EF 实现,使用存储库模式。我的 POCO 对象与上层共享。
我对 POCO 应该具备哪些信息/方法有疑问? 即:如果我有一个 User 表,其中包含用户的用户名和密码,我的 POCO 应该有什么?我应该如何验证密码?我的 POCO 是否应该有一个方法来请求存储库进行验证?
另外,我应该如何控制对我的资源的访问?我的存储库是否应该控制谁可以访问资源,谁不能访问资源?这仍然允许我的 POCO 通过导航属性公开信息。我是否应该检查 POCO propoertise 当前用户是否也可以使用它们?
提前致谢。
I have an application that consists of 3 layers:
UI: to be implemented in ASP.NET MVC
Business: Holds the business logic and resource access control
Repository (DAL): Implemented with POCO objects and EF, using the repository pattern. My POCO objects are shared with the upper layers.
I have questions about what information/methods should POCOs have?
i.e: if i have a User table that holds a username and password for a user, what should my POCO have? How should i validate the password? Should my POCOs have a method that asks the repository for validation?
Also, how should i control access to my resources? Should my repositories have control over who can and cannot access a resource? This still lets my POCOs expose information with navigation properties. Should i check in the POCO propoertise if the current user can use them too?
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我有一个类似的项目,我可以向您提供一些有关我如何执行类似操作的详细信息。我假设您的整个解决方案是基于 .Net 的。
POCO(普通旧 CLR 对象)就是没有业务逻辑的对象。因此,密码验证不应直接在该类中进行,而应在业务层中进行。例如,UI会调用控制器操作将数据提交到业务层(BL),BL将通过调用存储库来执行用户密码验证以获取当前存储/加密的密码,BL将比较密码并返回将结果发送到您的 UI 或采取其他操作。当然,所有数据都应该经过验证,以防止 SQL 注入或跨站点脚本攻击等情况。
您的 POCO 可以具有 Uid/Pwd 属性。您应该在应用程序层之间传递此 POCO 对象。因此,MVC UI 将绑定到您的用户对象,并且在提交时控制器将调用 BL 中的某些方法并在该用户对象上执行业务规则(密码有效)。为了在实际层之间传递这些内容,您需要从主 DAL 中提取这些 POCO 并将它们放置在单独的程序集中。这些对象通常称为域对象,您可以通过谷歌搜索域驱动开发来获取有关该方法的更多信息。
安全性可以在应用程序中以多种不同的方式实现,这完全取决于您想要涵盖的项目的深度。 MVC 中最基本的是在控制器类上使用 Authorize 属性(google:保护您的控制器操作)。当您的用户通过身份验证后,可以为他们分配某种类型的应用程序角色,您可以使用以下格式验证用户是否具有这些角色之一:
I have a similar project and I can give you some details on how I performed similar operations. I am assuming your entire solution is .Net based.
POCO (Plain Old CLR Objects) are just that objects with no business logic. So, the password validations should not be directly in that class but in your business layer. For example, UI would call a controller action to submit the data to the Business Layer (BL), the BL would perform the user password validation by calling the repository to get the currently stored/encrypted password, BL will compare the passwords and return a result to your UI or take some other action. Of course all data should be validated as well to prevent things like SQL injection or Cross Site Scripting attacks as well.
Your POCO can have a Uid/Pwd properties. You should be passing around this POCO object betweeen your application layers. So, the MVC UI would be bound to your user object and when submitted the controller would call some method in your BL and perform and business rules (password is valid) on that user object. In order to pass these around between actual layers you need to extract those POCO's out of the main DAL and place them in a separate assembly. These objects are commonly referred to as Domain Objects and you can google Domain Driven development to get more information on that methodology.
Security can be implemented in several different ways within an application, it all depends on the depth of items that you want to cover. The most basic in MVC is to use the Authorize attribute on your controllers classes (google: Securing Your Controller Actions). When your user is authenticated they can be assigned some type of application roles and you can verify if the user has one of these roles using the following format:
如果您的上下文返回用户对象,则选择将“验证”密码:
应该由您的业务层决定如何加密密码以及如何处理失败的登录(方法返回 null)。
就我个人而言,我认为 DAL 中不应该包含任何业务逻辑。确定谁有权访问什么功能最好由业务层执行,但您可以禁用延迟加载并仅包含基于用户的导航属性,或者您可以在需要时对这些属性发出额外请求。返回的数据量和类型(出于性能原因)将推动该决策。
If your context is returning the user object, the select would "validate" the password:
It should be up to your business layer how to encrypt the password and how to handle a failed login (method returns null).
Personally, I don't think any business logic should be in your DAL. Determining who has access to what is a function best performed by the business layer but you could disable lazy loading and only include navigation properties based on the user OR you could make an additional request for those properties when they're needed. The amount and type of data being returned (for performance reasons) would drive that decision.
我认为并不总是需要通过层传递你的 POCO 对象(域对象),例如在你的情况下,视图层只需要一个简单的视图模型,只有用户名和密码属性并将其传递给 BL,它是您的 BL 将通过存储库获取用户域对象,并根据从视图层收到的内容验证密码。
I think that it is not always necessary to pass your POCO object (domain object) through layers, for example in your situation, the View layer only need a simple View Model with just user name and password properties and passes it to BL, it is your BL who will get the User domain object via repository and validate the password against what it has received from View layer.