小贝子编程

使用ADFS声明的ASP.NET Web应用程序授权



我已经使用ASP.NET构建了一个动态数据web应用程序。我还为AuthorizationManager构建了一些类。我不确定的一件事是,如何将其插入网络应用程序中,以便只有根据ADFS的声明担任特定角色的用户才能访问该应用程序。为了安全起见,我提取了一些小代码。以下是到目前为止我拥有的文件:

AuthorizationHelper:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Web;
namespace ApplicationManager.Authorization
{
public class AuthorizationHelper
{
    /// <summary>
    /// Checks the access.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <returns></returns>
    public static bool CheckAccess(string resource, string action)
    {
        AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
        return FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager.CheckAccess(context);
    }
    /// <summary>
    /// Checks the access for an action based on user context.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <param name="user">The user.</param>
    /// <returns></returns>
    public static bool CheckAccess(string resource, string action, UserInfo user)
    {
        AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
        AuthorizationManager authManager = (AuthorizationManager)FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager;
        return authManager.CheckAccess(context, user);
    }
    /// <summary>
    /// Confirmes the logged in user has access to perform the specified action on the user.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <param name="user">The user.</param>
    /// <exception cref="System.Security.SecurityException"></exception>
    public static void ConfirmAccess(string resource, string action, UserInfo user)
    {
        if (!CheckAccess(resource, action, user))
        {
            throw new SecurityException(string.Format("{0} does not have rights to manage {1}.  Please contact the idm security administrator.", HttpContext.Current.User.Identity.Name, user.UserId));
        }
    }
}
}

授权经理:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using ApplicationManager.Models;
namespace ApplicationManager.Authorization
{
public class AuthorizationManager : ClaimsAuthorizationManager
{
    private const string HelpDeskRole = @"****_Helpdesk";
    private const string UsersRole = @"****_ADMIN_USERS";
    private const string SupportRole = @"****_Admin_Support";
    private const string SuperUsersRole = @"****_ADMIN_SUPERUSERS";
    private const string ReportingRole = @"****_ADMIN__Reporting";
    private const string AdminRole = @"****_Admin_Administrator";
    private const string PersonalUserManagmentRole = @"****_PERSONAL_USER_MANAGEMENT";
    private const string ProfessionalUserManagmentRole = @"****_PROF_USER_MANAGEMENT";
    private static readonly string[] AllRoles = new string[] { HelpDeskRole, UsersRole, SupportRole, SuperUsersRole, ReportingRole, AdminRole };
    private static readonly string[] CustomRoles = new string[] { SuperUsersRole, AdminRole };
    public bool CheckAccess(AuthorizationContext context, UserInfo user)
    {
        if (!context.Principal.Identity.IsAuthenticated)
        {
            return false;
        }
        string resource = context.Resource.First().Value;
        string action = null;
        if (context.Action.Count > 0)
        {
            action = context.Action.First().Value;
        }
        switch (resource)
        { 
            case Resources.ApplicationManager:
                return IsAuthorizedForApplications(context.Principal, action);
        }
        return false;
    }
    private bool IsAuthorizedForApplications(IClaimsPrincipal claimsPrincipal, string action)
    {
        switch (action)
        { 
            case Operations.ApplicationManager:
                return IsInAnyRole(claimsPrincipal, CustomRoles);
        }
        return false;
    }
    public bool IsInAnyRole(IClaimsPrincipal principal, string[] roles)
    {
        foreach (string role in roles)
        {
            if (principal.IsInRole(role))
            {
                return true;
            }
        }
        return false;
    }
}
}

操作:

namespace ApplicationManager.Authorization
{
public class Operations
{
    public const string ApplicationManager = "Applications";
}
}

资源:

namespace ApplicationManager.Authorization
{
public class Resources
{
    public const string ApplicationManager = "Applications";
}
}

我想把这一切都插进去,并根据用户的角色拒绝使用该应用程序。我确实有一些模型可以获得userid和userrole。我需要知道在哪里以及如何对其进行编码,以根据用户角色阻止对完整应用程序的访问。

您需要在管道中注册您的声明身份验证管理器。它会根据每一个请求启动:

http://www.brainthud.com/cards/5218/5016/explain-the-usage-of-the-claimsauthorizationmanager-class/

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium