We understand how to implement authentication and authorization in ASP.NET identity with the WebApi. For instance, we can log a user in and then retrieve both his secure token and role.
We now want to add permissions. For instance, user steve may be in the admin role. Now we want to assign read, edit, and delete permissions to the admin role. How do we do that in ASP.NET Identity? Is there existing permissions infrastructure in ASP.NET Identity?
3 solutions
#1
10
I extended ASP.NET Identity to allow for permissions as you describe it. I did it to decouple the security model from your application model. The problem with the traditional approach of putting roles in an AuthorizeAttribute is you have to design your security model the same time as you design your application, and if you make any changes you have to recompile and redeploy your application. With the approach I came up with you define resources and operations in a custom AuthorizeAttribute, where operations are analogous to permissions. Now you decorate methods like this:
[SimpleAuthorize(Resource = "UserProfile", Operation = "modify")]
public ActionResult ModifyUserProfile()
{
    ViewBag.Message = "Modify Your Profile";
    return View();
}
Then you can assign a resource/operation to a role in the database, configuring your security model during deployment and can modify it without redeployment. I wrote about this approach using SimpleMembership here. And later ported it to ASP.NET Identity here. The articles have links to the full source code with reference applications.
#2
1
You should extend the Identity classes and add this functionality to them. Roles and permissions have a many-to-many relation, so you should change the IdentityRole class to something like this:
public class IdentityRole<TKey, TRolePermission>
{
    public string Title { get; set; }
    // Navigation to the RolePermission join entity (many-to-many with permissions).
    public virtual ICollection<TRolePermission> Permissions { get; set; }
}
As you can see, you want an intermediate object and table named RolePermission. And the Permission class can look something like this:
public class IdentityPermission<TKey, TRolePermission>
{
    public virtual TKey Id { get; set; }
    public virtual string Name { get; set; }
    public virtual string Description { get; set; }
    // Navigation back through the RolePermission join entity.
    public virtual ICollection<TRolePermission> Roles { get; set; }
}
Then you should create a custom AuthorizeAttribute to execute the authentication check on the controllers and actions. That could be something like this:
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;

public class AuthorizePermissionAttribute : AuthorizeAttribute
{
    public string Name { get; set; }
    public string Description { get; set; }
    // Used in the check below but missing from the original snippet.
    public bool IsGlobal { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the built-in authentication/role check, then add the permission check.
        // AuthorizePermission is an extension method provided by the answerer's library.
        return base.AuthorizeCore(httpContext)
            && Task.Run(() => httpContext.AuthorizePermission(Name, Description, IsGlobal)).Result;
    }
}
You can override the AuthorizeCore method to add the permission authentication to the normal Role-based authentication. Although you can do this easily, I implemented it as an open source Permission-based Identity extension here and you can use it directly or get inspired from that to do it on your own.
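The first two answers both describe the same mechanism: permissions stored in the database as a role-to-permission mapping, and a custom AuthorizeAttribute that checks the current user's roles against that mapping on every request. The following is an added example, not code from either answer or from their linked projects. It assumes ASP.NET MVC 5 (System.Web.Mvc) with a claims-based principal as ASP.NET Identity 2.x issues; RolePermission, AppPermission, IPermissionStore, InMemoryPermissionStore and ResourceAuthorizeAttribute are hypothetical names, and the in-memory store is a constructed stand-in for the Identity tables.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Join entity for the many-to-many relation between roles and permissions.
public class RolePermission
{
    public string RoleId { get; set; }
    public string PermissionId { get; set; }
}

// A permission is a (resource, operation) pair, e.g. ("UserProfile", "modify").
public class AppPermission
{
    public string Id { get; set; }
    public string Resource { get; set; }
    public string Operation { get; set; }
}

// Abstraction over the database so the attribute never queries EF directly.
public interface IPermissionStore
{
    // Returns the permissions granted to any of the given role names.
    IEnumerable<AppPermission> PermissionsForRoles(IEnumerable<string> roleNames);
}

// Constructed in-memory store standing in for the Identity role/permission tables.
public class InMemoryPermissionStore : IPermissionStore
{
    private readonly Dictionary<string, HashSet<string>> _rolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, AppPermission> _permissions =
        new Dictionary<string, AppPermission>();

    // Deployment-time configuration: grant (resource, operation) to a role.
    public void Grant(string roleName, string resource, string operation)
    {
        var id = resource + ":" + operation;
        _permissions[id] = new AppPermission { Id = id, Resource = resource, Operation = operation };
        if (!_rolePermissions.ContainsKey(roleName))
            _rolePermissions[roleName] = new HashSet<string>();
        _rolePermissions[roleName].Add(id);
    }

    public IEnumerable<AppPermission> PermissionsForRoles(IEnumerable<string> roleNames)
    {
        return roleNames
            .Where(_rolePermissions.ContainsKey)
            .SelectMany(r => _rolePermissions[r])
            .Distinct()
            .Select(id => _permissions[id]);
    }
}

public class ResourceAuthorizeAttribute : AuthorizeAttribute
{
    // In a real application resolve this from the DI container; static keeps the example self-contained.
    public static IPermissionStore Store { get; set; }
    public string Resource { get; set; }
    public string Operation { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base.AuthorizeCore enforces authentication (and Users/Roles if they were set).
        if (!base.AuthorizeCore(httpContext)) return false;
        // Fail closed: a missing store must deny, never allow.
        if (Store == null) return false;
        var roles = RoleNamesOf(httpContext.User);
        return Store.PermissionsForRoles(roles).Any(p =>
            string.Equals(p.Resource, Resource, StringComparison.OrdinalIgnoreCase) &&
            string.Equals(p.Operation, Operation, StringComparison.OrdinalIgnoreCase));
    }

    // Authenticated but not permitted is 403, not a redirect to the login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }

    private static IEnumerable<string> RoleNamesOf(IPrincipal user)
    {
        var claims = user as ClaimsPrincipal;
        if (claims == null) return Enumerable.Empty<string>();
        return claims.FindAll(ClaimTypes.Role).Select(c => c.Value);
    }
}

public class ProfileController : Controller
{
    // Same shape as the first answer's SimpleAuthorize usage.
    [ResourceAuthorize(Resource = "UserProfile", Operation = "modify")]
    public ActionResult Modify() { return View(); }
}
```

Wiring it up at startup looks like `var store = new InMemoryPermissionStore(); store.Grant("admin", "UserProfile", "modify"); ResourceAuthorizeAttribute.Store = store;`. Because the lookup runs per request against the store, revoking a permission in the database takes effect immediately without redeploying or forcing users to sign in again; the cost is one query per authorized action, which the store can cache.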
#3
0
We can use Role-based Authorization like
[Authorize(Roles = "Administrator")]
public class StoreManagerController : Controller
{
    // Controller code here
}
We can create an enum for permission items like:
public enum PermissionItems
{
    [Group("Users")]
    [Description("Can edit Users")]
    EditUser,
    [Group("Users")]
    [Description("Can view Users")]
    ViewUser,
}
Then we can add these enum values to the database according to role, and check in the method by attribute:
[RequirePermissions(PermissionItems.EditUser)]
public ActionResult Edit(int id)
{
    // Action code here
    return View();
}
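The third answer keeps permissions as an enum and checks them with an attribute. One way to make that concrete is to expand the user's roles into permission claims at sign-in and have the attribute test those claims, so no database call is needed per request. This is an added example, not the answerer's code: GroupAttribute, PermissionClaims, the claim type string, the role table and RequirePermissionsAttribute are all hypothetical, the role-to-permission table is constructed inline where a real application would load it from the database, and it assumes ASP.NET MVC 5 with a ClaimsPrincipal as issued by ASP.NET Identity 2.x.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// The answer's [Group] attribute is not a framework type, so it is defined here.
[AttributeUsage(AttributeTargets.Field)]
public class GroupAttribute : Attribute
{
    public string Name { get; private set; }
    public GroupAttribute(string name) { Name = name; }
}

public enum PermissionItems
{
    [Group("Users")] [Description("Can edit Users")] EditUser,
    [Group("Users")] [Description("Can view Users")] ViewUser,
    [Group("Orders")] [Description("Can delete Orders")] DeleteOrder,
}

public static class PermissionClaims
{
    // Constructed claim type; pick one namespaced to your application.
    public const string ClaimType = "urn:example:permission";

    // Constructed role -> permissions table; load this from the database in a real app.
    public static readonly Dictionary<string, PermissionItems[]> RolePermissions =
        new Dictionary<string, PermissionItems[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "admin", new[] { PermissionItems.EditUser, PermissionItems.ViewUser, PermissionItems.DeleteOrder } },
            { "support", new[] { PermissionItems.ViewUser } },
        };

    // Call once at sign-in: expands the identity's role claims into permission claims.
    public static void AddPermissionClaims(ClaimsIdentity identity)
    {
        var roles = identity.FindAll(ClaimTypes.Role).Select(c => c.Value);
        var permissions = roles
            .Where(RolePermissions.ContainsKey)
            .SelectMany(r => RolePermissions[r])
            .Distinct();
        foreach (var p in permissions)
            identity.AddClaim(new Claim(ClaimType, p.ToString()));
    }

    // Every required permission must be present; an empty requirement list is not a grant.
    public static bool HasAll(ClaimsPrincipal user, PermissionItems[] required)
    {
        if (required == null || required.Length == 0) return false;
        return required.All(p => user.HasClaim(ClaimType, p.ToString()));
    }
}

public class RequirePermissionsAttribute : AuthorizeAttribute
{
    private readonly PermissionItems[] _required;

    public RequirePermissionsAttribute(params PermissionItems[] required)
    {
        _required = required;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Built-in check first: unauthenticated users never reach the permission test.
        if (!base.AuthorizeCore(httpContext)) return false;
        var user = httpContext.User as ClaimsPrincipal;
        return user != null && PermissionClaims.HasAll(user, _required);
    }

    // Signed-in but lacking the permission gets 403 instead of the login redirect.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class UsersController : Controller
{
    [RequirePermissions(PermissionItems.EditUser)]
    public ActionResult Edit(int id) { return View(); }

    [RequirePermissions(PermissionItems.ViewUser)]
    public ActionResult Details(int id) { return View(); }
}
```

With ASP.NET Identity 2.x the claims are added right after the identity is created and before it is signed in, for example after `userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie)` call `PermissionClaims.AddPermissionClaims(identity)` and then pass the identity to the authentication manager. The trade-off against the per-request database lookup of the earlier answers is freshness: permissions baked into the cookie stay valid until the user signs in again (or the cookie is regenerated), so a revocation is not immediate unless you also invalidate sessions.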