开发者

Best way to implement multiple roles and permissions in c# web app?

I want to implement roles and permissions on a web app we have created and I am looking at using System.Web.Security.SqlRoleProvider to implement this. My problem is that each client will want to be able to configure who can and cannot perform actions in the system and no two clients will want the same, so creating basic Admin, User, Manager roles to 开发者_开发技巧cover all won't suffice.

What I am proposing to do for each screen is create roles as follows

Screen1Create, Screen1Update, Screen1Delete, Screen1Read
Screen2Create, Screen2Update, Screen2Delete, Screen2Read

and so on.

I would then allow the client to select the roles per user, which would be stored in a cookie when the user logs in.

I could then read the cookie and use user.isinrole to check if each method can be called by the current user.

I realise there is a size constraint with cookies that I need to be aware of. Apart form that, does this sound feasable, is there as better way to do it?

Many thanks for any input.


Really if you want to program this all yourself to the cookie level you're risking opening security holes. The way to do this is with forms authentication combined with role based authorization. Asp.net will give the user a tamperproof cookie.

If you implement roles you can then easily mark methods:

 [PrincipalPermission(SecurityAction.Demand, Role="Screen1Create")]

or use code to see if someone is in a particular role.

Lots of info: http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx


Remember that cookies are user-supplied inputs, so if you're going to store the privileges of users in cookies, you must use a keyed hash function (such as HMAC-SHA256) to make sure that users do not grant themselves additional permissions.

Or, if you store all the permissions in your database, it'll be persistent across client computers and you won't need to validate its integrity every time you wish to use it.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜