Handling Nested Group Permissions (ASP.NET Role Provider)

2023-09-08 12:52:14 Author: 花败夏


We have a security module which, based on group/role membership, controls permissions to resources in ASP.Net. I've built a custom ASP.Net Role Provider that queries Active Directory for group membership and which is used by this module.


Security checking works as follows for each request (caching used in places for performance reasons but excluded from this list):

1. Query AD for the list of groups the user is a member of.
2. Query the database for the list of users and groups that have access to the requested resource.
3. Compare the database results with the AD results. If the user explicitly has permission, or if a group the user is in has permission, then allow access; otherwise deny it.


The problem arises when we have nested groups. Let's say we have two groups: ParentGroup and ChildGroup, where ChildGroup is a member of ParentGroup in Active Directory and where our user is a member of ChildGroup. According to the logic above, if we give ChildGroup access to a resource then the user can access the resource too.


Now logically (to me anyway) if we give ParentGroup access to a resource then all members of it, and any sub groups and their members acquired recursively, should also be able to access said resource. But instead, because of the way my logic works they can't access the resource. Step 1 from the above list does not see ParentGroup, it only sees ChildGroup, and Step 2 only sees ParentGroup and does not see ChildGroup.


So the question is, to make it work how I described it "logically" should, where should I fix the problem, and is there some method that would work better than another?

Recommended answer


Try using the WindowsPrincipal.IsInRole() method instead of querying AD directly. I posted some sample code over here which might help.
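The fix belongs in step 1 of the question's procedure: the group list handed to the comparison must be the transitive closure of the user's memberships, which is what IsInRole gets for free from the token's group SIDs. The following is an added illustration, not code from the question or the answer; the membership map, the ACL, the user names and the cycle are all constructed sample data, and a naive direct-only check is kept alongside the corrected one to show exactly where the original logic fails.

```python
from collections import deque

# Constructed sample data: direct memberships as a query against AD would return them.
# Maps a principal (user or group) to the groups it is directly a member of.
DIRECT_MEMBER_OF = {
    "alice": {"ChildGroup"},
    "ChildGroup": {"ParentGroup"},
    "ParentGroup": {"GrandParentGroup"},
    "GrandParentGroup": {"ChildGroup"},   # AD permits cycles; expansion must terminate
    "bob": {"OtherGroup"},
}

# Constructed sample ACL: resource -> principals explicitly granted access (step 2).
RESOURCE_ACL = {
    "/reports": {"ParentGroup"},
    "/admin": {"bob", "OtherGroup"},
}


def transitive_groups(principal, member_of):
    """Every group the principal belongs to, directly or through any depth of nesting.

    Breadth-first walk over the member-of graph; 'seen' both collects the result
    and stops the walk from looping on cyclic group membership.
    """
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def has_access_direct_only(user, resource, member_of=DIRECT_MEMBER_OF, acl=RESOURCE_ACL):
    """The question's original logic: only direct memberships are compared (step 3)."""
    granted = acl.get(resource, set())
    return user in granted or not granted.isdisjoint(member_of.get(user, set()))


def has_access(user, resource, member_of=DIRECT_MEMBER_OF, acl=RESOURCE_ACL):
    """Corrected step 3: explicit grant, or a grant to any transitively held group."""
    granted = acl.get(resource, set())
    return user in granted or not granted.isdisjoint(transitive_groups(user, member_of))


if __name__ == "__main__":
    print("direct-only:", has_access_direct_only("alice", "/reports"))  # False: the bug
    print("transitive: ", has_access("alice", "/reports"))              # True
```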
