业务上我们必须定义一套针对不同的业务功能的角色体系,例如管理员,数据管理员,普通用户的角色... ...
以规则为基础的授权框架,一般利用XML文档存储简单的规则设置,来控制系统访问权限。(也可以存储在数据库中,读者可以扩展Enterprise Library)
<add expression="R:Administrator" name="IsAdministrator" />
<add expression="R:Administrator OR R:DataSteward" name="IsDataSteward" />
<add expression="R:User OR R:DataSteward OR R:Administrator" name="IsUser" />
规则“IsAdministrator”会检查当前用户是否有Administrator的角色。 “IsUser”将对角色User, DataSteward或者Administrator都有效。
SecurityHelper类利用了Enterprise Library 的默认的AuthorizationRuleProvider,它是我们整个系统的权限核心。主要代码如下。
using System.Collections.Generic; using Microsoft.Practices.EnterpriseLibrary.Security; using Microsoft.Practices.Unity; using Volvo.CustomerMaster.Infrastructure.Common.Utilities.Entities; using Volvo.CustomerMaster.Infrastructure.Common.Utilities.Unity; using Volvo.POS.UserDomain.ServiceLayer; using Volvo.POS.UserDomain.DomainLayer; using Volvo.CustomerMaster.Web.Common.Session; namespace Volvo.CustomerMaster.Web.Common.Security { public class SecurityHelper { [Dependency] public static IUserService UserService { get ; set ; } /// <summary> /// Authenticate the user to verify that the user is a logged in user and that the user is approved /// by the external authorization system. /// </summary> /// <returns></returns> public static bool Authenticate() { // Inject implementation of the UserService through DI if (UserService == null ) { UserService = Container.Resolve<UserService>(); } string userName = GetWindowsVcnUserName(); // Get user from external authorization system GenericUser user = UserService.GetUser(userName); if (user == null ) { return false ; } // Set session SessionWrapper.CurrentUser = user; return true ; } /// <summary> /// Returns true if the user contain roles that is valid for selected rule /// </summary> /// <param name="rule"></param> /// <returns></returns> public static bool Authorized( string rule) { try { IList< string > rules = new List< string > { rule }; return Authorized(rules); } catch { return false ; } } /// <summary> /// Returns true if the user contain roles that is valid for selected rules /// </summary> /// <param name="rules"></param> /// <returns></returns> public static bool Authorized(IList< string > rules) { // If user is not defined, try to authenticate it if (SessionWrapper.CurrentUser == null ) { if (!Authenticate()) { return false ; } } // Get authorization provider from Entlib IAuthorizationProvider auth = AuthorizationFactory.GetAuthorizationProvider( "RulesProvider" ); if (rules.Count > 0 && SessionWrapper.CurrentUser.Principal != null ) { foreach ( string rule in rules) { // Authorize user (with its roles) agains the rule if (!auth.Authorize(SessionWrapper.CurrentUser.Principal, rule)) { return false ; } } } else { return false ; } return true ; } private static string GetWindowsVcnUserName() { // Get windows user System.Security.Principal.WindowsIdentity loggedInUser = System.Security.Principal.WindowsIdentity.GetCurrent(); if (loggedInUser != null ) { string username = loggedInUser.Name; username = username.Substring(username.IndexOf( '\\' ) + 1); username = username.ToUpper(); return username; } return null ; } } } |
IAuthorizationProvider auth = AuthorizationFactory.GetAuthorizationProvider( "RulesProvider" ); if (rules.Count > 0 && SessionWrapper.CurrentUser.Principal != null ) { foreach ( string rule in rules) { // Authorize user (with its roles) agains the rule if (!auth.Authorize(SessionWrapper.CurrentUser.Principal, rule)) { return false ; } } } else { return false ; } return true ; |
<?xml version="1.0" encoding="utf-8" ?>
<siteMap enableLocalization="true">
<siteMapNode title="Menu">
<siteMapNode controller="Home" title="Home" action="Index" resourceKey="Tab_Home" AuthorizationRule="IsUser"/>
<siteMapNode controller="Customer" title="Manage Customers" action="Index" resourceKey="Tab_ManageCustomers" AuthorizationRule="IsDataSteward"/>
<siteMapNode title="Switching Brands" resourceKey="Tab_SwitchingBrands" AuthorizationRule="IsUser">
<siteMapNode title="Violin" controller="Home" action="SetTheme/Violin" AuthorizationRule="IsUser"/>
<siteMapNode title="Mack" controller="Home" action="SetTheme/Mack" AuthorizationRule="IsUser"/>
<siteMapNode title="Mack Dual" controller="Home" action="SetTheme/MackDual" AuthorizationRule="IsUser"/>
<siteMapNode title="Renault" controller="Home" action="SetTheme/Renault" AuthorizationRule="IsUser"/>
<siteMapNode title="Volvo BA" controller="Home" action="SetTheme/VolvoBA" AuthorizationRule="IsUser"/>
<siteMapNode title="Volvo Group" controller="Home" action="SetTheme/VolvoGroup" AuthorizationRule="IsUser"/>
菜单的规则如何、什么时候被加载呢?在渲染菜单的SiteMapBinding.cshtml文件中,我们的代码如下。(示例利用了Telerik for Asp.net MVC控件)
@using Volvo.CustomerMaster.Web.Common.Security
@using Volvo.CustomerMaster.Web
@{ Html.Telerik().Menu()
.BindTo("Web",(item, node) =>{
if (node.Attributes["resourceKey"] !=null)
item.Text = UI_Resources.ResourceManager.GetString(node.Attributes["resourceKey"] as string) ?? item.Text;
if(node.Attributes["imageurl"] != null)
item.ImageUrl = node.Attributes["imageurl"].ToString();
item.Visible = SecurityHelper.Authorized(node.Attributes["AuthorizationRule"].ToString());
.Effects(fx =>
利用同样原理,按钮的enable/disable也可以基于规则来控制。我们首先构造一个类 (HtmlHelper)用于在页面上显示按钮。
public static class ButtonHelper
private static IEnumerable<KeyValuePair<string, object>> GetAttributeValues(object attributeValues)
if (attributeValues != null)
Type type = attributeValues.GetType();
//PropertyInfo[] properties = type.GetProperties();
foreach (PropertyInfo property in type.GetProperties())
string attributeName = property.Name;
object value = property.GetValue(attributeValues, null);
yield return new KeyValuePair<string, object>(attributeName, value);
/// <summary>
/// Renders an HTML form submit button including authorization
/// </summary>
public static string Button(this HtmlHelper helper, string name, string buttonText)
return Button(helper, name, buttonText, false,null);
public static string Button(this HtmlHelper helper, string name, string buttonText, object htmlAttributes)
return Button(helper, name, buttonText, false, GetAttributeValues(htmlAttributes));
public static string Button(this HtmlHelper helper, string name, string buttonText, bool disabled, object htmlAttributes)
return Button(helper, name, buttonText, disabled, GetAttributeValues(htmlAttributes));
private static string Button(this HtmlHelper helper, string name, string buttonText, bool disabled, IEnumerable<KeyValuePair<string ,object >> htmlAttributes)
HtmlGenericControl a = new HtmlGenericControl("input");
a.ID = name;
a.Attributes["name"] = name;
a.Attributes["value"] = buttonText;
a.Attributes["type"] = "button";
if (disabled)
a.Attributes["disabled"] = "disabled";
if (htmlAttributes != null)
foreach (KeyValuePair<string, object> attribute in htmlAttributes)
a.Attributes[attribute.Key] = attribute.Value.ToString();
StringBuilder htmlBuilder = new StringBuilder();
HtmlTextWriter htmlWriter = new HtmlTextWriter(new StringWriter(htmlBuilder));
// render the html
string html = htmlBuilder.ToString();//= String.Format("<input type=\"submit\" name=\"{0}\" value=\"{1}\" ", name, buttonText);
//html += (disabled) ? " disabled=\"disabled\" />" : "/>";
return html;
/// <summary>
/// Renders an HTML form image button
/// </summary>
public static string AddFilesButton(this HtmlHelper helper, string imageURI)
if (string.IsNullOrEmpty(imageURI))
imageURI = helper.ViewContext.HttpContext.Request.ApplicationPath +
"http://www.cnblogs.com/Content/Images/Volvo Icons/Add Files/Add_16x16.png";
return String.Format("<input type=\"image\" src=\"{0}\" />", imageURI);
public static bool SetButtonDisability( string id, string rule)
if (SecurityHelper.Authorized(rule))
return false;
{ }
return true;
private static string Button(this HtmlHelper helper, string name, string buttonText, bool disabled, IEnumerable<KeyValuePair<string ,object >> htmlAttributes)
HtmlGenericControl a = new HtmlGenericControl("input");
a.ID = name;
a.Attributes["name"] = name;
a.Attributes["value"] = buttonText;
a.Attributes["type"] = "button";
if (disabled)
a.Attributes["disabled"] = "disabled";
if (htmlAttributes != null)
foreach (KeyValuePair<string, object> attribute in htmlAttributes)
a.Attributes[attribute.Key] = attribute.Value.ToString();
StringBuilder htmlBuilder = new StringBuilder();
HtmlTextWriter htmlWriter = new HtmlTextWriter(new StringWriter(htmlBuilder));
// render the html
string html = htmlBuilder.ToString();//= String.Format("<input type=\"submit\" name=\"{0}\" value=\"{1}\" ", name, buttonText);
//html += (disabled) ? " disabled=\"disabled\" />" : "/>";
return html;
在页面中,我们如何利用ButtonHelper呢?下面的例子利用Telerik来显示一个Grid,在Grid的头上我么将显示edit, add, delete 按钮。
.DataBinding(bind => bind.Ajax().Select("ListCustomerAjax", "Customer"))
.ToolBar(toolBar => toolBar.Template
@Html.Button("toolbarEditRow", UI_Resources.ListCustomer_EditCustomerButton,
ButtonHelper.SetButtonDisability("toolbarEditRow", "IsAdministrator"),
new { title = UI_Resources.ListCustomer_EditCustomerButtonTooltip, @class = "icon edit" })
+"<span > </span>"+
@Html.Button("toolbarAddRow", UI_Resources.ListCustomer_AddNewCustomerButton, ButtonHelper.SetButtonDisability("toolbarAddRow", "IsAdministrator"), new { title = UI_Resources.ListCustomer_AddNewCustomerButtonTooltip, @class = "icon add" })
+"<span > </span>"+
@Html.Button("toolbarDeleteRow", UI_Resources.ListCustomer_DeleteCustomerButton, ButtonHelper.SetButtonDisability("toolbarDeleteRow", "IsAdministrator"), new { title = UI_Resources.ListCustomer_DeleteCustomerButtonTooltip, @class = "icon delete" })
.Columns(columns =>
columns.Bound(o => o.Number).Title("Number").Width(40);
columns.Bound(o => o.Name).Title("Name").Width(100);
columns.Bound(o => o.Address).Title("Address").Width(100);
.ClientEvents(x => x.OnLoad("CustomerGrid_OnLoad"))
.Pageable(paging => paging.PageSize(10).Total(Model.CustomerCount))
MVC Controller类的访问控制
public class CustomerController : BaseController
public ICustomerService CustomerService { get; set; }
public CustomerController(ICustomerService customerService)
CustomerService = customerService;
// 2. Get roles defined for the user
if (userName.Equals("v0cn174", StringComparison.CurrentCultureIgnoreCase))
//user.AddRole(new UserRole(UserRoleConstants.Administrator));
user.AddRole(new UserRole(UserRoleConstants.DataSteward));
//user.AddRole(new UserRole(UserRoleConstants.User));
// All users are superusers in this mock
//user.AddRole(new UserRole(UserRoleConstants.Administrator));
//user.AddRole(new UserRole(UserRoleConstants.DataSteward));
user.AddRole(new UserRole(UserRoleConstants.User));
return user;
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步