
Authorising Web App users against User Information as well as Role

I was wondering if anyone would be able to help me with the following?

I need some more complicated rules for authorisation in a webapp than just role, which I have working fine. Something along the lines of "Allow all Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's credentials".

I am using a custom identity and custom principal to store information such as whether a user is allowed to see all clients or which individual clients they may see. This information is retrieved from a database and added upon creation of the identity/principal.

I have created a custom permission that extends IPermission, ISecurityEncodable. Within this, I have modified the Demand() function to the following:

public void Demand()
{
    // Resolve the custom identity from the current thread's principal.
    IPrincipal principal = Thread.CurrentPrincipal;
    this._identity = (UserIdentity)principal.Identity;

    // Admins are always allowed.
    if (principal.IsInRole("Admin")) { return; }

    // Buyers must be in the right department and either be able to see all
    // clients or be allowed to see the requested client.
    if (principal.IsInRole("Buyer") &&
        this._identity.IsInDept(this._departmentID) &&
        (this._identity.CanViewAllClients ||
         this._identity.CanViewClient(this._requestedClient)))
    {
        return;
    }

    throw new SecurityException("Custom Permission Denied");
}

I then call this when I wish to authorise by using

CustomPermission custperm = new CustomPermission(requestedClient, reqClientDept);
custperm.Demand();

This works fine, but seems a messy, hacky way to do things. Especially since it would be nice to use my security roles as an attribute e.g.

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
public class...

Perhaps there is a way to call [CustomPrincipalPermission(SecurityAction.Demand, Authorised = true)] with a custom IsAuthorised check? Is this possible? What would need to be implemented?

I apologise if there is a simple solution that I've missed online, but rest assured I have been checking for days now.


It seems like what you want is a declarative rather than a programmatic demand. In order to do so, you'll need to create a CustomPermissionAttribute based on your CustomPermission.

There's an example of a declarative demand of a custom permission here and details of creating a custom permission attribute here.

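One way to build the custom permission attribute the answer describes, as an added example rather than the poster's or the answer's code: it assumes a UserIdentity with an IsInDept method and covers only the department part of the rule, and DeptPermission, DeptPermissionAttribute and DepartmentID are hypothetical names.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
// Assumed shape of the question's UserIdentity (not the poster's code).
public class UserIdentity : GenericIdentity
{
    public int[] Departments = new int[0];
    public UserIdentity(string name) : base(name) { }
    public bool IsInDept(int dept) { return Array.IndexOf(Departments, dept) >= 0; }
}
// Permission holding the static part of the rule: the department a Buyer must belong to.
[Serializable]
public sealed class DeptPermission : IPermission, ISecurityEncodable
{
    private int _departmentId;
    public DeptPermission(int departmentId) { _departmentId = departmentId; }
    public DeptPermission(PermissionState state) { }  // used when the runtime rebuilds the permission from metadata
    public void Demand()
    {
        IPrincipal p = Thread.CurrentPrincipal;
        if (p.IsInRole("Admin")) return;  // admins always pass
        UserIdentity id = p.Identity as UserIdentity;
        if (p.IsInRole("Buyer") && id != null && id.IsInDept(_departmentId)) return;
        throw new SecurityException("Custom Permission Denied");
    }
    // Set algebra and XML round trip required by the two interfaces, kept minimal.
    public IPermission Copy() { return new DeptPermission(_departmentId); }
    public IPermission Intersect(IPermission target) { return Copy(); }
    public IPermission Union(IPermission target) { return Copy(); }
    public bool IsSubsetOf(IPermission target) { return target is DeptPermission; }
    public SecurityElement ToXml()
    {
        SecurityElement e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        e.AddAttribute("DepartmentID", _departmentId.ToString());
        return e;
    }
    public void FromXml(SecurityElement e) { _departmentId = int.Parse(e.Attribute("DepartmentID")); }
}
// Declarative form: [DeptPermission(SecurityAction.Demand, DepartmentID = 7)] on a class or method.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class DeptPermissionAttribute : CodeAccessSecurityAttribute
{
    public DeptPermissionAttribute(SecurityAction action) : base(action) { }
    public int DepartmentID { get; set; }
    public override IPermission CreatePermission() { return new DeptPermission(DepartmentID); }
}
```

Attribute arguments must be compile-time constants, so per-request values such as the requested client cannot go on the attribute and stay in the programmatic Demand() call. Declarative security attributes are enforced only by the .NET Framework runtime; .NET Core and .NET 5+ do not honour them.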