Implementing Security in ASP.NET Web App as afterthought

Submitted by 故事扮演 on 2019-12-08 01:01:13

Question


As with many real-world applications out there, the security (login/password) was just there to grant/deny access to the complete application. Now the client has asked for fine-grained security: some web pages should only be viewable, some users can delete and others cannot, etc. Basically the client is requesting the following.

Effective Permission: Users --> Web page --> Type of Access (View, Create/Edit, Delete)

Details of Application

  • ASP.NET/C#
  • MSSQL Server 2008 for Biz data
  • SQLCE for users/passwords/profiles/logs
  • Ext.NET for main UI

We discussed that it is better to enhance the security.sdf file and have a table for screens (webpages) and a join table of user + screens + a number that denotes type of access i.e.

  • 1: Read
  • 2: Write
  • 4: Delete

These can be checked using a bitwise operator. The application uses ASP.NET impersonation to gain access to MSSQL 2008.

The problem is how to implement it in the web application?

If anyone has better ideas please share!!!


Answer 1:


You can use the IsInRole function and categorize your users into roles. Each role can have some actions that only it can do. So by asking which role the user is in, you can let him do things or not.

HttpContext.Current.User.IsInRole("Role")

Or you can do it the other way round: ask whether this action is available for this role. Here is a simple object with permissions and checks.

using System.Web;

public enum csPermissions
{
    pActionDelete = 1,
    pActionEdit = 2,
    // more names...
}

public static class PermissionChecker
{
    // static so the static IsThisAllowed can read them
    private static readonly int[] AdminPermission = {
        (int)csPermissions.pActionEdit,
        (int)csPermissions.pActionDelete,
        // more permissions...
    };

    private static readonly int[] BackOfficePermission = {
        (int)csPermissions.pActionEdit,
        // more permissions...
    };

    public static bool IsThisAllowed(csPermissions AskPermitForThisAction)
    {
        // questions here for all users roles...
        // here is only an example
        if (HttpContext.Current.User.IsInRole("Administrator"))
        {
            for (int i = 0; i < AdminPermission.Length; i++)
                if (AdminPermission[i] == (int)AskPermitForThisAction)
                    return true;
        }

        // no permission found
        return false;
    }
}

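Putting the question's user + screen + access-number scheme together with the answer's server-side check, as an added example (not code from the question or the answer): a [Flags] enum for the 1/2/4 bits, an in-memory stand-in for the join table in security.sdf, and a page that denies before rendering. OrdersPage, Orders.aspx, alice and bob are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Added example, not code from the question or answer: per-user, per-screen
// access masks (1 Read, 2 Write, 4 Delete) checked with bitwise operators.
[Flags] public enum ScreenAccess { None = 0, Read = 1, Write = 2, Delete = 4 }

public class ScreenPermissions
{
    // In-memory stand-in for the user + screen + access join table in security.sdf.
    private readonly Dictionary<string, ScreenAccess> _grants =
        new Dictionary<string, ScreenAccess>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string user, string screen, ScreenAccess access)
    {
        ScreenAccess existing;
        _grants.TryGetValue(user + "|" + screen, out existing);
        _grants[user + "|" + screen] = existing | access;   // OR in the new bit(s)
    }
    // Default deny: no row for this user/screen means no access at all.
    public bool HasAccess(string user, string screen, ScreenAccess required)
    {
        ScreenAccess granted;
        if (!_grants.TryGetValue(user + "|" + screen, out granted)) return false;
        return (granted & required) == required;   // every requested bit must be set
    }
}
// Enforce the check server-side in the page's code-behind, not only by hiding
// buttons in the Ext.NET UI. Page, screen and user names are hypothetical.
public partial class OrdersPage : Page
{
    private static readonly ScreenPermissions Permissions = BuildSample();
    private static ScreenPermissions BuildSample()   // constructed sample grants
    {
        var p = new ScreenPermissions();
        p.Grant("alice", "Orders.aspx", ScreenAccess.Read | ScreenAccess.Write);
        p.Grant("bob", "Orders.aspx", ScreenAccess.Read);   // bob can view, not edit
        return p;
    }
    protected void Page_Load(object sender, EventArgs e)
    {
        string user = User.Identity.Name;   // the authenticated (impersonated) user
        if (!Permissions.HasAccess(user, "Orders.aspx", ScreenAccess.Read))
        {
            Response.StatusCode = 403;      // deny before any data is rendered
            Response.End();
        }
    }
}
```

With these grants, HasAccess("bob", "Orders.aspx", ScreenAccess.Write) is false and a user with no row at all is denied even Read, so the database row is the single source of truth rather than the UI.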

Source: https://stackoverflow.com/questions/10880286/implementing-security-in-asp-net-web-app-as-afterthought
