Authorization in ASP.NET MVC

Posted 2024-10-03 03:41:50 · 1016 characters · 4 views · 0 comments

I'm facing a case that I've researched a lot, but I still couldn't find a solution for.
I've been given the task of finishing the implementation of roles in an ASP.NET MVC 1 application.
The case here is against what is generally done when it comes to permissions in applications.
Let's imagine that we have two roles, Operator and Manager, in a 5-page website. Having a user which inherits the two roles, I want to allow and deny permission to view pages according to the following pattern:

For page 1, the Operator role allows the user to view but the Manager role denies; in this case I want to let the user having these 2 roles view the page;

For page 2, the Operator role denies the user from viewing and the Manager role denies as well; this is the only situation where I really want to deny a role, when both roles have denied the user from viewing the page.

So, whenever a user inherits multiple roles, what should determine that he can't view a page is a Full Deny (being denied for all his roles), and whenever he has a role that allows, even if all his other roles deny, he will still be able to view the page.

Does anyone know how it is possible to implement this?

EDIT:

Below is just a glimpse of how Authorization is done in our application, besides what's used in the sitemap.
You can see the Rule below is using more than one profile. The situation I described above needs to work with the said implementation below.

<Rules xmlns="urn:artemis.runtime.web.security">
    <!-- RUNTIME -->
    <Rule roles="*" resource="^Artemis\.Runtime\.Web\.FilesController\..*" permission="Allow" />

    <!-- ABERTURA GERAL -->
    <Rule roles="*" resource="^Tagus\.Logistics\.Web\.Controllers\..*" permission="Allow" />

<Rule roles="Gestor Cliente,DUN" resource="^Tagus\.Logistics\.Web\.Controllers\.PlanningVsEffectiveController\..*" permission="Deny" />
</Rules>

Comments (2)

一瞬间的火花 2024-10-10 03:41:50
[Authorize(Roles = "Operator")]
public ViewResult PageOne(){
    return View();
}

[Authorize(Roles = "SomeOneElse")]
public ViewResult PageTwo(){
    return View();
}

If I understand correctly, you don't want either of the roles to view the second page?

别挽留 2024-10-10 03:41:50

Authorize is used to decide who to ALLOW not deny. If you wanted to add deny functionality I guess you could make a custom Authorize attribute. Something like:

using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Inverse of [Authorize(Roles = "...")]: the request is refused when the user holds ANY of the listed roles.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class DenyRolesAttribute : AuthorizeAttribute
{
    public DenyRolesAttribute(string roles) : base()
    {
        Roles = roles;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }
        IPrincipal user = httpContext.User;

        // Deny when the user is in any of the comma-separated roles (trimmed so "A, B" works too).
        if (!string.IsNullOrEmpty(Roles) && Roles.Split(',').Any(role => user.IsInRole(role.Trim())))
        {
            return false;
        }
        // Note: unlike the base AuthorizeAttribute this does not require an authenticated user,
        // so pair it with a plain [Authorize] where anonymous access must also be refused.
        return true;
    }
}

I made this up on the spot so make sure you test and tidy it up. Or maybe add an AllowRoles and a DenyRoles property so you can do a bit of both in the overridden AuthorizeCore method. You get the idea though.
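Added example, not code from the question or either answer: a small evaluator for the asker's "one allowing role wins, refuse only on a full deny" semantics over rules in the shape of the <Rules> XML in the question. It assumes the XML has already been parsed into the constructed AccessRule objects below; hooking the evaluator into a custom AuthorizeAttribute (whose AuthorizeCore only receives the HttpContext) is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Constructed model of one <Rule roles=".." resource=".." permission=".."/> element.
public sealed class AccessRule
{
    public readonly string[] Roles;  // role names; "*" stands for every role
    public readonly Regex Resource;  // matched against "Namespace.Controller.Action"
    public readonly bool Allow;      // permission="Allow" -> true, "Deny" -> false
    public AccessRule(string roles, string resource, string permission)
    {
        Roles = roles.Split(',').Select(r => r.Trim()).ToArray();
        Resource = new Regex(resource);
        Allow = string.Equals(permission, "Allow", StringComparison.OrdinalIgnoreCase);
    }
}

public static class AnyAllowEvaluator
{
    // One role on one resource: a rule naming the role beats the "*" rule; among those, Deny wins; null = no rule.
    public static bool? DecideForRole(IList<AccessRule> rules, string role, string resource)
    {
        var matching = rules.Where(r => r.Resource.IsMatch(resource)).ToList();
        var byName = matching.Where(r => r.Roles.Contains(role, StringComparer.OrdinalIgnoreCase)).ToList();
        if (byName.Count > 0) return byName.All(r => r.Allow);
        var wildcard = matching.Where(r => r.Roles.Contains("*")).ToList();
        if (wildcard.Count > 0) return wildcard.All(r => r.Allow);
        return null;
    }
    // The asker's rule: grant when ANY held role is allowed; refuse only on a full deny (no role allowed).
    public static bool IsAllowed(IList<AccessRule> rules, IEnumerable<string> userRoles, string resource)
    {
        return userRoles.Any(role => DecideForRole(rules, role, resource) == true);
    }
}

public static class Demo
{
    public static void Main()
    {
        var rules = new List<AccessRule> {
            new AccessRule("*", @"^Tagus\.Logistics\.Web\.Controllers\..*", "Allow"),
            new AccessRule("Gestor Cliente,DUN", @"^Tagus\.Logistics\.Web\.Controllers\.PlanningVsEffectiveController\..*", "Deny") };
        const string page = "Tagus.Logistics.Web.Controllers.PlanningVsEffectiveController.Index";
        Console.WriteLine(AnyAllowEvaluator.IsAllowed(rules, new[] { "Gestor Cliente", "DUN" }, page));   // both roles denied: full deny
        Console.WriteLine(AnyAllowEvaluator.IsAllowed(rules, new[] { "Gestor Cliente", "Operator" }, page)); // "*" allows Operator, so granted
    }
}
```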
