Problem description
I am looking into using WCF built-in functionality to aid me in implementing an authorization service that sits on top of WCF. I already have tables such as:
User, Role, Permission (I also have composite entities: UserRole and RolePermission).
The Permission objects have custom properties like CanRead (bool), CanWrite (bool). The roles can contain many permissions.
How does this tie into WCF's existing framework for authorization? I'd like to try not to reinvent the wheel as much as possible. How do I use my own permissions? I can see how the roles work from the .NET examples but not my own custom Permission entities. Any hints to get me started in the right direction? Thanks!
Recommended answer
This article gives a basic overview of the normal way of doing this. Basically you construct a custom principal that contains the data relevant to a user's permissions in an IAuthorizationPolicy and attach the custom principal to the WCF OperationContext. This guarantees that regardless of how the threads are managed you can always access this principal via Thread.CurrentPrincipal.
If your permissions are simply based on role membership you can simply use standard mechanisms like PrincipalPermission.Demand() or wrapping your operations with PrincipalPermissionAttribute.
Alternatively if you have more sophisticated permissions (e.g. Create | Delete | Update etc.), one approach would be to create a custom permission that implements IPermission. This approach also works well for things like value based permissions (e.g. approve orders up to $500). In your code you can then construct the required permission and have it call Demand() to check whether your current custom principal is permitted. If these permissions can be made serializable it often also makes sense to create a companion attribute to support declarative security that uses each permission.
The above approaches integrate nicely with WCF and the .NET security infrastructure and once you get your head around IPermission provide an elegant and maintainable solution.
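The custom-principal approach described in the answer, sketched as an added example (not code from the answer or the article it refers to). `PermissionEntry`, its `Resource` key, `AppPrincipal`, `AppAuthorizationPolicy` and the `LoadPrincipal` data-layer hook are hypothetical names; it assumes the policy is registered under `serviceAuthorization` with `principalPermissionMode="Custom"`.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security;
using System.Security.Principal;
// Assumed shape of one Permission row; Resource is a hypothetical key column.
public sealed class PermissionEntry { public string Resource; public bool CanRead, CanWrite; }
// Custom principal: carries the caller's effective permissions for the whole call.
public sealed class AppPrincipal : IPrincipal
{
    private readonly HashSet<string> roles;
    private readonly Dictionary<string, PermissionEntry> perms = new Dictionary<string, PermissionEntry>(StringComparer.OrdinalIgnoreCase);
    public AppPrincipal(IIdentity identity, IEnumerable<string> roles, IEnumerable<PermissionEntry> rows)
    {
        Identity = identity;
        this.roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
        foreach (var r in rows)   // a user may hold several roles: union their grants
        {
            PermissionEntry p;
            if (!perms.TryGetValue(r.Resource, out p)) perms[r.Resource] = p = new PermissionEntry { Resource = r.Resource };
            p.CanRead |= r.CanRead; p.CanWrite |= r.CanWrite;
        }
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return roles.Contains(role); }
    public bool Can(string resource, bool write) { PermissionEntry p; return perms.TryGetValue(resource, out p) && (write ? p.CanWrite : p.CanRead); }
    public static void Demand(string resource, bool write)   // imperative check; denies when no AppPrincipal is attached
    {
        var me = System.Threading.Thread.CurrentPrincipal as AppPrincipal;
        if (me == null || !me.Can(resource, write)) throw new SecurityException("Access denied: " + resource);
    }
}
public sealed class AppAuthorizationPolicy : IAuthorizationPolicy
{
    // Hypothetical hook set at host startup: builds the principal from User/UserRole/RolePermission.
    public static Func<IIdentity, AppPrincipal> LoadPrincipal;
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext context, ref object state)
    {
        object o;
        var ids = context.Properties.TryGetValue("Identities", out o) ? o as IList<IIdentity> : null;
        if (ids == null || ids.Count == 0) return false;   // no authenticated identity yet: ask to be re-evaluated
        context.Properties["Principal"] = LoadPrincipal(ids[0]);   // becomes Thread.CurrentPrincipal in Custom mode
        return true;
    }
}
```

Inside a service operation, a call such as `AppPrincipal.Demand("Orders", true)` then enforces the write permission for that resource and fails closed when the resource has no entry.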