Application Active Directory support: what does it actually mean?

Time: 2022-07-08 03:01:15

I can check user in active directory, if he exist then I give him permission to open app window, but what if an application has many levels of permission? Do I create special groups of permission in active directory and check if user belongs to one of them? Can application log in automatically, or there is always need to enter password?

1 solution

#1


Active Directory can fulfill two related but separate functions for an application: Authorization and Authentication.

Authentication is validating that the person using your application is a valid user. If you have the user's credentials (i.e. the application prompts the user for their username and password), you can authenticate them against AD by attempting a connection using their username/password.

Authorization is what lets you determine the level of permissions a particular user has in your application. Active Directory groups are a relatively straightforward and flexible way to implement the various permissions levels. Typically, I will create very fine-grained permissions groups that represent each securable action users can perform in the application (i.e. CanDeleteWidgets, CanAddWidgets, CanEditWidgets ). Then create functional or role groups where you place the users for that role (i.e. Managers, Coordinators, Technicians, etc). Finally, you just nest the role groups into the permissions groups so if, for example, the business requirement is that Managers can delete widgets, you would add the Managers group as a member of the CanDeleteWidgets group. While this may seem more complex, it makes it extremely simple to respond to changing business security requirements (i.e. "Technicians need to be able to delete widgets" - Piece of cake. Add the Technicians role group to the CanDeleteWidgets permissions group and you're done).

As far as logging in automatically, yes, there are a number of ways you can automatically log in a user. For winforms apps, you should just be able to grab the currently logged in user and use that. For web apps, if you can use integrated authentication, you end up with the same thing. Your web server will handle the authentication piece and send over the DOMAIN\USERNAME of the user in a server header variable.
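The nested-group scheme above, as an added example that is not part of the original answer: a small in-memory model (constructed users, groups and directory, standing in for what a real app would read from AD's memberOf or tokenGroups) of permission groups, role groups and transitive membership. It shows why a check against a user's direct group list alone misses the nested permission groups, and how a new business requirement becomes a single group nesting.

```python
# Added example, not from the original answer: in-memory model of the
# "role groups nested into permission groups" authorization scheme.
# All names below are constructed for illustration.
from collections import deque

# Constructed directory: each group maps to its direct members (users or groups).
DIRECTORY = {
    # Permission groups: one per securable action in the application.
    "CanDeleteWidgets": {"Managers"},
    "CanEditWidgets": {"Managers", "Coordinators"},
    "CanAddWidgets": {"Managers", "Coordinators", "Technicians"},
    # Role groups: where the users are actually placed.
    "Managers": {"alice"},
    "Coordinators": {"bob"},
    "Technicians": {"carol"},
}

def direct_groups(principal, directory=DIRECTORY):
    """Groups listing `principal` as a direct member (like AD's memberOf)."""
    return {g for g, members in directory.items() if principal in members}

def effective_groups(user, directory=DIRECTORY):
    """Transitive membership: walk from the user through role groups up into
    permission groups. The `seen` set also terminates the walk if someone
    nests groups in a cycle."""
    seen, queue = set(), deque([user])
    while queue:
        principal = queue.popleft()
        for group in direct_groups(principal, directory):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen

def is_authorized(user, permission, directory=DIRECTORY):
    """Authorization check: does the user hold `permission` via any role group?"""
    return permission in effective_groups(user, directory)

def grant_role(role, permission, directory=DIRECTORY):
    """Respond to a changed business requirement by nesting the role group
    into the permission group; no per-user edits are needed."""
    directory.setdefault(permission, set()).add(role)

if __name__ == "__main__":
    # alice is only directly in Managers, yet is authorized through nesting.
    assert "CanDeleteWidgets" not in direct_groups("alice")   # naive check fails
    assert is_authorized("alice", "CanDeleteWidgets")
    assert not is_authorized("carol", "CanDeleteWidgets")
    grant_role("Technicians", "CanDeleteWidgets")  # "Technicians need to delete widgets"
    assert is_authorized("carol", "CanDeleteWidgets")
    print("nested-group authorization checks passed")
```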