gra*_*der 13 .net c# security azman netsqlazman
我一直试图"在线之间阅读"关于NetSqlAzMan项目的原始(和/或当前)动机.
这是写的吗?
适用于Windows授权管理器(AzMan)的适配器.NetSqlAzMan中的方法只是将调用传递给(Windows授权管理器(AzMan)),但是可能使用更好/更清晰的方法?
(Windows授权管理器(AzMan))的替代品.在(Windows授权管理器(AzMan))中可用的功能(大部分或全部)在NetSqlAzMan中重新创建,但代码是独立开发的.(也许是为了提供DotNet 4.0支持???)(也许是为了删除任何COM依赖项)
提供比(Windows授权管理器(AzMan))提供的更多功能.Aka,(Windows授权管理器(AzMan))的"更智能"/"更好"版本.
重写,但也通过开源保持一个半死的项目.(可能是(Windows授权管理器(AzMan)))是微软的一个死的或被遗弃的项目.
其他?
................
我喜欢NetSqlAzMan的对象模型.但我需要捍卫任何将其用于我的项目经理和其他开发人员的决定.对象模型似乎"恰到好处"(想想金发姑娘和中间床)就我对安全的渴望而言.我不想做基于角色的安全性.我想要正确(或任务或许可)的安全性.
(参见:http: //lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/ 和 http://granadacoder.wordpress.com/ 2010/12/01/rant-hard-coded-security-roles / )
基本上提出的问题是:"使用NetSqlAzMan而不是(Windows授权管理器(AzMan))有什么好处?"
子问题是"Windows授权管理器(AzMan)死了吗?".(还有Long Live NetSqlAzMan的内容!).
..................
我的一般要求是:
非Active Directory用户.(在路上Active Directory和/或LDAP支持会很好,但不是必需的).密码未存储为纯文本.能够处理安全检查的权利.
将权利分组在任何角色下.为用户分配角色.(但同样,代码将检查权限,而不是执行操作时的角色.)允许(有时)将权限分配给用户.使用拒绝覆盖.(Aka,一个做愚蠢事情的用户(比如"删除员工")可以撤销该权利.)可以为多个应用程序维护角色和权限.
所以欢迎其他想法.但Windows Identity Foundation看起来有点矫枉过正.
谢谢.
gra*_*der 11
我昨晚终于找到了一篇"比较"的文章.
http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx
我将在这里粘贴相关部分(下面).(以防网站将来不再存在.我知道,机会很小,但我讨厌"答案就在这里"链接,当你点击链接时,它就是一个死机.)
从我所知道的.
NetSqlAzMan提供了一个(表)用户定义的函数,您可以重载该函数以提供用户列表(分配给角色/任务).NetSqlAzMan不仅提供"Yeah you can"映射(Grant),还提供Deny和Grant-With-Delegate.NetSqlAzMan和Azman允许用户(组)进行角色映射.只有NetSqlAzMan允许用户进行任务映射.
看了几个样本...... NetSqlAzMan的对象模型非常干净.
================================================== =====
授权经理(AzMan)与.NET Sql授权管理器(NetSqlAzMan)
如前所述,类似的Microsoft产品已经存在,称为授权管理器(AzMan); 默认情况下,AzMan存在于Windows Server 2003中,并且通过Admin Pack设置存在于Windows XP中.
AzMan和NetSqlAzMan之间的重要区别在于,第一个是基于角色的,即基于属性 - 角色概念和每个角色中的操作容器,而第二个是基于项目(或者如果您更喜欢基于操作) ,即可以或不可以属于角色或执行此类任务和/或操作(项目)的用户或用户组或组的组.
这里介绍两种产品最重要的特点和区别:
AzMan女士:
Run Code Online (Sandbox Code Playgroud)* It's COM. * It's equipped by a MMC 2.0 (COM) console. * Its storage can be an XML file or ADAM (Active Directory Application Mode - e un LDAP). * It's role-based. * It supports static/dynamic applicative groups, members/not-members. * Structure based on Roles -> Tasks -> Operations. (Hierarchical Roles and Tasks , none Operations). * Authorizations can be added only to Roles. * It doesn't implement the "delegate" concept. * It doesn't manage authorizations "in the time". * It doesn't trigger events. * The only type of authorization is "Allow". (to "deny" it needs to remove the user/group from his Role). * It supports Scripting / Biz rules. * It supports Active Directory users/groups and ADAM users.NetSqlAzMan:
Run Code Online (Sandbox Code Playgroud)* It's .NET 2.0. * It's equipped by a MMC 3.0 (.NET) console. * Its storage is a Sql Server database(2000/MSDE/2005/Express). * It's based on Tdo - Typed Data Object technology. * It's Item-based. * Structure based on Roles -> Tasks -> Operations. (all hierarchical ones). * Authorizations can be added to Roles, Task and Operations. * It supports static/dynamic applicative groups, members/not-members. * LDAP query testing directly from console. * It's time-dependant. * It's delegate-compliant. * It triggers events (ENS). * It supports 4 authorization types: o Allow with delegation (authorized and authorized to delegate). o Allow (authorized). o Deny (not authorized). o Neutral (neutral permission, it depends on higher level Item permission). * Hierarchical authorizations. * It supports Scripting / Biz rules (compiled in .NET - C# - VB - and not interpreted) * It supports Active Directory users/groups and custom users defined in SQL Server Database.
这是另一个问题.
Azman示例代码:http : //channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-Code http://channel9.msdn.com/forums/sandbox/252973-Programming-AzMan -抽样码
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using AZROLESLib;
namespace TreyResearch {
public class AzManHelper : IDisposable {
AzAuthorizationStore store;
IAzApplication app;
string appName;
public AzManHelper(string connectionString, string appName) {
this.appName = appName;
try {
// load and initialize the AzMan runtime
store = new AzAuthorizationStore();
store.Initialize(0, connectionString, null);
// drill down to our application
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("Failed to initizlize AzManHelper", x);
}
catch (System.IO.FileNotFoundException x) {
throw new AzManException(string.Format("Failed to load AzMan policy from {0} - make sure your connection string is correct.", connectionString), x);
}
}
public void Dispose() {
if (null == app) return;
Marshal.ReleaseComObject(app);
Marshal.ReleaseComObject(store);
app = null;
store = null;
}
public bool AccessCheck(string audit, Operations op,
WindowsIdentity clientIdentity) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
null, null, null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheck failed", x);
}
}
public bool AccessCheckWithArg(string audit, Operations op,
WindowsIdentity clientIdentity,
string argName, object argValue) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] argNames = { argName };
object[] argValues = { argValue };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
argNames, argValues,
null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheckWithArg failed", x);
}
}
// use this to update a running app
// after you change the AzMan policy
public void UpdateCache() {
try {
store.UpdateCache(null);
Marshal.ReleaseComObject(app);
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("UpdateCache failed", x);
}
}
}
public class AzManException : Exception {
public AzManException(string message, Exception innerException)
: base(message, innerException)
{}
}
}
那是Azman帮手代码.这是丑陋的COM/Interopish的东西.<
现在检查NetSqlAzMan代码示例:
http://netsqlazman.codeplex.com/wikipage?title=Samples
/// <summary>
/// Create a Full Storage through .NET code
/// </summary>
private void CreateFullStorage()
{
// USER MUST BE A MEMBER OF SQL DATABASE ROLE: NetSqlAzMan_Administrators
//Sql Storage connection string
string sqlConnectionString = "data source=(local);initial catalog=NetSqlAzManStorage;user id=netsqlazmanuser;password=password";
//Create an instance of SqlAzManStorage class
IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);
//Open Storage Connection
storage.OpenConnection();
//Begin a new Transaction
storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
//Create a new Store
IAzManStore newStore = storage.CreateStore("My Store", "Store description");
//Create a new Basic StoreGroup
IAzManStoreGroup newStoreGroup = newStore.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), "My Store Group", "Store Group Description", String.Empty, GroupType.Basic);
//Retrieve current user SID
IAzManSid mySid = new SqlAzManSID(WindowsIdentity.GetCurrent().User);
//Add myself as sid of "My Store Group"
IAzManStoreGroupMember storeGroupMember = newStoreGroup.CreateStoreGroupMember(mySid, WhereDefined.Local, true);
//Create a new Application
IAzManApplication newApp = newStore.CreateApplication("New Application", "Application description");
//Create a new Role
IAzManItem newRole = newApp.CreateItem("New Role", "Role description", ItemType.Role);
//Create a new Task
IAzManItem newTask = newApp.CreateItem("New Task", "Task description", ItemType.Task);
//Create a new Operation
IAzManItem newOp = newApp.CreateItem("New Operation", "Operation description", ItemType.Operation);
//Add "New Operation" as a sid of "New Task"
newTask.AddMember(newOp);
//Add "New Task" as a sid of "New Role"
newRole.AddMember(newTask);
//Create an authorization for myself on "New Role"
IAzManAuthorization auth = newRole.CreateAuthorization(mySid, WhereDefined.Local, mySid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Create a custom attribute
IAzManAttribute<IAzManAuthorization> attr = auth.CreateAttribute("New Key", "New Value");
//Create an authorization for DB User "Andrea" on "New Role"
IAzManAuthorization auth2 = newRole.CreateAuthorization(mySid, WhereDefined.Local, storage.GetDBUser("Andrea").CustomSid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Commit transaction
storage.CommitTransaction();
//Close connection
storage.CloseConnection();
}
这本身讲述了一个故事.
| 归档时间: |
|
| 查看次数: |
8052 次 |
| 最近记录: |