使用.Net 成员资格/角色支持自定义授权/访问规则
我正在编写一个支持可自定义用户和角色的应用程序。我所说的可定制是指将提供一个管理表单,允许添加用户、创建角色、将用户分配给角色,以及最重要将授权规则与角色关联起来的能力。例如,在查看角色时,管理员将看到一系列复选框,允许他们自行决定为程序功能区域授权角色。我需要能够在应用程序中编写代码,例如:
if (!currentUser.IsAuthorizedTo(AuthorizationRules.ADD_ORDER))
//Show not authorized message or prompt for elevation
其中 IsAuthorizedTo 将查看当前用户的角色并确定他们中的任何一个是否具有必要的授权。
我浏览了 API 文档,只找到了 web.config 授权部分,这不是最佳的。我猜我可能必须自己推出,但我想我首先要问:
是否有使用 .net 会员/角色 api 或其他建议系统(.net 会员 api 除外)的现有方法允许基于角色和访问规则的细粒度授权吗?
I'm writing an application that will support customizable Users and Roles. By customizable, I mean that an administration form will be provided allowing the addition of Users, the creation of Roles, the assignment of Users to Roles, and most importantly the ability to associate authorization rules with Roles. When viewing a Role, an administrator would be presented with a series of checkboxes, for example, allowing them to authorize a role for areas of program functionality at their discretion. I need to be able to write code in the application such as:
if (!currentUser.IsAuthorizedTo(AuthorizationRules.ADD_ORDER))
//Show not authorized message or prompt for elevation
Where the IsAuthorizedTo would look at the current user's roles and determine if any of them have the requisite authorization.
I've looked through the API docs and only found the web.config authorizations section, which is less than optimal. I'm guessing I may have to roll my own, but I thought I'd first ask:
Is there an existing method using the .net membership/roles api or another suggested system (other than .net membership api) to allow fine grained authorization based on roles and access rules?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
AuthorizeAttribute有一个可能有用的Roles属性。它将限制某些控制器或操作到指定的角色。更多信息请此处。
更新:
以下是 NerdDinner 项目的示例:
The
AuthorizeAttributehas aRolesproperty that may be useful. It would restrict certain controllers or actions to the specified roles.More here.
Update:
Here's an example from the NerdDinner project:
我认为你应该使用自定义授权 过滤器,然后 OnAuthorization 执行逻辑检查当前用户是否具有当前操作的访问权限。
I Think you should use Custom Authorization Filters, Then OnAuthorization do your logic to check if the current user has the access right to current action.