使用ADFS声明的ASP.NET Web应用程序授权

时间:2013-11-22 16:37:32

标签: asp.net authorization roles asp.net-dynamic-data

我已经使用ASP.NET整理了一个动态数据Web应用程序。我还为AuthorizationManager组建了一些类。我不确定的一件事是如何将其插入到Web应用程序中,以便只有基于ADFS声明的特定角色的用户才能访问该应用程序。出于安全考虑,我抽象了一小段代码。这是我到目前为止的文件:

AuthorizationHelper:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Web;

namespace ApplicationManager.Authorization
{
public class AuthorizationHelper
{
    /// <summary>
    /// Checks the access.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <returns></returns>
    public static bool CheckAccess(string resource, string action)
    {
        AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
        return FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager.CheckAccess(context);
    }

    /// <summary>
    /// Checks the access for an action based on user context.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <param name="user">The user.</param>
    /// <returns></returns>
    public static bool CheckAccess(string resource, string action, UserInfo user)
    {
        AuthorizationContext context = new AuthorizationContext(HttpContext.Current.User as IClaimsPrincipal, resource, action);
        AuthorizationManager authManager = (AuthorizationManager)FederatedAuthentication.ServiceConfiguration.ClaimsAuthorizationManager;

        return authManager.CheckAccess(context, user);
    }

    /// <summary>
    /// Confirmes the logged in user has access to perform the specified action on the user.
    /// </summary>
    /// <param name="resource">The resource.</param>
    /// <param name="action">The action.</param>
    /// <param name="user">The user.</param>
    /// <exception cref="System.Security.SecurityException"></exception>
    public static void ConfirmAccess(string resource, string action, UserInfo user)
    {
        if (!CheckAccess(resource, action, user))
        {
            throw new SecurityException(string.Format("{0} does not have rights to manage {1}.  Please contact the idm security administrator.", HttpContext.Current.User.Identity.Name, user.UserId));
        }
    }
}
}

AuthorizationManager:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.IdentityModel.Claims;
using ApplicationManager.Models;

namespace ApplicationManager.Authorization
{
public class AuthorizationManager : ClaimsAuthorizationManager
{

    private const string HelpDeskRole = @"****_Helpdesk";
    private const string UsersRole = @"****_ADMIN_USERS";
    private const string SupportRole = @"****_Admin_Support";
    private const string SuperUsersRole = @"****_ADMIN_SUPERUSERS";
    private const string ReportingRole = @"****_ADMIN__Reporting";
    private const string AdminRole = @"****_Admin_Administrator";
    private const string PersonalUserManagmentRole = @"****_PERSONAL_USER_MANAGEMENT";
    private const string ProfessionalUserManagmentRole = @"****_PROF_USER_MANAGEMENT";

    private static readonly string[] AllRoles = new string[] { HelpDeskRole, UsersRole, SupportRole, SuperUsersRole, ReportingRole, AdminRole };
    private static readonly string[] CustomRoles = new string[] { SuperUsersRole, AdminRole };

    public bool CheckAccess(AuthorizationContext context, UserInfo user)
    {
        if (!context.Principal.Identity.IsAuthenticated)
        {
            return false;
        }
        string resource = context.Resource.First().Value;
        string action = null;
        if (context.Action.Count > 0)
        {
            action = context.Action.First().Value;
        }
        switch (resource)
        { 
            case Resources.ApplicationManager:
                return IsAuthorizedForApplications(context.Principal, action);
        }
        return false;
    }

    private bool IsAuthorizedForApplications(IClaimsPrincipal claimsPrincipal, string action)
    {
        switch (action)
        { 
            case Operations.ApplicationManager:
                return IsInAnyRole(claimsPrincipal, CustomRoles);
        }
        return false;
    }

    public bool IsInAnyRole(IClaimsPrincipal principal, string[] roles)
    {
        foreach (string role in roles)
        {
            if (principal.IsInRole(role))
            {
                return true;
            }
        }
        return false;
    }
}
}

操作:

namespace ApplicationManager.Authorization
{
public class Operations
{
    public const string ApplicationManager = "Applications";
}
}

资源:

namespace ApplicationManager.Authorization
{
public class Resources
{
    public const string ApplicationManager = "Applications";
}
}

我想将此全部插入并根据用户所处的角色拒绝使用该应用程序。我确实有适当的模型来获取用户ID和用户角色。我需要知道在何处以及如何对其进行编码以阻止基于用户角色访问整个应用程序。

1 个答案:

答案 0 :(得分:2)

您需要在管道中注册您的声明身份验证管理器。它会在每次请求时触发:

http://www.brainthud.com/cards/5218/5016/explain-the-usage-of-the-claimsauthorizationmanager-class/