我一直在尝试“从字里行间”了解 NetSqlAzMan 项目最初(和/或当前)的动机。
这是为了什么而写的?
Windows 授权管理器 (AzMan) 的适配器。 NetSqlAzMan 中的方法只是将调用传递给 (Windows 授权管理器 (AzMan)),但可能使用更好/更清洁的方法?
(Windows 授权管理器 (AzMan))的替代品。其中(大部分或全部)(Windows 授权管理器 (AzMan))中可用的功能在 NetSqlAzMan 中重新创建,但代码是独立开发的。 (也许提供 DotNet 4.0 支持???)(也许移除任何 COM 依赖)
提供比 (Windows Authorization Manager (AzMan)) 提供的更多的功能。也就是(Windows 授权管理器 (AzMan))的“更智能”/“更好”版本。
通过开源重写并保持一个半死的项目。 (例如,也许 (Windows Authorization Manager (AzMan))) 是微软的一个死掉或废弃的项目)。
其他?
................
我喜欢 NetSqlAzMan 的对象模型。但我需要向我的项目经理和其他开发人员捍卫使用它的任何决定。 就我对安全性的期望而言,对象模型似乎“恰到好处”(想想 goldilocks 和中间床)。 我不想做基于角色的安全。我想要基于权利(或任务或许可)的安全性。
(参见: http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/ 和 http://granadacoder.wordpress.com/2010/12/01/rant-hard-coded-security-roles/ )
基本上出现的问题是:“使用 NetSqlAzMan 而不是 (Windows Authorization Manager (AzMan)) 有什么优势?”
子问题是“Windows 授权管理器 (AzMan) 死了吗?”。 (以及与 Long Live NetSqlAzMan 类似的东西!)。
......................
我的一般要求是:
非 Active Directory 用户。 (将来 Active Directory 和/或 LDAP 支持会很好,但不是必需的)。
密码未存储为纯文本。
能够处理 RIGHTS 进行安全检查。
将权限分组到任何角色下。
为用户分配角色。 (但同样,代码将检查权限,而不是执行操作时的角色。)
允许(有时)将权限分配给用户。使用拒绝覆盖。 (也就是说,一个人做了愚蠢的事情(比如“删除员工”)可以撤销该权利。)
可以为多个应用维护角色和权限。
欢迎提出其他想法。但是Windows Identity Foundation似乎有点矫枉过正。
谢谢。
最佳答案
昨晚终于找到了一篇“比较”的文章。
http://www.c-sharpcorner.com/uploadfile/a.ferendeles/netsqlazman12122006123316pm/netsqlazman.aspx
我将在此处(下方)粘贴相关部分。 (以防万一该网站将来不复存在。我知道机会很小,但我讨厌“答案就在这里”链接,当您点击该链接时,它就死了。)
据我所知。
NetSqlAzMan 提供了一个(表)用户定义函数,您可以重载该函数以提供用户列表(要分配给角色/任务)。 NetSqlAzMan 不仅提供“Yeah you can”映射 (Grant),还提供 Deny 和 Grant-With-Delegate。 NetSqlAzMan 和 Azman 允许用户(组)角色映射。只有 NetSqlAzMan 允许用户任务映射。
看了几个示例之后……NetSqlAzMan 的对象模型非常干净。
============================================= ========
Ms Authorization Manager (AzMan) vs .NET Sql Authorization Manager (NetSqlAzMan)
As pointed out before, an analogous Microsoft product already exists and is called Authorization Manager (AzMan); AzMan is present, by default, in Windows Server 2003 and, through the Admin Pack setup, in Windows XP.
The important difference between AzMan and NetSqlAzMan is that the first is Role-based, that is, based on the belonging - Role concept and the operations container in each role, while the second is Item-based (or if you prefer Operation-based), that is users or users group or group of groups that can or cannot belong to Roles or execute such Task and/or Operations (Items).
Here the most important features and differences between the two products:
Ms AzMan:
* It's COM. * It's equipped by a MMC 2.0 (COM) console. * Its storage can be an XML file or ADAM (Active Directory Application Mode - e un LDAP). * It's role-based. * It supports static/dynamic applicative groups, members/not-members. * Structure based on Roles -> Tasks -> Operations. (Hierarchical Roles and Tasks , none Operations). * Authorizations can be added only to Roles. * It doesn't implement the "delegate" concept. * It doesn't manage authorizations "in the time". * It doesn't trigger events. * The only type of authorization is "Allow". (to "deny" it needs to remove the user/group from his Role). * It supports Scripting / Biz rules. * It supports Active Directory users/groups and ADAM users.NetSqlAzMan:
* It's .NET 2.0. * It's equipped by a MMC 3.0 (.NET) console. * Its storage is a Sql Server database(2000/MSDE/2005/Express). * It's based on Tdo - Typed Data Object technology. * It's Item-based. * Structure based on Roles -> Tasks -> Operations. (all hierarchical ones). * Authorizations can be added to Roles, Task and Operations. * It supports static/dynamic applicative groups, members/not-members. * LDAP query testing directly from console. * It's time-dependant. * It's delegate-compliant. * It triggers events (ENS). * It supports 4 authorization types: o Allow with delegation (authorized and authorized to delegate). o Allow (authorized). o Deny (not authorized). o Neutral (neutral permission, it depends on higher level Item permission). * Hierarchical authorizations. * It supports Scripting / Biz rules (compiled in .NET - C# - VB - and not interpreted) * It supports Active Directory users/groups and custom users defined in SQL Server Database.
这是另一个问题。
阿兹曼示例代码: http://channel9.msdn.com/forums/sandbox/252978-AzMan-in-the-Enterprise-Sample-Code http://channel9.msdn.com/forums/sandbox/252973-Programming-AzMan-Sample-Code
using System;
using System.Security.Principal;
using System.Runtime.InteropServices;
using AZROLESLib;
namespace TreyResearch {
public class AzManHelper : IDisposable {
AzAuthorizationStore store;
IAzApplication app;
string appName;
public AzManHelper(string connectionString, string appName) {
this.appName = appName;
try {
// load and initialize the AzMan runtime
store = new AzAuthorizationStore();
store.Initialize(0, connectionString, null);
// drill down to our application
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("Failed to initizlize AzManHelper", x);
}
catch (System.IO.FileNotFoundException x) {
throw new AzManException(string.Format("Failed to load AzMan policy from {0} - make sure your connection string is correct.", connectionString), x);
}
}
public void Dispose() {
if (null == app) return;
Marshal.ReleaseComObject(app);
Marshal.ReleaseComObject(store);
app = null;
store = null;
}
public bool AccessCheck(string audit, Operations op,
WindowsIdentity clientIdentity) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
null, null, null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheck failed", x);
}
}
public bool AccessCheckWithArg(string audit, Operations op,
WindowsIdentity clientIdentity,
string argName, object argValue) {
try {
// first step is to create an AzMan context for the client
// this looks at the security identifiers (SIDs) in the user's
// access token and maps them onto AzMan roles, tasks, and operations
IAzClientContext ctx = app.InitializeClientContextFromToken(
(ulong)clientIdentity.Token.ToInt64(), null);
// next step is to see if this user is authorized for
// the requested operation. Note that AccessCheck allows
// you to check multiple operations at once if you desire
object[] scopes = { "" };
object[] operations = { (int)op };
object[] argNames = { argName };
object[] argValues = { argValue };
object[] results = (object[])ctx.AccessCheck(audit, scopes, operations,
argNames, argValues,
null, null, null);
int result = (int)results[0];
return 0 == result;
}
catch (COMException x) {
throw new AzManException("AccessCheckWithArg failed", x);
}
}
// use this to update a running app
// after you change the AzMan policy
public void UpdateCache() {
try {
store.UpdateCache(null);
Marshal.ReleaseComObject(app);
app = store.OpenApplication(appName, null);
}
catch (COMException x) {
throw new AzManException("UpdateCache failed", x);
}
}
}
public class AzManException : Exception {
public AzManException(string message, Exception innerException)
: base(message, innerException)
{}
}
}
那是 Azman 助手代码。那是丑陋的 COM/Interopish 东西。 :
现在检查 NetSqlAzMan 代码示例:
http://netsqlazman.codeplex.com/wikipage?title=Samples
/// <summary>
/// Create a Full Storage through .NET code
/// </summary>
private void CreateFullStorage()
{
// USER MUST BE A MEMBER OF SQL DATABASE ROLE: NetSqlAzMan_Administrators
//Sql Storage connection string
string sqlConnectionString = "data source=(local);initial catalog=NetSqlAzManStorage;user id=netsqlazmanuser;password=password";
//Create an instance of SqlAzManStorage class
IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);
//Open Storage Connection
storage.OpenConnection();
//Begin a new Transaction
storage.BeginTransaction(AzManIsolationLevel.ReadUncommitted);
//Create a new Store
IAzManStore newStore = storage.CreateStore("My Store", "Store description");
//Create a new Basic StoreGroup
IAzManStoreGroup newStoreGroup = newStore.CreateStoreGroup(SqlAzManSID.NewSqlAzManSid(), "My Store Group", "Store Group Description", String.Empty, GroupType.Basic);
//Retrieve current user SID
IAzManSid mySid = new SqlAzManSID(WindowsIdentity.GetCurrent().User);
//Add myself as sid of "My Store Group"
IAzManStoreGroupMember storeGroupMember = newStoreGroup.CreateStoreGroupMember(mySid, WhereDefined.Local, true);
//Create a new Application
IAzManApplication newApp = newStore.CreateApplication("New Application", "Application description");
//Create a new Role
IAzManItem newRole = newApp.CreateItem("New Role", "Role description", ItemType.Role);
//Create a new Task
IAzManItem newTask = newApp.CreateItem("New Task", "Task description", ItemType.Task);
//Create a new Operation
IAzManItem newOp = newApp.CreateItem("New Operation", "Operation description", ItemType.Operation);
//Add "New Operation" as a sid of "New Task"
newTask.AddMember(newOp);
//Add "New Task" as a sid of "New Role"
newRole.AddMember(newTask);
//Create an authorization for myself on "New Role"
IAzManAuthorization auth = newRole.CreateAuthorization(mySid, WhereDefined.Local, mySid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Create a custom attribute
IAzManAttribute<IAzManAuthorization> attr = auth.CreateAttribute("New Key", "New Value");
//Create an authorization for DB User "Andrea" on "New Role"
IAzManAuthorization auth2 = newRole.CreateAuthorization(mySid, WhereDefined.Local, storage.GetDBUser("Andrea").CustomSid, WhereDefined.Local, AuthorizationType.AllowWithDelegation, null, null);
//Commit transaction
storage.CommitTransaction();
//Close connection
storage.CloseConnection();
}
这本身就是一个故事。
关于c# - NetSqlAzMan vs AzMan vs (?????),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/8750367/
如何在ruby中调用C#dll? 最佳答案 我能想到几种可能性:为您的DLL编写(或找人编写)一个COM包装器,如果它还没有,则使用Ruby的WIN32OLE库来调用它;看看RubyCLR,其中一位作者是JohnLam,他继续在Microsoft从事IronRuby方面的工作。(估计不会再维护了,可能不支持.Net2.0以上的版本);正如其他地方已经提到的,看看使用IronRuby,如果这是您的技术选择。有一个主题是here.请注意,最后一篇文章实际上来自JohnLam(看起来像是2009年3月),他似乎很自在地断言RubyCL
我正在尝试在Ruby中复制Convert.ToBase64String()行为。这是我的C#代码:varsha1=newSHA1CryptoServiceProvider();varpasswordBytes=Encoding.UTF8.GetBytes("password");varpasswordHash=sha1.ComputeHash(passwordBytes);returnConvert.ToBase64String(passwordHash);//returns"W6ph5Mm5Pz8GgiULbPgzG37mj9g="当我在Ruby中尝试同样的事情时,我得到了相同sha
C#实现简易绘图工具一.引言实验目的:通过制作窗体应用程序(C#画图软件),熟悉基本的窗体设计过程以及控件设计,事件处理等,熟悉使用C#的winform窗体进行绘图的基本步骤,对于面向对象编程有更加深刻的体会.Tutorial任务设计一个具有基本功能的画图软件**·包括简单的新建文件,保存,重新绘图等功能**·实现一些基本图形的绘制,包括铅笔和基本形状等,学习橡皮工具的创建**·设计一个合理舒适的UI界面**注明:你可能需要先了解一些关于winform窗体应用程序绘图的基本知识,以及关于GDI+类和结构的知识二.实验环境Windows系统下的visualstudio2017C#窗体应用程序三.
我如何做Ruby方法"Flatten"RubyMethod在C#中。此方法将锯齿状数组展平为一维数组。例如:s=[1,2,3]#=>[1,2,3]t=[4,5,6,[7,8]]#=>[4,5,6,[7,8]]a=[s,t,9,10]#=>[[1,2,3],[4,5,6,[7,8]],9,10]a.flatten#=>[1,2,3,4,5,6,7,8,9,10 最佳答案 递归解决方案:IEnumerableFlatten(IEnumerablearray){foreach(variteminarray){if(itemisIEnume
我最近从C#转向了Ruby,我发现自己无法制作可折叠的标记代码区域。我只是想到做这种事情应该没问题:classExamplebegin#agroupofmethodsdefmethod1..enddefmethod2..endenddefmethod3..endend...但是这样做真的可以吗?method1和method2最终与method3是同一种东西吗?还是有一些我还没有见过的用于执行此操作的Ruby惯用语? 最佳答案 正如其他人所说,这不会改变方法定义。但是,如果要标记方法组,为什么不使用Ruby语义来标记它们呢?您可以使用
什么是Linq聚合方法的ruby等价物。它的工作原理是这样的varfactorial=new[]{1,2,3,4,5}.Aggregate((acc,i)=>acc*i);每次将数组序列中的值传递给lambda时,变量acc都会累积。 最佳答案 这在数学以及几乎所有编程语言中通常称为折叠。它是更普遍的变形概念的一个实例。Ruby从Smalltalk中继承了这个特性的名称,它被称为inject:into:(像aCollectioninject:aStartValueinto:aBlock一样使用。)所以,在Ruby中,它称为inj
关闭。这个问题是opinion-based.它目前不接受答案。想要改进这个问题?更新问题,以便editingthispost可以用事实和引用来回答它.关闭8年前。Improvethisquestion几年前我去学校学习编程,毕业后我找到了一份系统管理方面的工作,这就是我职业生涯的方向。我想重新开始某种开发,并且一直在“玩”C#和ASP.NET,但我已经听到很多关于其他"new"语言的讨论(新的意思是它们是新的)我)喜欢Ruby和F#。我想我想知道我是否在浪费时间学习主要的MS语言,而不是成为一名通才。很长一段时间没有离开开发社区(如果我曾经离开过的话)让我在潮流中挣扎,我不想落在时代的
我有一个简单的Ruby脚本,我用它在某些HTTPheader上执行private_encrypt以签署要发送到rubyRESTAPI的Web请求,该API会根据Base64编码字符串测试Base64编码字符串生成而不是解码Base64和解密数据然后测试原始字符串。我使用的脚本是require"openssl"require"base64"path_to_cert=ARGV[0].dupplain_text=Base64.decode64(ARGV[1].dup)private_key=OpenSSL::PKey::RSA.new(File.read(path_to_cert))pu
我是ruby开发的新手,我目前正在使用rails2.3.11在ruby1.8.7中开发一个项目,我想知道这种语言是否有与C#的linq等效的集合操作,例如where子句。谢谢。 最佳答案 Ruby中Linq的where等价于find_all检查documentationfortheEnumerableModule用于其他功能。 关于C#的LINQ用于在ruby中等效的集合操作,我们在StackOverflow上找到一个类似的问题: https://
我正在尝试转换Ruby的time到C#,但我现在卡住了。这是我的尝试:publicstaticclassExtensions{publicstaticvoidTimes(thisInt32times,WhatGoesHere?){for(inti=0;i我是C#的新手,也许这个应该很简单,而且我知道我想使用Extensionmethods。但由于函数在C#中不是“第一类”,我现在被卡住了。那么,我应该为WhatGoesHere使用什么参数类型? 最佳答案 您可以使用Action输入:publicstaticclassExtensio