Custom role-based Web service access (tags: custom, role, Web)

2023-09-04 02:59:30 Author: 喵个汪

Our CMS implements its own role based access control for content management and what not, much like all the other CMSs out there ;) I've recently been playing around with the idea of trying to implement an extension of this access control into our web service api, with the eventual idea of choosing which users have access to what methods.

Has anyone implemented something like this, or know of any good resources I might be able to look into to get the ball rolling on it?

Our development is done entirely in .NET 2.0, however if a principle exists in another language, I welcome it :)

Recommended answer

When implementing Role Based security, I found that you first have to identify the operations that a particular user might perform. Once you have those, you can tie them together into roles; and, change them at will.

Think of each web method call as requiring one or more operations. Each method should accept the user's name / password or token. The method will make one call to your database or other storage mechanism to determine whether the identified user does indeed have the required operations assigned to them. Then, if everything is good, execute the rest of the method.

It's actually not that complicated and extremely flexible.
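The operation-based check described in the answer, as an added example that is not the answerer's code. `Rbac`, `Demand`, `ContentService`, the tokens and the operation names are hypothetical, and the in-memory dictionaries stand in for the single database lookup the answer mentions.

```csharp
using System;
using System.Collections.Generic;

// Operations are the unit of permission; roles are only named bundles of them.
static class Rbac
{
    // Constructed sample data; a real service would load both maps from the CMS store.
    static readonly Dictionary<string, string[]> RoleOps = new Dictionary<string, string[]>();
    static readonly Dictionary<string, string[]> TokenRoles = new Dictionary<string, string[]>();

    static Rbac()
    {
        RoleOps["editor"] = new string[] { "content.read", "content.update" };
        RoleOps["viewer"] = new string[] { "content.read" };
        TokenRoles["token-alice"] = new string[] { "editor" };
        TokenRoles["token-bob"] = new string[] { "viewer" };
    }

    // Deny by default: an unknown token, an unknown role or any missing operation fails.
    public static void Demand(string token, params string[] requiredOps)
    {
        string[] roles;
        if (token == null || !TokenRoles.TryGetValue(token, out roles))
            throw new UnauthorizedAccessException("Unknown caller");
        List<string> granted = new List<string>();
        foreach (string role in roles)
        {
            string[] ops;
            if (RoleOps.TryGetValue(role, out ops)) granted.AddRange(ops);
        }
        foreach (string op in requiredOps)
            if (!granted.Contains(op))
                throw new UnauthorizedAccessException("Missing operation: " + op);
    }
}

public class ContentService
{
    // In an ASMX service this method would carry [WebMethod]; the check runs before any work.
    public string UpdateArticle(string token, int id, string body)
    {
        Rbac.Demand(token, "content.update");
        return "updated " + id;
    }

    static void Main()
    {
        Console.WriteLine(new ContentService().UpdateArticle("token-alice", 7, "text"));
        try { new ContentService().UpdateArticle("token-bob", 7, "text"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

Because methods demand operations rather than role names, reassigning operations between roles changes who can call a method without touching the service code.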

 