XACML interceptor for WCF Data Services

Time: 2013-04-29 05:42:36

Tags: wcf-data-services xacml

Can anyone point me to information on how to define an XACML interceptor for WCF Data Services?

1 answer:

Answer 0: (score: 1)

For each entity in your data source (more about interceptors), a WCF Data Services interceptor is essentially a lambda expression of type Expression<Func<T, bool>>, which limits you to very simple and almost static authorization rules. XACML, on the other hand, is a very flexible and dynamic authorization solution. I can't think of a possible generic integration. At the same time, a non-generic integration is very simple:

[QueryInterceptor ("Customers")]
public Expression<Func<Customer, bool>> FilterCustomers()
{
    // First of all you need to get all request attributes.
    // Information could come from session, from cookies,
    // from request; in this example I will only use subjectId.
    // In XACML subjectId could be the user name.
    var subjectId = GetSubjectId();

    // After you have all data, build the XACML request.
    // This code is specific to our XACML implementation.
    var xacmlRequest = new XacmlDecisionRequestContext()
        .AddRequest(r => r
            .AddResource(a => a.Add(XacmlConstants.ResourceAttributes.ResourceId, new Uri("Customer", UriKind.RelativeOrAbsolute)))
            .AddSubject(a => a.Add(XacmlConstants.SubjectAttributes.SubjectId, subjectId))
        );

    // Evaluate the request against the PDP.
    var result = PolicyDecisionPoint.Evaluate(xacmlRequest);

    // Based on the XACML decision result you can construct the expression.
    // This example is a simple true or false, but based on
    // XACML Advices or XACML Attributes you can build a much more
    // sophisticated expression.

    // The interceptor must return a predicate over Customer, so the
    // lambda takes the entity parameter even when it ignores it.
    if (result.Decisions.Single().Decision == XacmlDecision.Permit)
    {
        return c => true;
    }
    // Deny, NotApplicable and Indeterminate all end up here: no rows are returned.
    return c => false;
}

This example assumes you are intercepting access to the Customer entity. It applies only to queries. You should put this method in your DataService class.

The example is based on the Axiomatics PEP SDK for .NET (the product I am using), but the idea applies to any XACML implementation.
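A more complete version of the pattern the answer describes, added here as an illustration and not taken from the post or from the Axiomatics SDK: it assumes a hypothetical PdpResult with a Decision and an Advice dictionary whose keys are taken to be Customer property names, turns each advice attribute into an equality test in the returned expression, and fails closed on anything other than an explicit Permit or on advice it cannot map onto the entity.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Expressions;

// Hypothetical PDP result shape (an assumption, not the Axiomatics SDK API).
public enum XacmlDecision { Permit, Deny, NotApplicable, Indeterminate }

public sealed class PdpResult
{
    public XacmlDecision Decision { get; set; }
    // Advice attributes returned with the decision, e.g. { "Region", "EU" }.
    // Assumption: each key names a Customer property the caller is limited to.
    public IDictionary<string, string> Advice { get; } = new Dictionary<string, string>();
}

public class Customer
{
    public string Region { get; set; }
    public string Owner { get; set; }
}

public static class XacmlQueryFilter
{
    // The query interceptor returns BuildFilter(PolicyDecisionPoint.Evaluate(xacmlRequest));
    // the result is the predicate WCF Data Services applies to every Customers query.
    public static Expression<Func<Customer, bool>> BuildFilter(PdpResult result)
    {
        // Fail closed: Deny, NotApplicable and Indeterminate all hide every row.
        if (result.Decision != XacmlDecision.Permit)
            return _ => false;

        var param = Expression.Parameter(typeof(Customer), "c");
        Expression body = Expression.Constant(true);
        // Each advice attribute becomes an equality test AND-ed into the filter, so
        // Permit with { Region = "EU", Owner = "alice" } yields
        // c => true && c.Region == "EU" && c.Owner == "alice".
        foreach (var advice in result.Advice)
        {
            var property = typeof(Customer).GetProperty(advice.Key);
            // A constraint that cannot be mapped onto the entity cannot be enforced: deny rather than ignore it.
            if (property == null || property.PropertyType != typeof(string))
                return _ => false;
            var test = Expression.Equal(
                Expression.Property(param, property),
                Expression.Constant(advice.Value, typeof(string)));
            body = Expression.AndAlso(body, test);
        }
        return Expression.Lambda<Func<Customer, bool>>(body, param);
    }
}
```

Because the returned tree only uses property access, constants and equality, the data service can translate it to the underlying query rather than filtering rows in memory after they have been loaded.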