1
我已經將使用ASP.NET的動態數據Web應用程序放在一起。我也爲AuthorizationManager組裝了一些類。我不確定的一件事是如何將其插入到Web應用程序中,以便只有基於ADFS聲明的特定角色的用戶才能訪問該應用程序。爲了安全起見,我抽取了小部分代碼。這裏有文件,我到目前爲止有:使用ADFS的ASP.NET Web應用程序授權聲明
AuthorizationHelper:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Web;
namespace ApplicationManager.Authorization
{
public class AuthorizationHelper
{
/// <summary>
/// Checks the access.
/// </summary>
/// <param name="resource">The resource.</param>
/// <param name="action">The action.</param>
/// <returns></returns>
public static bool CheckAccess(string resource, string action)
{
AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
return FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager.CheckAccess(context);
}
/// <summary>
/// Checks the access for an action based on user context.
/// </summary>
/// <param name="resource">The resource.</param>
/// <param name="action">The action.</param>
/// <param name="user">The user.</param>
/// <returns></returns>
public static bool CheckAccess(string resource, string action, UserInfo user)
{
AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
AuthorizationManager authManager = (AuthorizationManager)FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager;
return authManager.CheckAccess(context, user);
}
/// <summary>
/// Confirmes the logged in user has access to perform the specified action on the user.
/// </summary>
/// <param name="resource">The resource.</param>
/// <param name="action">The action.</param>
/// <param name="user">The user.</param>
/// <exception cref="System.Security.SecurityException"></exception>
public static void ConfirmAccess(string resource, string action, UserInfo user)
{
if (!CheckAccess(resource, action, user))
{
throw new SecurityException(string.Format("{0} does not have rights to manage {1}. Please contact the idm security administrator.", HttpContext.Current.User.Identity.Name, user.UserId));
}
}
}
}
AuthorizationManager:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using ApplicationManager.Models;
namespace ApplicationManager.Authorization
{
public class AuthorizationManager : ClaimsAuthorizationManager
{
private const string HelpDeskRole = @"****_Helpdesk";
private const string UsersRole = @"****_ADMIN_USERS";
private const string SupportRole = @"****_Admin_Support";
private const string SuperUsersRole = @"****_ADMIN_SUPERUSERS";
private const string ReportingRole = @"****_ADMIN__Reporting";
private const string AdminRole = @"****_Admin_Administrator";
private const string PersonalUserManagmentRole = @"****_PERSONAL_USER_MANAGEMENT";
private const string ProfessionalUserManagmentRole = @"****_PROF_USER_MANAGEMENT";
private static readonly string[] AllRoles = new string[] { HelpDeskRole, UsersRole, SupportRole, SuperUsersRole, ReportingRole, AdminRole };
private static readonly string[] CustomRoles = new string[] { SuperUsersRole, AdminRole };
public bool CheckAccess(AuthorizationContext context, UserInfo user)
{
if (!context.Principal.Identity.IsAuthenticated)
{
return false;
}
string resource = context.Resource.First().Value;
string action = null;
if (context.Action.Count > 0)
{
action = context.Action.First().Value;
}
switch (resource)
{
case Resources.ApplicationManager:
return IsAuthorizedForApplications(context.Principal, action);
}
return false;
}
private bool IsAuthorizedForApplications(IClaimsPrincipal claimsPrincipal, string action)
{
switch (action)
{
case Operations.ApplicationManager:
return IsInAnyRole(claimsPrincipal, CustomRoles);
}
return false;
}
public bool IsInAnyRole(IClaimsPrincipal principal, string[] roles)
{
foreach (string role in roles)
{
if (principal.IsInRole(role))
{
return true;
}
}
return false;
}
}
}
操作:
namespace ApplicationManager.Authorization
{
public class Operations
{
public const string ApplicationManager = "Applications";
}
}
資源:
namespace ApplicationManager.Authorization
{
public class Resources
{
public const string ApplicationManager = "Applications";
}
}
我想插入這一切,並拒絕使用基於用戶角色的應用程序。我確實有模型,以獲得用戶ID和userrole。我需要知道在何處以及如何對其進行編碼以基於用戶角色阻止對完整應用程序的訪問。
聽起來像是你可以寫一個HttpModule和插件這到你的web.config http://msdn.microsoft.com/en-us/library/zec9k340%28v=vs .85%29.aspx – geedubb
我讀過那篇文章,對我來說這沒有意義。儘管如此,還是有點新鮮。 – Skrubb