I'm developing an ASP.NET MVC intranet website which needs to have a few different user roles (admin, editor, writer, etc.) and the backend uses SQL Server. I read this post by scottgu about role-based security and used that as a starting point. The steps I followed were:
Configured a DB using the asp_regsql.exe application Set the authentication mode to windows
<authentication mode = "Window" />
Added a connection string entry to the Web.config,
<connectionStrings>
<add name="SqlRoleManagerConnection"
connectionString="Data Source=localhost; Initial Catalog=aspservicedb; Integrated Security=SSPI;" />
</connectionStrings>
Added a roleManager entry to the Web.config section,
<roleManager enabled="true" defaultProvider="sqlRoleManager">
<providers>
<clear />
<add name="sqlRoleManager" type="System.Web.Security.SqlRoleProvider"
connectionStringName="SqlRoleManagerConnection"
applicationName="MyApplication" />
</providers>
</roleManager>
Added some role code into the Application_Start() method of the Global.asax.cs file,
if (!Roles.RoleExists("Editor"))
{
Roles.CreateRole("Editor");
}
if (!Roles.RoleExists("Writer"))
{
Roles.CreateRole("Writer");
}
if (!Roles.RoleExists("SiteAdmin"))
{
Roles.CreateRole("SiteAdmin");
Roles.AddUserToRole("MYCOMPUTER\\Matt", "SiteAdmin");
}
Modified my controllers to use the roles:
[Authorize(Roles = "SiteAdmin")]
public class SiteAdminController : Controller
{
.
.
.
}
And this all seems to work at this point but I'm wondering if there is a better approach to handing roles or if there are problems with this approach. It's easy to convince oneself that the approach is a good one because it worked but I'd like to take a different approach now rather than later if this isn't the best approach to solving the problem. Elsewhere I'd read someone say this was "hack" but never really qualified why he wouldn't solve the problem this way. Your thoughts? Do you have a better what to solve this?
In some of my production MVC apps, I simply use the built in sql role provider. It works out of the box, your MVC3 templates will be configured to use it already. Simply open up the admin site from within Visual Studio and manage the security and add your roles, users, users to roles, etc and thats it. Do not use your web.config to manage what roles have access to what URIs, this has been recommended over and over to stay away from in MVC as more than one uri could potentially get to a single route, so you use (as you did) the Authorize attribute in conjunction with the automatic role management, and thats all you need. It's pretty simple.
Well there are two alternatives worth mentioning:
- Configure your role based security right in the web config. This centralizes your security configuration, though it must be updated to mirror your paths / routing, so there's a bit of manual maintenance involved
- Configure your role based security in the database and create custom Action Filter to read, cache, and apply these roles based on the logged in user. This is dynamic but a little more involved because you'll probably have to create an admin screen to edit the configuration.
Let me know if you need examples of these and I can link you.
来源:https://stackoverflow.com/questions/5874239/best-approach-to-user-roles-with-an-intranet-application