我和你的情况一样——我一直讨厌 RoleProviders。是的,如果您想花很少的钱就可以启动并运行它们,它们就很棒website,但它们不太现实。我一直发现的主要缺点是它们将您直接与 ASP.NET 联系在一起。
我最近的一个项目的方式是定义几个属于服务层一部分的接口(注意:我简化了这些接口 - 但您可以轻松添加到它们):
public interface IAuthenticationService
{
bool Login(string username, string password);
void Logout(User user);
}
public interface IAuthorizationService
{
bool Authorize(User user, Roles requiredRoles);
}
那么您的用户就可以拥有Roles
enum:
public enum Roles
{
Accounting = 1,
Scheduling = 2,
Prescriptions = 4
// What ever else you need to define here.
// Notice all powers of 2 so we can OR them to combine role permissions.
}
public class User
{
bool IsAdministrator { get; set; }
Roles Permissions { get; set; }
}
为您IAuthenticationService
,您可以有一个执行标准密码检查的基本实现,然后您可以有一个FormsAuthenticationService
这会做更多的事情,例如设置 cookie 等。AuthorizationService
,你需要这样的东西:
public class AuthorizationService : IAuthorizationService
{
public bool Authorize(User userSession, Roles requiredRoles)
{
if (userSession.IsAdministrator)
{
return true;
}
else
{
// Check if the roles enum has the specific role bit set.
return (requiredRoles & user.Roles) == requiredRoles;
}
}
}
在这些基本服务之上,您可以轻松添加重置密码等服务。
由于您使用的是 MVC,因此您可以使用ActionFilter
:
public class RequirePermissionFilter : IAuthorizationFilter
{
private readonly IAuthorizationService authorizationService;
private readonly Roles permissions;
public RequirePermissionFilter(IAuthorizationService authorizationService, Roles requiredRoles)
{
this.authorizationService = authorizationService;
this.permissions = requiredRoles;
this.isAdministrator = isAdministrator;
}
private IAuthorizationService CreateAuthorizationService(HttpContextBase httpContext)
{
return this.authorizationService ?? new FormsAuthorizationService(httpContext);
}
public void OnAuthorization(AuthorizationContext filterContext)
{
var authSvc = this.CreateAuthorizationService(filterContext.HttpContext);
// Get the current user... you could store in session or the HttpContext if you want too. It would be set inside the FormsAuthenticationService.
var userSession = (User)filterContext.HttpContext.Session["CurrentUser"];
var success = authSvc.Authorize(userSession, this.permissions);
if (success)
{
// Since authorization is performed at the action level, the authorization code runs
// after the output caching module. In the worst case this could allow an authorized user
// to cause the page to be cached, then an unauthorized user would later be served the
// cached page. We work around this by telling proxies not to cache the sensitive page,
// then we hook our custom authorization code into the caching mechanism so that we have
// the final say on whether or not a page should be served from the cache.
var cache = filterContext.HttpContext.Response.Cache;
cache.SetProxyMaxAge(new TimeSpan(0));
cache.AddValidationCallback((HttpContext context, object data, ref HttpValidationStatus validationStatus) =>
{
validationStatus = this.OnCacheAuthorization(new HttpContextWrapper(context));
}, null);
}
else
{
this.HandleUnauthorizedRequest(filterContext);
}
}
private void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
// Ajax requests will return status code 500 because we don't want to return the result of the
// redirect to the login page.
if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.Result = new HttpStatusCodeResult(500);
}
else
{
filterContext.Result = new HttpUnauthorizedResult();
}
}
public HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext)
{
var authSvc = this.CreateAuthorizationService(httpContext);
var userSession = (User)httpContext.Session["CurrentUser"];
var success = authSvc.Authorize(userSession, this.permissions);
if (success)
{
return HttpValidationStatus.Valid;
}
else
{
return HttpValidationStatus.IgnoreThisRequest;
}
}
}
然后您可以在控制器操作上进行装饰:
[RequirePermission(Roles.Accounting)]
public ViewResult Index()
{
// ...
}
这种方法的优点是您还可以使用依赖项注入和 IoC 容器来连接事物。此外,您还可以在多个应用程序(不仅仅是 ASP.NET 应用程序)中使用它。您将使用 ORM 来定义适当的模式。
如果您需要有关的更多详细信息FormsAuthorization/Authentication
服务或从这里去哪里,请告诉我。
编辑:要添加“安全修剪”,您可以使用 HtmlHelper 来完成。这可能需要更多……但你明白了。
public static bool SecurityTrim<TModel>(this HtmlHelper<TModel> source, Roles requiredRoles)
{
var authorizationService = new FormsAuthorizationService();
var user = (User)HttpContext.Current.Session["CurrentUser"];
return authorizationService.Authorize(user, requiredRoles);
}
然后在您的视图中(此处使用 Razor 语法):
@if(Html.SecurityTrim(Roles.Accounting))
{
<span>Only for accounting</span>
}
编辑:UserSession
看起来像这样:
public class UserSession
{
public int UserId { get; set; }
public string UserName { get; set; }
public bool IsAdministrator { get; set; }
public Roles GetRoles()
{
// make the call to the database or whatever here.
// or just turn this into a property.
}
}
这样,我们就不会暴露当前用户会话中的密码哈希和所有其他详细信息,因为它们是really用户会话生命周期不需要。