I have an MVC 3 app that I'm building, and need to figure out a good solution for managing authentication and authorization. I've used Membership, and I don't want to use it in this case -- I prefer to use my own design and tables. However, I'm open to implementing my custom logic using the built-in interfaces, if that is appropriate.
我正在构建一个MVC 3应用程序,需要找到一个管理身份验证和授权的好解决方案。我使用过Membership,在这种情况下我不想使用它 - 我更喜欢使用自己的设计和表格。但是,如果合适的话,我愿意使用内置接口实现我的自定义逻辑。
Here are my requirements:
这是我的要求:
-
A user can be part of one or multiple roles.
用户可以是一个或多个角色的一部分。
-
Roles may be mapped to any number of "permissions" (many-to-many). A permission is something like "Can edit other users' posts".
角色可以映射到任意数量的“权限”(多对多)。权限类似于“可以编辑其他用户的帖子”。
-
Each controller action may allow access to one or more roles (or may have no authorization required, for public pages).
每个控制器动作可以允许访问一个或多个角色(或者对于公共页面可以不需要授权)。
-
I will also need "feature-level" control over which roles can see/update various elements on a view. May use permissions to drive these vs. roles.
我还需要“功能级别”控制哪些角色可以查看/更新视图上的各种元素。可以使用权限来驱动这些角色。
-
As a side note, I will probably also allow members to sign up using their Facebook and/or Twitter accounts. But this can be done independently of my custom membership implementation, if that is appropriate (i.e. create a custom user on signup, then tie it to FB/Twitter account).
作为附注,我可能还允许会员使用他们的Facebook和/或Twitter帐户进行注册。但这可以独立于我的自定义成员身份实现,如果这是合适的(即在注册时创建自定义用户,然后将其绑定到FB / Twitter帐户)。
I'm sure somebody has done something like this before. But based on the dozen or more blogs and SO posts I've seen on this topic, none of the solutions really fit this, it doesn't seem. But there's a good chance I'm just not able to fit the pieces together, and something appropriate is staring me right in the face.
我确定之前有人做过这样的事情。但基于我在这个主题上看到的十几个博客和SO帖子,没有一个解决方案真的适合这个,它似乎并不存在。但是我很有可能无法将各个部分组合在一起,而且恰到好处的是正确地盯着我。
For example, I've read some about "claim based" authentication vs. "role based", but not sure I understand the differences enough to make a call, nor weather or not they require ASP.NET Membership. I've also read about building custom membership by implementing IPrincipal and IIdentity and using action filters to drive controller access, but I'm not finding any comprehensive guides to doing this, and I'm still fairly green with action filters.
例如,我已经阅读了一些关于“基于声明”的身份验证与“基于角色”的身份验证,但不确定我是否了解足以进行呼叫的差异,也不确定天气是否需要ASP.NET成员身份。我还读到了通过实现IPrincipal和IIdentity并使用动作过滤器来驱动控制器访问来构建自定义成员资格,但我没有找到任何全面的指南来实现这一点,而且我仍然相当绿色的动作过滤器。
I'm also not sure whether I should be using some of .NET's built-in controls for signup, authentication, forgot password, etc. My instinct is not to, as I usually like building these myself, and I'm also not sure if they would work in a custom setup. But if I'm wrong, let me know.
我也不确定是否应该使用一些.NET的内置控件进行注册,身份验证,忘记密码等等。我的本能不是,因为我通常喜欢自己构建这些,我也不确定如果他们可以在自定义设置中工作。但如果我错了,请告诉我。
Thanks in advance.
提前致谢。
1 个解决方案
#1
4
Remember that there's 2 different parts to the ASP.NET Authentication / Authorization framework. The first is the front end with membership and role providers and then there's the back-end using the SqlMembershipProvider and SqlRoleProvider.
请记住,ASP.NET身份验证/授权框架有两个不同的部分。第一个是具有成员资格和角色提供者的前端,然后是使用SqlMembershipProvider和SqlRoleProvider的后端。
In my personal experience, I've found it easiest to write my own custom versions of MembershipProvider and RoleProvider. I think it will satisfy every one of your requirements.
根据我的个人经验,我发现编写自己的MembershipProvider和RoleProvider自定义版本最简单。我认为它将满足您的每一个要求。
Update: Jared asked me: "It seems implementing MembershipProvider and RoleProvider adds a lot of overhead (and fluff) that I will never need/use. Is this still the way to go? What do I benefit from doing this?"
更新:Jared问我:“似乎实现MembershipProvider和RoleProvider增加了许多我永远不需要/使用的开销(和绒毛)。这仍然是要走的路吗?这样做我有什么好处?”
I think if you use the Authentication / Authorization framework, you can take advantage of lots of built in stuff. For example you can decorate controllers their methods authorization based on roles such as [Authorize(Roles = "DefaultUser")]. Also you can put this sort of checking code directly in the views if needed like:
我认为如果您使用身份验证/授权框架,您可以利用许多内置的东西。例如,您可以根据[Authorize(Roles =“DefaultUser”)]等角色来设置控制器的方法授权。如果需要,您也可以直接在视图中放置这种检查代码,例如:
<% if (Request.IsAuthenticated) { %>
<p>Only authenticated users see this.</p>
<% } %>
In addition, Authentication / Authorization takes care of the dirty work of setting up role / user cookies and encrypting them. If you roll your own, then this is something you have to do yourself.
此外,身份验证/授权负责设置角色/用户cookie和加密它们的繁琐工作。如果你自己动手,那么这就是你必须自己做的事情。
Jared also wants, "A user can be part of one or multiple roles." and "Roles may be mapped to any number of "permissions" (many-to-many). A permission is something like "Can edit other users' posts".
Jared还希望,“用户可以成为一个或多个角色的一部分。”并且“角色可以映射到任意数量的”权限“(多对多)。权限类似于”可以编辑其他用户的帖子“。
I consider roles and permissions the same thing. So a single user could have multiple roles and permissions. Like "CanEditPosts" "Admin" etc.
我认为角色和权限是一回事。因此,单个用户可以拥有多个角色和权限。比如“CanEditPosts”“Admin”等。
#1
4
Remember that there's 2 different parts to the ASP.NET Authentication / Authorization framework. The first is the front end with membership and role providers and then there's the back-end using the SqlMembershipProvider and SqlRoleProvider.
请记住,ASP.NET身份验证/授权框架有两个不同的部分。第一个是具有成员资格和角色提供者的前端,然后是使用SqlMembershipProvider和SqlRoleProvider的后端。
In my personal experience, I've found it easiest to write my own custom versions of MembershipProvider and RoleProvider. I think it will satisfy every one of your requirements.
根据我的个人经验,我发现编写自己的MembershipProvider和RoleProvider自定义版本最简单。我认为它将满足您的每一个要求。
Update: Jared asked me: "It seems implementing MembershipProvider and RoleProvider adds a lot of overhead (and fluff) that I will never need/use. Is this still the way to go? What do I benefit from doing this?"
更新:Jared问我:“似乎实现MembershipProvider和RoleProvider增加了许多我永远不需要/使用的开销(和绒毛)。这仍然是要走的路吗?这样做我有什么好处?”
I think if you use the Authentication / Authorization framework, you can take advantage of lots of built in stuff. For example you can decorate controllers their methods authorization based on roles such as [Authorize(Roles = "DefaultUser")]. Also you can put this sort of checking code directly in the views if needed like:
我认为如果您使用身份验证/授权框架,您可以利用许多内置的东西。例如,您可以根据[Authorize(Roles =“DefaultUser”)]等角色来设置控制器的方法授权。如果需要,您也可以直接在视图中放置这种检查代码,例如:
<% if (Request.IsAuthenticated) { %>
<p>Only authenticated users see this.</p>
<% } %>
In addition, Authentication / Authorization takes care of the dirty work of setting up role / user cookies and encrypting them. If you roll your own, then this is something you have to do yourself.
此外,身份验证/授权负责设置角色/用户cookie和加密它们的繁琐工作。如果你自己动手,那么这就是你必须自己做的事情。
Jared also wants, "A user can be part of one or multiple roles." and "Roles may be mapped to any number of "permissions" (many-to-many). A permission is something like "Can edit other users' posts".
Jared还希望,“用户可以成为一个或多个角色的一部分。”并且“角色可以映射到任意数量的”权限“(多对多)。权限类似于”可以编辑其他用户的帖子“。
I consider roles and permissions the same thing. So a single user could have multiple roles and permissions. Like "CanEditPosts" "Admin" etc.
我认为角色和权限是一回事。因此,单个用户可以拥有多个角色和权限。比如“CanEditPosts”“Admin”等。