Converting a declarative PrincipalPermission to a programmatic .Demand
I currently have two roles like this:
[PrincipalPermission(SecurityAction.Demand, Role = @"Domain\Admin")]
[PrincipalPermission(SecurityAction.Demand, Role = @"Domain\AnotherRole")]
The problem is that this inherited code is specific to the domain, and I want to eventually get the roles from the web.config file, so I can work on a VM not in the domain.
I have seen an example like this:
PrincipalPermission permCheck = new PrincipalPermission(null, @"Domain\Admin");
permCheck.Demand();
Since this throws an exception if the user is not in the role, how do I change this example to allow either of the two roles? I could use multiple IPrincipal.IsInRole() calls and then throw my own exception, but it seems like there is probably a way to use the .Demand method with multiple roles.
Update 12/21: Sample Code based on Union link from Ladislav's answer below:
PrincipalPermission ppAdmin = new PrincipalPermission(null, @"Domain\Admin");
PrincipalPermission ppAnother = new PrincipalPermission(null, @"Domain\AnotherRole");
(ppAdmin.Union(ppAnother)).Demand();
But AzMan (suggested by Ladislav) looks like a better but more involved solution.
Comments (1)
PrincipalPermission has a Union method. This method allows you to combine several PrincipalPermissions before you call Demand. But instead of using imperative permissions you can check Authorization Manager (AzMan) and the related role provider (AuthorizationStoreRoleProvider). Authorization Manager allows you to define abstract roles in your application and assign real user groups and roles through MMC.
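An added example, not part of the question or the answer above: the Union approach generalized to a role list that comes from configuration, so the domain name is no longer compiled in. It assumes .NET Framework; `RoleGate`, `DemandAnyRole` and the `AllowedRoles` appSettings key are hypothetical names, and the principal in `Main` is constructed so the block runs without a domain.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class RoleGate
{
    // Hypothetical helper. roleList is a comma-separated value, for example
    // ConfigurationManager.AppSettings["AllowedRoles"] (assumed key name).
    public static void DemandAnyRole(string roleList)
    {
        string[] roles = (roleList ?? "")
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        // Fail closed: a missing or empty setting must not grant access.
        if (roles.Length == 0)
            throw new SecurityException("No allowed roles configured.");

        // Union is an OR: the demand succeeds if the principal is in any role.
        IPermission combined = new PrincipalPermission(null, roles[0]);
        foreach (string role in roles.Skip(1))
            combined = combined.Union(new PrincipalPermission(null, role));

        // Checks Thread.CurrentPrincipal; throws SecurityException on no match.
        combined.Demand();
    }

    static void Main()
    {
        // Constructed principal standing in for the authenticated web user.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { @"Domain\AnotherRole" });

        DemandAnyRole(@"Domain\Admin, Domain\AnotherRole");
        Console.WriteLine("access granted");

        try { DemandAnyRole(@"Domain\Admin"); }
        catch (SecurityException) { Console.WriteLine("access denied"); }
    }
}
```

Treating an empty or missing setting as a denial matters here because a configuration mistake on a new environment would otherwise be indistinguishable from an intentional "allow".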