
How do I handle application security, using ActionFilterAttribute and/or SiteMap authorization?

I created the following ActionFilterAttribute to check if a user is granted access to a page. I also created two custom exceptions to handle different scenarios: NotLoggedInException and InsufficientPrivilegeException.

ActionFilterAttribute

Imports System.Web.Mvc

Public Class ValidateAuthentication : Inherits ActionFilterAttribute
    Private _page As BLL.Page

    Public Sub New(ByVal Page As BLL.Page)
        Me._page = Page
    End Sub

    ' Runs before the action; IsAccessibleToUser returns -1 (not logged in),
    ' 0 (logged in but no privilege) or 1 (access granted).
    Public Overrides Sub OnActionExecuting(ByVal filterContext As ActionExecutingContext)
        Select Case Me._page.IsAccessibleToUser(filterContext.HttpContext.User)
            Case -1
                Throw New NotLoggedInException()
            Case 0
                Throw New InsufficientPrivilegeException()
            Case 1
                ' access granted, nothing to do
        End Select
    End Sub
End Class

I also have a custom SiteMapProvider where I implemented my own IsAccessibleToUser() function, so I also have security trimming.

SiteMapProvider

' Called by the provider for every node when securityTrimmingEnabled is on;
' the node is hidden from the rendered site map unless this returns True.
Public Overrides Function IsAccessibleToUser(ByVal context As System.Web.HttpContext, ByVal node As System.Web.SiteMapNode) As Boolean
    Dim p As New BLL.Page
    p.LoadFromSiteMapNode(node)

    Select Case p.IsAccessibleToUser(context.User)
        Case 1
            Return True
        Case Else
            Return False
    End Select
End Function

The questions:

  1. Where do I catch the exceptions to, for instance, redirect users if they are not authorized?
  2. Should I perhaps use the SiteMap authorization somewhere else instead of using the ActionFilterAttribute and throwing exceptions?

Note: as you can see, I'm using a custom class, BLL.Page. This is an ORM page class which has role-based security stored in the database. The SiteMap is also populated from this data.


Do not reinvent AuthorizeAttribute. Your version won't handle cached actions; the built-in AuthorizeAttribute will. If you need to customize your authentication, then customize the membership provider or subtype AuthorizeAttribute, rather than reinventing MVC security.

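What the answer's advice looks like in practice, as an added example that is not code from the question or the answer. It subtypes AuthorizeAttribute and reuses the asker's BLL.Page and its IsAccessibleToUser() return convention (-1 = not logged in, 0 = logged in but lacking the role, 1 = allowed); it assumes ASP.NET MVC 2 or later, where HandleUnauthorizedRequest is overridable, and the page key "admin-reports" in the usage comment is an assumed site-map node key. Because the decision lives in AuthorizeCore, the base class re-runs it from OnCacheAuthorization for actions decorated with OutputCache, which is the cached-action case the answer says a plain ActionFilterAttribute misses.

```vbnet
Imports System.Web
Imports System.Web.Mvc

' Added example, not code from the question or the answer.
' Assumes ASP.NET MVC 2+ and the asker's BLL.Page class with its
' IsAccessibleToUser(IPrincipal) convention: -1 / 0 / 1 as described above.
Public Class PageAuthorizeAttribute
    Inherits AuthorizeAttribute

    Private ReadOnly _pageKey As String

    ' Attribute arguments must be compile-time constants, so the page is
    ' identified by its site-map node key rather than passed as a BLL.Page.
    Public Sub New(ByVal pageKey As String)
        _pageKey = pageKey
    End Sub

    ' Single decision point. AuthorizeAttribute also calls this from
    ' OnCacheAuthorization, so the check is repeated for OutputCache'd actions
    ' instead of serving another user's cached page.
    Protected Overrides Function AuthorizeCore(ByVal httpContext As HttpContextBase) As Boolean
        ' With securityTrimmingEnabled the provider may already return Nothing
        ' for a node the current user may not see; either way we fail closed.
        Dim node As SiteMapNode = SiteMap.Provider.FindSiteMapNodeFromKey(_pageKey)
        If node Is Nothing Then
            Return False
        End If

        Dim p As New BLL.Page
        p.LoadFromSiteMapNode(node)
        Return p.IsAccessibleToUser(httpContext.User) = 1
    End Function

    ' Called when AuthorizeCore returned False. Anonymous users get the
    ' standard 401, which forms authentication turns into a redirect to the
    ' login page. Authenticated users without the role get a 403 view instead
    ' of being bounced to a login page they have already passed.
    Protected Overrides Sub HandleUnauthorizedRequest(ByVal filterContext As AuthorizationContext)
        If Not filterContext.HttpContext.User.Identity.IsAuthenticated Then
            MyBase.HandleUnauthorizedRequest(filterContext)
        Else
            filterContext.HttpContext.Response.StatusCode = 403
            filterContext.Result = New ViewResult() With {.ViewName = "InsufficientPrivilege"}
        End If
    End Sub
End Class

' Usage on a controller action ("admin-reports" is an assumed node key):
'
' <PageAuthorize("admin-reports")> _
' Public Function Reports() As ActionResult
'     Return View()
' End Function
```

This also answers the "where do I catch the exceptions" question by not throwing at all: the attribute decides the result itself, so no global error handler has to distinguish NotLoggedInException from InsufficientPrivilegeException, and the site map and the action filter keep sharing one authorization routine in BLL.Page.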