Can anyone tell me how to define a XACML interceptor for WCF Data Services?
273 views
1 answer
1
Interceptors for WCF Data Services are essentially lambda expressions of type Expression<Func<T, bool>> for each entity in the data source (more information about interceptors), which limits you to very simple and almost static authorization rules. XACML, on the other hand, is a very flexible and dynamic authorization solution. I cannot think of a possible generic integration. At the same time, a non-generic integration is very simple:
[QueryInterceptor("Customers")]
public Expression<Func<Customer, bool>> FilterCustomers()
{
    // First of all you need to get all request attributes.
    // Information could come from session, from cookies or
    // from the request; in this example I will only use subjectId.
    // In XACML subjectId could be the user name.
    var subjectId = GetSubjectId();

    // After you have all data, build the XACML request.
    // This code is specific to our XACML implementation.
    var xacmlRequest = new XacmlDecisionRequestContext()
        .AddRequest(r => r
            .AddResource(a => a.Add(XacmlConstants.ResourceAttributes.ResourceId, new Uri("Customer", UriKind.RelativeOrAbsolute)))
            .AddSubject(a => a.Add(XacmlConstants.SubjectAttributes.SubjectId, subjectId))
        );

    // Evaluate the request at the policy decision point.
    var result = PolicyDecisionPoint.Evaluate(xacmlRequest);

    // Based on the XACML decision result you can construct the expression.
    // This example is a simple true or false, but based on
    // XACML Advices or XACML Attributes you can build a much more
    // sophisticated expression.
    // The returned lambda must take the entity as its parameter,
    // because the interceptor's return type is Expression<Func<Customer, bool>>.
    if (result.Decisions.Single().Decision == XacmlDecision.Permit)
    {
        return c => true;
    }
    return c => false;
}
This example assumes you are intercepting access to the Customer entity. It only applies to queries. You should place this method in your DataService class.
The example is based on the Axiomatics PEP SDK for .NET (I am working on this product), but the idea will work with any XACML implementation.
Answered 2013-04-29T09:33:56.847
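The answer mentions turning a Permit carrying XACML advice or attributes into a richer filter than plain true/false. The following is an added example, not code from the answer or from the Axiomatics SDK: the Decision enum, PdpResponse type and the "region" advice key are hypothetical stand-ins for whatever the real PDP client returns, and everything that is not an explicit Permit is mapped to a deny-all filter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;

// Hypothetical, minimal stand-ins for a PDP response; real SDK types differ.
enum Decision { Permit, Deny, NotApplicable, Indeterminate }

sealed class PdpResponse
{
    public Decision Decision;
    // Hypothetical: advice attached to a Permit, e.g. "region" -> "EMEA",
    // meaning "permit, but only rows belonging to the EMEA region".
    public Dictionary<string, string> Advice = new Dictionary<string, string>();
}

sealed class Customer { public string Name; public string Region; }

static class XacmlFilterBuilder
{
    // Converts a PDP response into the interceptor's filter expression.
    // Deny, NotApplicable, Indeterminate and a missing response all fail closed.
    public static Expression<Func<Customer, bool>> ToFilter(PdpResponse response)
    {
        if (response == null || response.Decision != Decision.Permit)
            return c => false;

        string region;
        if (response.Advice.TryGetValue("region", out region))
            return c => c.Region == region;   // row-level scope taken from advice

        return c => true;                     // unconditional Permit
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample data standing in for the Customers entity set.
        var customers = new[] {
            new Customer { Name = "A", Region = "EMEA" },
            new Customer { Name = "B", Region = "APAC" }
        }.AsQueryable();

        var scoped = new PdpResponse { Decision = Decision.Permit };
        scoped.Advice["region"] = "EMEA";
        Console.WriteLine(customers.Where(XacmlFilterBuilder.ToFilter(scoped)).Count());

        var unknown = new PdpResponse { Decision = Decision.Indeterminate };
        Console.WriteLine(customers.Where(XacmlFilterBuilder.ToFilter(unknown)).Count());
    }
}
```

In a real DataService the QueryInterceptor method would call ToFilter on the response from PolicyDecisionPoint.Evaluate instead of returning the literal lambdas.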