How can I implement permission-based authorization in ASP.NET?
I'm working an a ASP.NET application (not using MVC) and need a User-Role-Permission based authorization scheeme, where pages and/or methods can demand the specific permission they require (instead of which role the user has). Is there a way to extend Forms Authentication (or building something) to solve this?
If possible I would like to be able to use attributes:
[RequirePermission("UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}
Perhaps even for methods:
public class MyClass
{
...
[RequirePermission("UserEdit")]
public void Save()
{
...
}
}
Is this possible?
I found this page, that suggested using Roles for permissions:
[Authorize(Roles = "UserEdit")]
public partial class EditUser : System.Web.UI.Page
{
}
I am not very fond of this solution, but that would also be a possible way to solve things,开发者_Python百科 but what do I need to do to get it working?
Microsoft's authorization model sucks...and it's widely acknowledged http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/).
That said. It's nice to have cross compatibility by fitting into their IPrincipal.IsInRole
API (and thus being able to leverage the Authorize
attribute)
So...what I do to compromise is have a full permission model in the DB with Users, Roles, and Permissions...but when my code sets the CurrentPrincipal
I flatten the User's Roles and Permissions into the Roles collection of the IPrincipal
. It's far from ideal...but IMHO it's a decent compromise. Others (Rockford Lhotka) have also taken this approach: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx
精彩评论