
Where to locate custom membership, roles, profile providers in a 3-tier setup?

I have a 3 tier ASP.NET MVC 3 project that has a data layer, service layer then a presentation layer which calls upon the service layer to get data. I'm actually using the doFactory patterns in action solution.

I want to implement a custom membership, roles, profile provider but I'm not sure exactly where to put it. I was thinking of putting it in the service layer then have the provider call on the DAO objects to get the info.

Any other ideas?


You're thinking pretty well. Though the UI layer interacts with the client and takes their password, your service layer should process attempts to enter the system.

  • Your action methods pass along the information to the service objects responsible for authorization.

  • Your service layer would have no idea whether it is in a web application or not.

  • The data layer is just the place where that information is stored, not where it is processed.

You might choose to keep the ID of the user in the UI layer, in session. On login the Service layer would take the username/password/whatever and return a UserID. Or, your action methods could pass in a session key into the service layer each time, to get the User information.

Edit due to comment: I'm doing this in my current project (couple $million scope). I have my security decisions in the action methods. (Though of course the tools for making this simple are objects from the Service Layer.) For example, if the current user doesn't have this role or that role, then redirect them to a rejection page, otherwise, do the thing. MyServiceLayerObject.DoThing() has no security inside it.

It's the simplest way for my app and many others. ("Simplest" means it will be screwed up the least. When it comes to security, simple is good!) Since the Action method is the gateway to the functionality, having security in the service layer would just cause extra work and actually obscure what security was happening. Now, that's my app, where there is usually one place where each action takes place.

Your app may be different. The more different action methods and (especially) different components are using your Services Layer's functionality, the more you'd want your Service Layer functionality locked down with your authorization scheme. Many people feel that security should always be in the service layer, and that any additional security actions in the UI layer would be bonus redundancy. I don't agree with that.
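
The layering discussed in the answer above, as an added example (not code from the original post or from the doFactory solution). The type names, the "Admin" role, and the use of PBKDF2 with this iteration count are assumptions made for illustration.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Principal;

// Data layer (hypothetical types): storage only, no security decisions.
public class UserRecord { public int Id; public byte[] Salt; public byte[] Hash; }
public interface IUserDao { UserRecord FindByName(string userName); } // null if unknown
public interface IReportDao { void Delete(int reportId); }

// Service layer: no reference to System.Web, so any front end can call it.
public class AccountService
{
    private const int Iterations = 100000; // assumed PBKDF2 work factor
    private readonly IUserDao _dao;
    public AccountService(IUserDao dao) { _dao = dao; }
    // Returns the user id on success, null on failure; the UI layer keeps the id in session.
    public int? Login(string userName, string password)
    {
        UserRecord user = _dao.FindByName(userName);
        if (user == null) return null;
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, Iterations))
        {
            byte[] candidate = kdf.GetBytes(user.Hash.Length);
            return FixedTimeEquals(candidate, user.Hash) ? user.Id : (int?)null;
        }
    }
    // Compare every byte so the time taken does not reveal where the hashes differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Service-level gate for functionality shared by several callers.
// IPrincipal is not web-specific, so the service still has no idea it runs in a web app.
public class ReportService
{
    private readonly IReportDao _reports;
    public ReportService(IReportDao reports) { _reports = reports; }
    public void DeleteReport(IPrincipal caller, int reportId)
    {
        if (caller == null || !caller.IsInRole("Admin")) // "Admin" is a sample role name
            throw new SecurityException("Caller is not allowed to delete reports.");
        _reports.Delete(reportId);
    }
}
```

An MVC action method would pass `User` (the controller's `IPrincipal`) into `DeleteReport`; a custom `MembershipProvider.ValidateUser` override could delegate to `AccountService.Login` in the same way.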


Here is an existing implementation of Membership Providers in 3 tier world that I found when looking for the same thing...

http://elysianonline.com/programming/wcf-wrapper-for-asp-net-membership/

And here ...

http://elysianonline.com/programming/using-the-wcf-membership-provider/
