XAF Security System

Original post, 25 March 2012, 22:54:29

Security system strategies

XAF's security system is defined by the static class SecuritySystem. When an end user works with an XAF application, the security system checks whether the current user has sufficient permissions to perform a given operation.

XAF provides two built-in security strategies:

Simple Security Strategy

This strategy has two user types: user and administrator. A user can access all objects except User objects; it can, however, change its own password and other security-unrelated details. In addition, a user can access the User list in read-only mode. An Administrator can access all objects and can also edit the Application Model.

Complex Security Strategy

This strategy provides multiple user groups, called Roles. Each role carries a different set of permissions, and a user can hold several Roles, so a user's permissions accumulate. The relationship between users and roles is many-to-many.

XAF's two authentication modes:

Standard Authentication

Standard authentication: a login window is shown and the user enters a user name and password to log in.

Active Directory Authentication

Active Directory authentication: the application uses the Windows Active Directory service to obtain the current user's information and then authenticates the user with it. If the user found on the current system matches an object in the database, authentication succeeds. XAF uses this mode by default.


Complex Security Strategy

1. Basic concepts

Five operation permissions:

SecurityOperations.Create

SecurityOperations.Delete

SecurityOperations.Navigate

SecurityOperations.Read

SecurityOperations.Write

A note on SecurityOperations.Navigate: when it is granted for a Type, the type can be navigated to both from the navigation bar and from lists; when it is granted for an object, the object is not shown in the navigation bar but can still be navigated to from lists.

Permissions can be controlled at fine granularity, on three levels:

object-level: targets specific objects, usually selected with an object filter (criteria);

type-level: targets a type; its subclasses naturally fall within the same permission scope;

member-level: targets a property (member) of a type;

The three levels can be combined to build complex permissions.

2. Implementation steps

2.1 Add the security components

Drag Security Strategy Complex and Authentication Standard onto WinApplication.cs.


The following code goes into the UpdateDatabaseAfterUpdateSchema method of MySolution.Module | DatabaseUpdate | Updater.cs. It uses two custom helper functions, also defined in that file:

// Grants all five operations on the type and, recursively, on its descendants
private void GrantAllAccess(Type type, ref SecurityRole role)
{
    role.Permissions.GrantRecursive(type, SecurityOperations.Create);
    role.Permissions.GrantRecursive(type, SecurityOperations.Delete);
    role.Permissions.GrantRecursive(type, SecurityOperations.Navigate);
    role.Permissions.GrantRecursive(type, SecurityOperations.Read);
    role.Permissions.GrantRecursive(type, SecurityOperations.Write);
}

// Denies all five operations on the type and, recursively, on its descendants
private void DenyAllAccess(Type type, ref SecurityRole role)
{
    role.Permissions.DenyRecursive(type, SecurityOperations.Create);
    role.Permissions.DenyRecursive(type, SecurityOperations.Delete);
    role.Permissions.DenyRecursive(type, SecurityOperations.Navigate);
    role.Permissions.DenyRecursive(type, SecurityOperations.Read);
    role.Permissions.DenyRecursive(type, SecurityOperations.Write);
}

2.2 Create the roles and users

#region Create the Administrators role
// If a role named "Administrators" does not exist in the database, create it
SecurityRole adminRole = ObjectSpace.FindObject<SecurityRole>(new BinaryOperator("Name", "Administrators"));
if (adminRole == null)
{
    adminRole = ObjectSpace.CreateObject<SecurityRole>();
    adminRole.Name = "Administrators";
}
adminRole.BeginUpdate();
// Grant permission to edit the Application Model
adminRole.CanEditModel = true;
// Provide full access to all objects
GrantAllAccess(typeof(object), ref adminRole);
adminRole.EndUpdate();
// Save the Administrators role to the database
adminRole.Save();
#endregion

#region Create the Users role by taking permissions away from the administrator set
// If a role named "Users" does not exist in the database, create it
SecurityRole userRole = ObjectSpace.FindObject<SecurityRole>(new BinaryOperator("Name", "Users"));
if (userRole == null)
{
    userRole = ObjectSpace.CreateObject<SecurityRole>();
    userRole.Name = "Users";
}
userRole.BeginUpdate();
GrantAllAccess(typeof(object), ref userRole);
// Deny the security-related types again so plain users cannot touch accounts, roles or permissions
DenyAllAccess(typeof(SecurityUser), ref userRole);
DenyAllAccess(typeof(SecurityRole), ref userRole);
DenyAllAccess(typeof(PermissionDescriptorBase), ref userRole);
DenyAllAccess(typeof(PermissionData), ref userRole);
DenyAllAccess(typeof(TypePermissionDetails), ref userRole);
userRole.EndUpdate();
// Save the "Users" role to the database
userRole.Save();
#endregion

SecurityRole defaultRole = ObjectSpace.FindObject<SecurityRole>(new BinaryOperator("Name", "Default"));
if (defaultRole == null)
{
    defaultRole = ObjectSpace.CreateObject<SecurityRole>();
    defaultRole.Name = "Default";
    // Object-level control: the SecurityUser object whose Oid is the current user's id.
    // Allow reading and navigating to the SecurityUser object representing the current user
    ObjectOperationPermissionData myDetailsPermission = ObjectSpace.CreateObject<ObjectOperationPermissionData>();
    myDetailsPermission.TargetType = typeof(SecurityUser);
    myDetailsPermission.Criteria = "[Oid] = CurrentUserId()";
    myDetailsPermission.AllowNavigate = true;
    myDetailsPermission.AllowRead = true;
    myDetailsPermission.Save();
    defaultRole.PersistentPermissions.Add(myDetailsPermission);
    // Member-level control: the ChangePasswordOnFirstLogon and StoredPassword properties of SecurityUser.
    // Allow writing these two properties
    MemberOperationPermissionData userMembersPermission = ObjectSpace.CreateObject<MemberOperationPermissionData>();
    userMembersPermission.TargetType = typeof(SecurityUser);
    userMembersPermission.Members = "ChangePasswordOnFirstLogon, StoredPassword";
    userMembersPermission.AllowWrite = true;
    userMembersPermission.Save();
    defaultRole.PersistentPermissions.Add(userMembersPermission);
    // Allow reading and navigating to the SecurityRole object representing the current role
    ObjectOperationPermissionData defaultRolePermission = ObjectSpace.CreateObject<ObjectOperationPermissionData>();
    defaultRolePermission.TargetType = typeof(SecurityRole);
    defaultRolePermission.Criteria = "[Name] = 'Default'";
    defaultRolePermission.AllowNavigate = true;
    defaultRolePermission.AllowRead = true;
    defaultRolePermission.Save();
    defaultRole.PersistentPermissions.Add(defaultRolePermission);
    // Type-level control: the AuditDataItemPersistent type.
    // Allow access to the objects of the AuditDataItemPersistent type
    TypeOperationPermissionData auditDataItemPermission = ObjectSpace.CreateObject<TypeOperationPermissionData>();
    auditDataItemPermission.TargetType = typeof(AuditDataItemPersistent);
    auditDataItemPermission.AllowRead = true;
    auditDataItemPermission.AllowWrite = true;
    auditDataItemPermission.AllowCreate = true;
    auditDataItemPermission.Save();
    defaultRole.PersistentPermissions.Add(auditDataItemPermission);

    defaultRole.Save();
}

// If a user named 'Sam' does not exist in the database, create this user
SecurityUser user1 = ObjectSpace.FindObject<SecurityUser>(new BinaryOperator("UserName", "Sam"));
if (user1 == null)
{
    user1 = ObjectSpace.CreateObject<SecurityUser>();
    user1.UserName = "Sam";
    // Set a password if the standard authentication type is used
    user1.SetPassword("");
}
// If a user named 'John' does not exist in the database, create this user
SecurityUser user2 = ObjectSpace.FindObject<SecurityUser>(new BinaryOperator("UserName", "John"));
if (user2 == null)
{
    user2 = ObjectSpace.CreateObject<SecurityUser>();
    user2.UserName = "John";
    // Set a password if the standard authentication type is used
    user2.SetPassword("");
}

// Add the "Administrators" role to user1
user1.Roles.Add(adminRole);
// Add the "Users" and "Default" roles to user2
user2.Roles.Add(userRole);
user2.Roles.Add(defaultRole);
// Save the users to the database
user1.Save();
user2.Save();
ObjectSpace.CommitChanges();

// Look the anonymous role up by the same name it is created with. Searching for
// AdministratorRoleName here would find the Administrators role instead and hand it to the anonymous user.
SecurityRole anonymousRole = ObjectSpace.FindObject<SecurityRole>(new BinaryOperator("Name", SecurityStrategy.AnonymousUserName));
if (anonymousRole == null)
{
    anonymousRole = ObjectSpace.CreateObject<SecurityRole>();
    anonymousRole.Name = SecurityStrategy.AnonymousUserName;
    anonymousRole.BeginUpdate();
    // The anonymous role may only read SecurityUser objects
    anonymousRole.Permissions[typeof(SecurityUser)].Grant(SecurityOperations.Read);
    anonymousRole.EndUpdate();
    anonymousRole.Save();
}
SecurityUser anonymousUser = ObjectSpace.FindObject<SecurityUser>(new BinaryOperator("UserName", SecurityStrategy.AnonymousUserName));
if (anonymousUser == null)
{
    anonymousUser = ObjectSpace.CreateObject<SecurityUser>();
    anonymousUser.UserName = SecurityStrategy.AnonymousUserName;
    anonymousUser.IsActive = true;
    anonymousUser.SetPassword("");
    anonymousUser.Roles.Add(anonymousRole);
    anonymousUser.Save();
}
// Commit the anonymous role and user as well; the earlier CommitChanges() did not cover them
ObjectSpace.CommitChanges();
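The three permission levels combined for a single business class, as an added example that is not part of the original post: a "Sales" role gets type-level navigate/read/create on an Order class, object-level write only on Orders whose CreatedBy is the current user, and member-level write on the Notes member of every Order. The second method is a sanity check to run before CommitChanges(): it refuses to let a user such as the anonymous user carry the Administrators role, which a role lookup that used AdministratorRoleName by mistake would otherwise cause silently. Order, CreatedBy, Notes and the role name "Sales" are assumed names; the permission-data classes and properties are the ones used in the Updater code above.

```csharp
using System;
using System.Linq;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;

public static class SalesRoleBuilder
{
    // Builds (or fetches) a "Sales" role mixing the three permission levels for the
    // assumed Order class (Order, CreatedBy and Notes are not part of the original post).
    public static SecurityRole GetOrCreateSalesRole(IObjectSpace objectSpace)
    {
        SecurityRole salesRole = objectSpace.FindObject<SecurityRole>(new BinaryOperator("Name", "Sales"));
        if (salesRole != null) return salesRole;   // idempotent, like the Updater code above
        salesRole = objectSpace.CreateObject<SecurityRole>();
        salesRole.Name = "Sales";
        // Type-level: every Order is navigable and readable, and new Orders may be created.
        TypeOperationPermissionData orderType = objectSpace.CreateObject<TypeOperationPermissionData>();
        orderType.TargetType = typeof(Order);
        orderType.AllowNavigate = true;
        orderType.AllowRead = true;
        orderType.AllowCreate = true;
        orderType.Save();
        salesRole.PersistentPermissions.Add(orderType);
        // Object-level: write access only to Orders the current user created
        // (CurrentUserId() is the same criteria function as in "[Oid] = CurrentUserId()").
        ObjectOperationPermissionData ownOrders = objectSpace.CreateObject<ObjectOperationPermissionData>();
        ownOrders.TargetType = typeof(Order);
        ownOrders.Criteria = "[CreatedBy.Oid] = CurrentUserId()";
        ownOrders.AllowWrite = true;
        ownOrders.Save();
        salesRole.PersistentPermissions.Add(ownOrders);
        // Member-level: the Notes member alone is writable on every Order, whoever created it.
        MemberOperationPermissionData notesMember = objectSpace.CreateObject<MemberOperationPermissionData>();
        notesMember.TargetType = typeof(Order);
        notesMember.Members = "Notes";
        notesMember.AllowWrite = true;
        notesMember.Save();
        salesRole.PersistentPermissions.Add(notesMember);
        salesRole.Save();
        return salesRole;
    }

    // Sanity check to run before ObjectSpace.CommitChanges(): a role lookup that used
    // AdministratorRoleName by mistake would otherwise hand this user full access.
    public static void EnsureNotAdministrator(SecurityUser user)
    {
        if (user.Roles.Any(r => r.Name == SecurityStrategy.AdministratorRoleName))
            throw new InvalidOperationException(user.UserName + " must not hold the Administrators role.");
    }
}
```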

In addition, permission policies can also be created at run time:
