Question

I am designing a system based on SOA principles. For authentication, a traditional token approach will be used. But authorization needs to be taken to the point where buttons and labels are activated or deactivated inside the consumer app depending on the role of the user who is accessing the functionality.

The apps are being developed in WPF (Prism).

Is there a known and proven way of dealing with this?

Should we design our custom mechanism?

Thanks!


Solution

WPF Prism does not handle authorization (according to this). So you need to build a solution on your own.

I would suggest taking a look at claims-based authorization (Managing Claims and Authorization with the Identity Model can give you a high-level view). Examples of claims you can use are: "UserCanSaveCustomerSettings", "UserHasCustomerManagementPrivilege".

After you get claims configured for your application, you can use this information to enable/disable controls. I can suggest two options.

  1. If you use the MVVM pattern, you can expose access information (for example, you can get it from ClaimsPrincipalPermission.CheckAccess) as properties of the ViewModel and bind these properties directly to controls. Something like

  2. Or alternatively you can implement IValueConverter and again access the claims through ClaimsPrincipalPermission.CheckAccess or through ClaimsAuthorizationManager.CheckAccess directly.

Also, you might want to take into account that you should not base your security on just enabling/disabling controls. For example, in WPF there are many tools (Snoop for instance) that make it easy to enable/unhide/click any control. You might also want to check access rights in your application/service layer (you can use claims-based authorization there too; check ClaimsPrincipalPermissionAttribute).
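The two options above (a ViewModel property and an IValueConverter) and the service-layer check, as an added example that is not part of the original answer. It uses the WIF 4.5 types the answer names (ClaimsAuthorizationManager, AuthorizationContext in System.Security.Claims). The claim type URIs, the resource/action names, the CustomerAuthorizationManager subclass and the CustomerService class are all assumptions for illustration; the manager is passed in directly instead of being resolved from the IdentityConfiguration so the snippet does not depend on FederatedAuthentication setup.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security;
using System.Security.Claims;
using System.Windows;
using System.Windows.Data;

// Assumed claim types; the answer only gives the claim names as examples.
static class CustomerClaims
{
    public const string CanSaveSettings = "urn:example:UserCanSaveCustomerSettings";
    public const string HasManagementPrivilege = "urn:example:UserHasCustomerManagementPrivilege";
}

// One decision point shared by the WPF layer and the service layer, so both
// enforce exactly the same rules. Unknown resource/action pairs are denied.
public class CustomerAuthorizationManager : ClaimsAuthorizationManager
{
    private static readonly Dictionary<string, string> RequiredClaim =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "CustomerSettings/Save", CustomerClaims.CanSaveSettings },
            { "Customer/Delete",       CustomerClaims.HasManagementPrivilege },
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        // AuthorizationContext(principal, resource, action) yields one claim each.
        string key = context.Resource[0].Value + "/" + context.Action[0].Value;
        string claimType;
        if (!RequiredClaim.TryGetValue(key, out claimType))
            return false;                                   // deny by default
        return context.Principal.HasClaim(c => c.Type == claimType);
    }
}

// Option 1: the ViewModel exposes the decision as a bool; the view binds
// IsEnabled="{Binding CanSaveSettings}" on the Save button.
public class CustomerViewModel
{
    private readonly ClaimsAuthorizationManager _authz;
    private readonly ClaimsPrincipal _user;

    public CustomerViewModel(ClaimsAuthorizationManager authz, ClaimsPrincipal user)
    {
        _authz = authz;
        _user = user;
    }

    public bool CanSaveSettings
    {
        get { return _authz.CheckAccess(new AuthorizationContext(_user, "CustomerSettings", "Save")); }
    }

    public bool CanDeleteCustomer
    {
        get { return _authz.CheckAccess(new AuthorizationContext(_user, "Customer", "Delete")); }
    }
}

// Option 2: a converter that maps "Resource/Action" (ConverterParameter) to
// Visibility, e.g. Visibility="{Binding User, Converter={StaticResource AccessToVisibility},
// ConverterParameter=Customer/Delete}". Missing inputs collapse the control (fail closed).
public class AccessToVisibilityConverter : IValueConverter
{
    public ClaimsAuthorizationManager AuthorizationManager { get; set; }

    public object Convert(object value, Type targetType, object parameter, CultureInfo culture)
    {
        var principal = value as ClaimsPrincipal;
        var parts = (parameter as string ?? string.Empty).Split('/');
        if (principal == null || parts.Length != 2 || AuthorizationManager == null)
            return Visibility.Collapsed;
        bool allowed = AuthorizationManager.CheckAccess(
            new AuthorizationContext(principal, parts[0], parts[1]));
        return allowed ? Visibility.Visible : Visibility.Collapsed;
    }

    public object ConvertBack(object value, Type targetType, object parameter, CultureInfo culture)
    {
        throw new NotSupportedException();
    }
}

// Service layer: the same manager decides again, so a button re-enabled with
// Snoop still ends in a denied call. With the manager registered in the WIF
// IdentityConfiguration, [ClaimsPrincipalPermission(SecurityAction.Demand,
// Resource = "CustomerSettings", Operation = "Save")] expresses this declaratively.
public class CustomerService
{
    private readonly ClaimsAuthorizationManager _authz;
    public CustomerService(ClaimsAuthorizationManager authz) { _authz = authz; }

    public void SaveSettings(ClaimsPrincipal caller, string settings)
    {
        if (!_authz.CheckAccess(new AuthorizationContext(caller, "CustomerSettings", "Save")))
            throw new SecurityException("Caller may not save customer settings.");
        // ... persist settings ...
    }
}
```

The point of routing every check through one ClaimsAuthorizationManager is that the UI decisions (properties, converter) and the service-layer decision cannot drift apart: the UI only mirrors the rule, the service enforces it.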

Other tips

A few answers:

Is there a known and proven way of dealing with this?

Yes, there are a few ways. What you are looking for is called externalized authorization (that's a principle). Different frameworks and languages have different means of achieving that, e.g. Spring Security / Spring EL (in the Java Spring world) or MS Claims in the .NET world. There are technical solutions and there are standards (e.g. RBAC, ABAC, XACML...). ABAC, the attribute-based access control model, will let you define authorization in a central location called the Policy Decision Point (PDP) and then connect your different applications and tiers to the PDP via Policy Enforcement Points (PEP). This means you can apply the same authorization rules to the presentation tier (WPF) and to other layers (e.g. the service layer with WCF...).

Should we design our custom mechanism?

No :-) Reuse what already exists and use standards where possible. Out of curiosity did you reinvent a token type for authentication or do you use a standard one e.g. SAML or Kerberos?

Disclaimer: I work for a XACML vendor, Axiomatics.

I am not aware of any open-source .NET XACML implementation but Axiomatics does provide a commercial solution which may be of interest to you.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow