问题描述
我一直想约的NetSqlAzMan项目原来的(和/或电流)动机字里行间。
是这样写的?
-
对于Windows授权管理器的适配器器(AzMan)。凡在NetSqlAzMan方法只是通过调用(Windows授权管理器(AzMan)),但也许有更好/更清洁的方法?
-
一个替代品(Windows授权管理器(AzMan))。凡(大部分或全部)中可用的功能(Windows授权管理器(AzMan))正在重建中NetSqlAzMan,但code的自主研发。(也许是为了提供DOTNET的4.0支持???)(也许是为了消除任何COM依赖)
-
要提供比(Windows授权管理器(AzMan)),提供了更多的功能。阿卡,一个聪明/更好的版本(Windows授权管理器(AzMan))。
-
要重写还留着一个半死的活的项目,通过开源。 (如,或许(Windows授权管理器(AzMan)))是Microsoft死或废弃项目)。
-
其他的?
...........
我喜欢NetSqlAzMan的对象模型。但我要捍卫用它来我的项目经理(S)和其他开发人员的任何决定。对象模型似乎恰到好处(认为金发和产床)至于什么我渴望安全。我不想做的基于角色的安全。我想正确的(或任务或许可)的安全性。
(请参见:http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/和<一href="http://granada$c$cr.word$p$pss.com/2010/12/01/rant-hard-$c$cd-security-roles/">http://granada$c$cr.word$p$pss.com/2010/12/01/rant-hard-$c$cd-security-roles/)
和基本上是想出的问题是:什么是使用的好处NetSqlAzMan,而不是(Windows授权管理器(AzMan))
和子的问题是是的Windows授权管理器(AzMan)死了吗?。 (和沿万岁NetSqlAzMan线的东西!)。
............
我在-总体要求是:
非活动目录用户。 (下山的路Active Directory和/或LDAP的支持将是很好的,但不是必须的)。密码没有存储为纯文本。能够处理的权利的安全检查。
集团下的任何角色的权限。向用户分配角色。 (但同样,code将执行行动时,检查的权利,而不是角色。)允许(有时)的权利要分配给用户。使用拒绝覆盖。 (阿卡,谁做的愚蠢的事(如删除员工单个用户)可以撤销的权利。)角色和权限可维持多个应用程序。
所以其他的想法是值得欢迎的。但是,Windows身份验证基础似乎有点矫枉过正。
感谢。
我终于找到了比较的文章最后一晚。
http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx
我要的相关部分粘贴在这里(下图)。 (以防万一,该网站不再在未来存在。小的机会,我知道,但我不喜欢的答案就在这里的链接,当你点击链接,它是一个死一个。)
这是我可以告诉。
NetSqlAzMan提供了(表)的用户定义函数,可以重载向用户提供的列表(要分配给角色/任务)。NetSqlAzMan不仅提供了是的,你可以在映射(格兰特),而且还拒绝和格兰特与 - 代表为好。NetSqlAzMan和阿兹曼允许用户(组),以角色映射。只有NetSqlAzMan允许用户任务的映射。
在看几样...... NetSqlAzMan的对象模型是非常干净的。
=============================================== ========
下面是另外一个疑难杂症。
阿兹曼样品code:<一href="http://channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-$c$c">http://channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-$c$chttp://channel9.msdn.com/forums/sandbox/252973-Programming-AzMan-Sample-$c$c
使用系统;
使用System.Security.Principal;
使用了System.Runtime.InteropServices;
使用AZROLESLib;
命名空间TREYRESEARCH {
公共类AzManHelper:IDisposable的{
AzAuthorizationStore店;
IAzApplication应用;
字符串的appName;
公共AzManHelper(字符串的connectionString,字符串的appName){
this.appName =的appName;
尝试 {
//加载和初始化AzMan的运行时间
店内=新AzAuthorizationStore();
store.Initialize(0,的connectionString,NULL);
//深入到我们的应用程序
应用= store.OpenApplication(的appName,NULL);
}
赶上(收到COMException X){
抛出新AzManException(无法initizlize AzManHelper,X);
}
赶上(System.IO.FileNotFoundException X){
抛出新AzManException(的String.Format( - ,的connectionString),X无法加载AzMan的政策从{0}确保您的连接字符串是正确的。);
}
}
公共无效的Dispose(){
如果(空==应用程序)的回报;
对Marshal.ReleaseComObject(应用程序);
对Marshal.ReleaseComObject(店);
应用= NULL;
店内= NULL;
}
公共BOOL的AccessCheck(字符串审核,业务操作,
的WindowsIdentity CLIENTIDENTITY){
尝试 {
//第一步是建立一个AzMan的上下文客户端
//此着眼于安全标识符(SID)在用户的
//访问令牌,并将它们映射到AzMan的角色,任务和操作
IAzClientContext CTX = app.InitializeClientContextFromToken(
(ULONG)clientIdentity.Token.ToInt64(),NULL);
//下一步就是看是否该用户被授权
//请求的操作。需要注意的是AccessCheck的允许
//你要检查多个操作一次,如果你的愿望
[对象]范围= {};
[对象]操作= {(INT)OP};
[对象]结果=(对象[])ctx.AccessCheck(审计,范围,操作,
NULL,NULL,NULL,NULL,NULL);
INT结果=(int)的结果[0];
返回0 ==结果;
}
赶上(收到COMException X){
抛出新AzManException(AccessCheck的失败,X);
}
}
公共BOOL AccessCheckWithArg(字符串审核,业务操作,
的WindowsIdentity CLIENTIDENTITY,
串argName,反对argValue){
尝试 {
//第一步是建立一个AzMan的上下文客户端
//此着眼于安全标识符(SID)在用户的
//访问令牌,并将它们映射到AzMan的角色,任务和操作
IAzClientContext CTX = app.InitializeClientContextFromToken(
(ULONG)clientIdentity.Token.ToInt64(),NULL);
//下一步就是看是否该用户被授权
//请求的操作。需要注意的是AccessCheck的允许
//你要检查多个操作一次,如果你的愿望
[对象]范围= {};
[对象]操作= {(INT)OP};
[对象] argNames = {argName};
[对象] argValues = {argValue};
[对象]结果=(对象[])ctx.AccessCheck(审计,范围,操作,
argNames,argValues,
NULL,NULL,NULL);
INT结果=(int)的结果[0];
返回0 ==结果;
}
赶上(收到COMException X){
抛出新AzManException(AccessCheckWithArg失败,X);
}
}
//使用这个更新运行的应用程序
你改变AzMan的政策//后
公共无效UpdateCache(){
尝试 {
store.UpdateCache(空);
对Marshal.ReleaseComObject(应用程序);
应用= store.OpenApplication(的appName,NULL);
}
赶上(收到COMException X){
抛出新AzManException(UpdateCache失败,X);
}
}
}
公共类AzManException:异常{
公共AzManException(字符串消息,异常的InnerException)
:基地(消息的InnerException)
{}
}
}
这是阿兹曼帮手code。这是丑陋的COM / Interopish的东西。 :其中;
现在检查NetSqlAzMan code样品:
<一个href="http://netsqlazman.$c$cplex.com/wikipage?title=Samples">http://netsqlazman.$c$cplex.com/wikipage?title=Samples
///&LT;总结&gt;
///通过创建.NET code一个完整的存储
///&LT; /总结&gt;
私人无效CreateFullStorage()
{
//用户必须是SQL数据库角色的成员:NetSqlAzMan_Administrators
//的Sql存储连接字符串
字符串sqlConnectionString =数据源=(本地);初始目录= NetSqlAzManStorage;用户ID = netsqlazmanuser;密码=密码;
//创建SqlAzManStorage类的一个实例
IAzManStorage存储=新SqlAzManStorage(sqlConnectionString);
//开放式存储连接
storage.OpenConnection();
//开始一个新的事务
storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
//创建一个新的商店
IAzManStore newStore = storage.CreateStore(我的店,店铺介绍);
//创建一个新的基本StoreGroup
IAzManStoreGroup newStoreGroup = newStore.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(),我的存储组,存储组说明的String.Empty,GroupType.Basic);
//获得当前用户的SID
IAzManSid糠=新SqlAzManSID(WindowsIdentity.GetCurrent()用户。);
//添加自己为我的店集团的SID
IAzManStoreGroupMember storeGroupMember = newStoreGroup.CreateStoreGroupMember(糠,WhereDefined.Local,真正的);
//创建一个新的应用程序
IAzManApplication NEWAPP = newStore.CreateApplication(新应用,应用说明);
//创建一个新角色
IAzManItem newRole = newApp.CreateItem(新角色,角色介绍,ItemType.Role);
//创建一个新的任务
IAzManItem newTask = newApp.CreateItem(新任务,任务描述,ItemType.Task);
//创建一个新的操作
IAzManItem newOp = newApp.CreateItem(新工作,操作说明,ItemType.Operation);
//添加新经营为新任务一个SID
newTask.AddMember(newOp);
//添加新任务为新角色一个SID
newRole.AddMember(newTask);
//的新角色为自己创建一个授权
IAzManAuthorization AUTH = newRole.CreateAuthorization(糠,WhereDefined.Local,糠,WhereDefined.Local,AuthorizationType.AllowWithDelegation,NULL,NULL);
//创建一个自定义属性
IAzManAttribute&LT; IAzManAuthorization&GT; ATTR = auth.CreateAttribute(新钥匙,新价值);
//创建的新角色的授权数据库用户安德烈
IAzManAuthorization auth2 = newRole.CreateAuthorization(糠,WhereDefined.Local,storage.GetDBUser(安德烈)CustomSid,WhereDefined.Local,AuthorizationType.AllowWithDelegation,NULL,NULL);
//提交事务
storage.CommitTransaction();
//关闭连接
storage.CloseConnection();
}
这是讲述一个故事的本身。
I've been trying to "read between the lines" about the original (and/or current) motivation for the NetSqlAzMan project.
Was this written for?
An adapter for Windows Authorization Manager (AzMan). Where the methods in the NetSqlAzMan just passes calls to (Windows Authorization Manager (AzMan)), but perhaps with nicer/cleaner methods?
A replacement for (Windows Authorization Manager (AzMan)). Where (most or all of) the features available in (Windows Authorization Manager (AzMan)) are recreated in NetSqlAzMan, but the code was developed independently.(Perhaps to provide DotNet 4.0 support???) (Perhaps to remove any COM dependencies)
To provide more features than (Windows Authorization Manager (AzMan)) provided. Aka, a "smarter"/"better" version of (Windows Authorization Manager (AzMan)).
To rewrite but also keep a semi-dead project alive through open-source. (As in, perhaps (Windows Authorization Manager (AzMan))) is a dead or abandoned project by Microsoft).
Other?
................
I like the object model of NetSqlAzMan. But I need to defend any decision to use it to my project manager(s) and other developers.The object model seems "just right" (think goldilocks and the middle bed) as far as what I desire for security.I do NOT want to do role based security. I want right(or task or permission) based security.
(See:http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/andhttp://granadacoder.wordpress.com/2010/12/01/rant-hard-coded-security-roles/)
And basically the question that came up is: "What is the advantage of using NetSqlAzMan instead of (Windows Authorization Manager (AzMan))?"
And the sub question is "Is Windows Authorization Manager (AzMan) dead?". (And something along the lines of Long Live NetSqlAzMan!).
..................
My in-general requirements are:
Non Active-Directory users. (Down the road Active Directory and/or LDAP support would be nice, but not a requirement).Passwords not stored as plain text.Be able to handle RIGHTS for security checks.
Group the rights under any role.Assign roles to users. (But again, the code will check for the right, not the role when performing an action.)Allow (on occasion) rights to be assigned to users. With a Deny override. (Aka, a single user who does on stupid thing (like "Delete Employee") can have that right revoked.)Roles and Rights can be maintained for multiple applications.
So other ideas are welcome. But Windows Identity Foundation seems like a little overkill.
Thanks.
I finally found a "compare" article last night.
http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx
I am going to paste the relevant portion here (below). (Just in case that website ceases to exist in the future. Small chance, I know, but I hate "The answer is here" links, and when you hit the link, it is a dead one.)
From what I can tell.
NetSqlAzMan provides a (table) user-defined-function that you can overload to provide a list of users (to be assigned to roles/tasks).NetSqlAzMan provides not only "Yeah you can" mappings (Grant), but also Deny and Grant-With-Delegate as well.NetSqlAzMan and Azman allows users(groups) to role mappings. Only NetSqlAzMan allows users to Task mappings.
After looking at a few samples ... the object model of NetSqlAzMan is very clean.
=======================================================
Here's another gotcha.
Azman sample code:http://channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-Codehttp://channel9.msdn.com/forums/sandbox/252973-Programming-AzMan-Sample-Code
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using AZROLESLib;
namespace TreyResearch {
public class AzManHelper : IDisposable {
AzAuthorizationStore store;
IAzApplication app;
string appName;
public AzManHelper(string connectionString, string appName) {
this.appName = appName;
try {
// load and initialize the AzMan runtime
store = new AzAuthorizationStore();
store.Initialize(0, connectionString, null);
// drill down to our application
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("Failed to initizlize AzManHelper", x);
}
catch (System.IO.FileNotFoundException x) {
throw new AzManException(string.Format("Failed to load AzMan policy from {0} - make sure your connection string is correct.", connectionString), x);
}
}
public void Dispose() {
if (null == app) return;
Marshal.ReleaseComObject(app);
Marshal.ReleaseComObject(store);
app = null;
store = null;
}
public bool AccessCheck(string audit, Operations op,
WindowsIdentity clientIdentity) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
null, null, null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheck failed", x);
}
}
public bool AccessCheckWithArg(string audit, Operations op,
WindowsIdentity clientIdentity,
string argName, object argValue) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] argNames = { argName };
object[] argValues = { argValue };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
argNames, argValues,
null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheckWithArg failed", x);
}
}
// use this to update a running app
// after you change the AzMan policy
public void UpdateCache() {
try {
store.UpdateCache(null);
Marshal.ReleaseComObject(app);
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("UpdateCache failed", x);
}
}
}
public class AzManException : Exception {
public AzManException(string message, Exception innerException)
: base(message, innerException)
{}
}
}
That is Azman helper code. That is ugly COM/Interopish stuff. :<
Now check the NetSqlAzMan code samples:
http://netsqlazman.codeplex.com/wikipage?title=Samples
/// <summary>
/// Create a Full Storage through .NET code
/// </summary>
private void CreateFullStorage()
{
// USER MUST BE A MEMBER OF SQL DATABASE ROLE: NetSqlAzMan_Administrators
//Sql Storage connection string
string sqlConnectionString = "data source=(local);initial catalog=NetSqlAzManStorage;user id=netsqlazmanuser;password=password";
//Create an instance of SqlAzManStorage class
IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);
//Open Storage Connection
storage.OpenConnection();
//Begin a new Transaction
storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
//Create a new Store
IAzManStore newStore = storage.CreateStore("My Store", "Store description");
//Create a new Basic StoreGroup
IAzManStoreGroup newStoreGroup = newStore.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), "My Store Group", "Store Group Description", String.Empty, GroupType.Basic);
//Retrieve current user SID
IAzManSid mySid = new SqlAzManSID(WindowsIdentity.GetCurrent().User);
//Add myself as sid of "My Store Group"
IAzManStoreGroupMember storeGroupMember = newStoreGroup.CreateStoreGroupMember(mySid, WhereDefined.Local, true);
//Create a new Application
IAzManApplication newApp = newStore.CreateApplication("New Application", "Application description");
//Create a new Role
IAzManItem newRole = newApp.CreateItem("New Role", "Role description", ItemType.Role);
//Create a new Task
IAzManItem newTask = newApp.CreateItem("New Task", "Task description", ItemType.Task);
//Create a new Operation
IAzManItem newOp = newApp.CreateItem("New Operation", "Operation description", ItemType.Operation);
//Add "New Operation" as a sid of "New Task"
newTask.AddMember(newOp);
//Add "New Task" as a sid of "New Role"
newRole.AddMember(newTask);
//Create an authorization for myself on "New Role"
IAzManAuthorization auth = newRole.CreateAuthorization(mySid, WhereDefined.Local, mySid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Create a custom attribute
IAzManAttribute<IAzManAuthorization> attr = auth.CreateAttribute("New Key", "New Value");
//Create an authorization for DB User "Andrea" on "New Role"
IAzManAuthorization auth2 = newRole.CreateAuthorization(mySid, WhereDefined.Local, storage.GetDBUser("Andrea").CustomSid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Commit transaction
storage.CommitTransaction();
//Close connection
storage.CloseConnection();
}
That tells a story in and of itself.
这篇关于NetSqlAzMan VS AzMan的VS(?????)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!