【发布时间】:2011-09-02 16:16:25
【问题描述】:
我计划使用基于CodeAccessSecurity 的自定义基于权限的声明式授权机制。为了实现它,我创建了以下从CodeAccessSecurityAttribute 派生的子类:
[Serializable]
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = false)]
public class RequirePermissionAttribute : CodeAccessSecurityAttribute {
private static readonly IPermission _deny = new SecurityPermission(PermissionState.None);
private static readonly IPermission _allow = new SecurityPermission(PermissionState.Unrestricted);
public RequirePermissionAttribute(SecurityAction action)
: base(action) {
}
public string Permission { get; set; }
public override IPermission CreatePermission() {
if (User.HasPermission(Permission))
return _allow;
else
return _deny;
}
}
我是这样用的:
[ServiceContract]
public class Service {
[OperationContract]
[RequirePermission(SecurityAction.Demand, Permission = "GetArbitaryProduct")]
public User GetProduct(string name) {
return _productRepository.Get(name);
}
}
我预计如果CreatePermission 方法返回_deny 访问GetProduct 将受到限制。但看起来CodeAccessSecurity 不是这样工作的。我是否必须抛出异常才能正确限制访问?或者也许有更优雅的方式来实现这一目标?
【问题讨论】:
标签: wcf authorization code-access-security