How to restrict web service data contract properties based on user role

Submitted by 家住魔仙堡 on 2019-12-23 04:13:10

Question


I have the following web service:

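using System.Runtime.Serialization;
using System.ServiceModel;

[DataContract]
public class Project
{
    // With [DataContract] applied, only [DataMember] members are serialized.
    [DataMember] public long Id { get; set; }
    [DataMember] public string Name { get; set; }
}

// Interface name is illustrative; the question shows only the operation.
[ServiceContract]
public interface IProjectService
{
    [OperationContract]
    Project GetProject(long Id);
}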

Now I want to add a SecretData property that should only be exposed to certain users. I've come up with several ideas, but none of them sit quite well with me:

  1. Add a nullable SecretData property to Project. If the user doesn't have permission to view it, set it to null. This seems like the simplest approach, but how would a consumer tell the difference between a "no permission" null and a legitimate null value?
  2. Solution 1, but also add a boolean CanViewSecretData property. This addresses the legitimate null problem, but seems cumbersome.
  3. Provide a separate operation SecretDataType GetSecretData(long projectId) to retrieve the secret data, and return an error if the user does not have permission to call it. This keeps the data contract clean, but I see us ending up with lots of separate operations that need to be called in order to construct a full object.

Is there a better approach out there?


Answer 1:


I've got no idea what framework you are using, but from a general web services perspective here is what I suggest. In the XSD for Project, add an optional SecretData element to Project. When the user is not permitted to read SecretData, do not include the element in the response. Otherwise, include the element and when SecretData is null set the xsi:nil attribute to true.
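
One way to get the three wire states described in the answer (element omitted, element present with xsi:nil, element present with a value), as an added example that is not part of the original question or answer. It assumes the contract is serialized with XmlSerializer rather than the data contract serializer; `Demo`, `ForCaller` and `callerMayViewSecret` are hypothetical names and the sample values are constructed.

```csharp
using System;
using System.IO;
using System.Xml.Serialization;

public class Project
{
    public long Id { get; set; }
    public string Name { get; set; }

    // IsNullable = true: when the element is written and the value is null,
    // it is emitted with xsi:nil="true" instead of being dropped.
    [XmlElement(IsNullable = true)]
    public string SecretData { get; set; }

    // XmlSerializer convention: a bool named <Member>Specified decides whether
    // the element is written at all. It never appears on the wire itself.
    [XmlIgnore]
    public bool SecretDataSpecified { get; set; }
}

public static class Demo
{
    // Hypothetical authorization step: the secret is copied into the response
    // object only for permitted callers, so it cannot leak through serialization.
    public static Project ForCaller(long id, string name, string secret,
                                    bool callerMayViewSecret)
    {
        var p = new Project { Id = id, Name = name };
        if (callerMayViewSecret)
        {
            p.SecretData = secret;
            p.SecretDataSpecified = true;
        }
        return p;
    }

    public static string ToXml(Project p)
    {
        var writer = new StringWriter();
        new XmlSerializer(typeof(Project)).Serialize(writer, p);
        return writer.ToString();
    }

    public static void Main()
    {
        // Constructed sample data covering the three cases.
        Console.WriteLine(ToXml(ForCaller(1, "Apollo", "s3cret", false))); // not permitted
        Console.WriteLine(ToXml(ForCaller(1, "Apollo", null, true)));      // permitted, null
        Console.WriteLine(ToXml(ForCaller(1, "Apollo", "s3cret", true)));  // permitted, value
    }
}
```

The permission decision is made once, server-side, when the response object is built; the consumer only has to check whether the element is present.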



Source: https://stackoverflow.com/questions/9526476/how-to-restrict-web-service-data-contract-properties-based-on-user-role
