In an application, we want a user to see only the menu items that he or she is authorized to access. The ASP.NET framework has a menu control that renders data defined as a SiteMap, an XML-style data structure.
In order to implement a role-based menu we need users, roles, resources (URLs) and the relationships between them established. Then we can implement a SiteMap provider that retrieves the data for a given user account and generates the XML feed.
I helped a colleague in RBC with this solution, where the data source is a set of database tables. The following is the simplified data definition:
SiteMap ::= collection(entry)
entry ::= (id, text, description, parent_id, url)
user ::= (id, name, role_id)
role ::= (id, name, description)
role_entry ::= (role_id, entry_id)
The SiteMap provider encapsulates the data source and the access logic, and ends up providing the structured data that the menu control binds to.
It has two interface methods:
Provide(user_name) : SiteMap
Provider(role_id) : SiteMap
It works perfectly for the menu. However, I feel that a role-based menu alone is not enough to secure a web application. In fact it is only a matter of effective UI, meaning a user gets the right menu items to operate with. It doesn't secure anything: a user can simply type a URL to access a page that is not shown in the menu.
In terms of website security, an application needs to verify every single request: who made the request and what was requested.
This can be done by checking the request context at the page or application level, for example:
// The authenticated caller comes from HttpContext.User (Page.User), not from a request field
string requestUser = User.Identity.Name;
string requestRole = Role.GetRole(requestUser);
// URLs this role is allowed to access: the same data the menu is built from
IList<string> userUrls = Privileges.GetUrls(requestRole);
// IndexOf returns 0 for the first element, so the test must be >= 0 (or use Contains);
// compare the request path, not the whole Uri object
if (userUrls.IndexOf(Request.Url.AbsolutePath) >= 0) {
    // authorized request
} else {
    // log the unauthorized access attempt, then send the user to the login page
    Response.Redirect(App.LoginUrl);
}
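To show the two halves side by side (the role-filtered SiteMap built from the tables defined above, and the same role data applied to every request), here is an added Python model of this post's data definitions; it is example code, not the ASP.NET provider from the post, and the entries, users and roles are constructed sample data:

```python
# Constructed sample data following the post's definitions:
# entry ::= (id, text, description, parent_id, url)
ENTRIES = [
    (1, "Home", "Landing page", None, "/default.aspx"),
    (2, "Reports", "Reporting area", None, "/reports/default.aspx"),
    (3, "Sales report", "Sales figures", 2, "/reports/sales.aspx"),
    (4, "Admin", "Administration", None, "/admin/default.aspx"),
    (5, "Users", "Manage users", 4, "/admin/users.aspx"),
]
USERS = {"alice": 1, "bob": 2}          # user ::= (id, name, role_id), keyed by name
ROLES = {1: "admin", 2: "analyst"}      # role ::= (id, name, description)
ROLE_ENTRY = {                          # role_entry ::= (role_id, entry_id)
    (1, 1), (1, 2), (1, 3), (1, 4), (1, 5),   # admin sees everything
    (2, 1), (2, 2), (2, 3),                   # analyst sees Home and Reports only
}


def provide_by_role(role_id):
    """Provider(role_id) : SiteMap -- nested menu of the entries this role may see."""
    allowed = {entry_id for r, entry_id in ROLE_ENTRY if r == role_id}

    def children(parent_id):
        return [
            {"text": text, "url": url, "children": children(eid)}
            for eid, text, _desc, pid, url in ENTRIES
            if pid == parent_id and eid in allowed
        ]

    return children(None)


def provide(user_name):
    """Provide(user_name) : SiteMap -- resolve the user's role, then build the menu."""
    return provide_by_role(USERS[user_name])


def is_authorized(user_name, request_url):
    """Per-request check: the same role data, applied to every request rather than
    only when the menu is rendered. A URL typed by hand is rejected like any other."""
    role_id = USERS.get(user_name)
    if role_id is None:                      # unknown or anonymous user
        return False
    # ASP.NET paths are case-insensitive; drop the query string before comparing
    path = request_url.split("?", 1)[0].lower()
    allowed = {url.lower() for eid, _t, _d, _p, url in ENTRIES if (role_id, eid) in ROLE_ENTRY}
    return path in allowed
```

The menu for `bob` never lists `/admin/users.aspx`, and `is_authorized("bob", "/admin/users.aspx")` is also false, which is the point the post makes: the menu filter and the request check must draw on the same role data.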