在我的申请里的角色有几个权限。我希望用户能够访问取决于权限,而不是角色的动作。
In my application a role has several permissions. And I want users to have access to actions dependent on permission, not the role.
因此,假设:
- 管理员拥有perm1,perm2,perm3,
- 超级管理员具有所有的管理员有权+ perm4和perm5的任何权限。
- 此外,也有一些小家伙还谁拥有perm1,perm3,perm6,perm7。
我要做到以下几点:我要行动要由人谁也想perm3或perm4访问。这两个权限是从两个不同的角色。但旁边perm3管理员拥有perm1和perm2,这一行动将是也谁拥有perm3(它不是强制性是管理员或超级管理员)未成年人访问。
I want to do the following: I want action to be accessible by guy who has suppose perm3 or perm4. those two permissions are from two different roles. but beside perm3 Admin has perm1 and perm2, this action will be also accessible by minor guys who have perm3 (its not obligatory to be admin or superadmin).
所以,你明白我的意思吧?我想在ASP.NET MVC实现这一4.所以,我想我需要让我自己 AuthorizeAttribute ,我自己的的IIdentity ,写在Global.asax的一些方法。还有在ASP.NET中的成员是否需要触摸它?我不知道如何让所有的东西放在一起。谁能帮我?
So you understand what I mean right ? I want to realise this in ASP.NET MVC 4. So I suppose I will need to make my own AuthorizeAttribute, My own IIdentity and write some methods in global.asax. There's also a Membership in ASP.NET Will I need to touch it ? I don't know how to get all things together. Can anyone help me out?
推荐答案基本上,你必须创建自己的AuthorizeAttribute,但是从.NET中使用的IIdentity。你在这里描述什么是认证和授权的声明基于系统。
Basically you have to create your own AuthorizeAttribute, but use IIdentity from .NET. What you have described here is a Claim based system for authentication and authorization.
最有可能的,你将不得不从ASP.NET扔掉成员或只使用其中的一部分。据我所知,它不是内置在考虑索赔。
Most likely you will have to throw away the Membership from ASP.NET or use just part of it. As far as I know, it is not built with claims in mind.
在.NET 4.5的家伙加入类:ClaimsPrincipal,它实现了接口的IPrincipal。这个类可用于实现基于声明的定制身份验证和授权。
In .NET 4.5 the guys added the class: ClaimsPrincipal, which implements the interface IPrincipal. This class can be used to implement custom authentication and authorization based on claims.
所以,当用户通过验证后,就可以在线程上添加声明:
So, when the user is authenticated, you can add the claims on the thread:
var id = new ClaimsIdentity(claims, "Dummy"); var principal = new ClaimsPrincipal(new[] { id }); Thread.CurrentPrincipal = principal;再后来就只使用您在找Thread.CurrentPrincipal中的说法。
and then later on just use the claims you find on the Thread.CurrentPrincipal.
在ASP.NET MVC中,你可以做以下步骤:
In ASP.NET MVC, you can do the following steps:
创建一个委托处理程序用来验证用户。如果用户通过验证,那么权利要求加入到螺纹主体。理想情况下,让你有执行链中随处可得的索赔委托该处理程序应作为高达链成为可能。还记得来设置HttpContext.Current.User具有相同的主要
create a Delegating Handler which authenticates the user. If the user is authenticated, then claims are added to the thread principal. Ideally, this delegating handler should be as high up the chain as possible so that you have the claims available everywhere in the execution chain. Also remember to set the HttpContext.Current.User with the same principal
公共类AuthHandler:DelegatingHandler {
public class AuthHandler : DelegatingHandler{
protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) { //authenticate user //get claims //create principal var newPrincipal = CreatePrincipal(claims); Thread.CurrentPrincipal = newPrincipal; if (HttpContext.Current != null) HttpContext.Current.User = newPrincipal; return await base.SendAsync(request, cancellationToken); }}
创建该授权的基础上加入线程校长索赔的过滤器。在这里,你可以这样做比较在权利要求中的信息当前路由。
Create a filter which authorizes based on the claims added to the Thread Principal. Here you can do something like compare the current route with the information found in the claims.
更多推荐
自定义授权(许可)ASP.NET MVC
发布评论