问题描述
我目前正在 .NET 环境(n 层)中使用企业应用程序,我想知道在我的 BussinessLayer (BL) 中管理身份验证/授权 + 数据过滤的最佳方法.我们将从多个接口(ASP.NET 应用程序和 Web 服务)使用该 BL,我认为我的 ServiceLayer 应该可以完成这项工作,但我找不到最好的方法.
I am currently working with an enterprise application in a .NET environment (n-layered) and I would like to know the best way to manage authentication / authorization + data filtering in my BussinessLayer (BL). We will use that BL from several interfaces (ASP.NET applications and WebServices) and I think that my ServiceLayer should do the job but I just can't find the best way.
我想它可能是这样的:(1) 用户获得身份验证(ASP.NET Web 客户端),可能使用 FormsAuthentication.(2) ASP .NET 代码(Controller/CodeBehind)实例化一个服务来完成一些用户案例,以某种方式传递用户".(3) 服务方法检查用户"是否存在(身份验证)及其角色(授权)以验证他是否可以调用该方法.如果未经过身份验证或授权,则会引发异常.(4) 服务使用存储库 + 其他服务 + 完成工作所需的任何东西.如果需要某种细粒度过滤(例如用户仅对某些项目具有权限),该服务会自动应用它.
I suppose it could be something like this:(1) User gets authenticated (ASP.NET web client), perhaps using FormsAuthentication.(2) ASP .NET code (Controller / CodeBehind) instanciate a Service to get some user case done, passing somehow the 'User'.(3) Service method checks if 'User' exists (authentication) and his roles (authorization) to verify that he can call that method. If not authenticated or authorized an exception is thrown.(4) Service uses repositories + other services + whatever it needs to get the job done. If some kind of fine-grain filtering is required (for example the User only has permissions over some projects) the service applies it automatically.
我想要的是将 ServiceLayer 与网络内容"(不是访问会话...)隔离开来,但谁知道用户调用其方法以正确操作.此外,我不知道如何以良好的方式将该工作与 ASP .NET 身份验证相匹配......我正在考虑在 Service ctor 中总结用户",以便它的方法具有他们需要的上下文",这可行吗?...我希望能提供一些指示或现有的代码片段.
What I want is to get a ServiceLayer isolated from 'the web stuff' (not accesing session...) but who knows the User calling its methods to act correctly. Also I don't know how to match that work with ASP .NET authentication in a good manner...I am thinking in suministrating the 'User' in the Service ctor, so that its methods have the 'context' they need, could that work?... I would appreciate some indications or existing code snippets on that.
感谢您的帮助...
推荐答案
首先,Authentication 和 Authorization 是两个独立的东西.你的问题暗示你已经知道这一点,但我只是想明确说明这一点.
First of all, Authentication and Authorization are two separate things. Your question implies that you already know this, but I just wanted to be explicit about it.
身份验证应该发生在应用程序边界(例如 Web 应用程序中的表单身份验证).
Authentication should happen at the application boundary (e.g. Forms Authentication in a web application).
默认方法是身份验证模块设置 Thread.CurrentPrincipal 验证成功后.
The default approach is that the Authentication module sets Thread.CurrentPrincipal upon successful authentication.
一般来说,IPrincipal 是在 .NET 中建模用户上下文的标准基础.例如,HttpContext.User 是一个 IPrincipal.
In general, IPrincipal is the standard basis for modeling user context in .NET. For example, HttpContext.User is an IPrincipal.
在域模型和数据访问模块中,您可以使用 Thread.CurrentPrincipal 来实现授权逻辑.这使您可以独立地改变身份验证和授权.
In your Domain Model and Data Access modules, you can use Thread.CurrentPrincipal to implement Authorization logic. This allows you to vary Authentication and Authorization independently of each other.
这篇关于授权&服务层(.NET 应用程序)中的用户信息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!