我有一个对象的安全描述符。我想使用该安全描述符让用户和组对该对象具有权限。如何知道使用该安全描述符的用户具有哪些权限?是否可以使用ObjectSecurity或CommonObjectSecurity抽象类?如果是这样,如何定义访问规则?是否有任何工作示例?
要读取对某个对象具有权限的用户和组,.NET 提供了一个简单的机制:从抽象类 CommonObjectSecurity 派生一个类,覆盖方法 AccessRuleFactory 和 AuditRuleFactory,并覆盖属性 AccessRuleType、AuditRuleType 和 AccessRightType。在下面的示例中,SampleSecurity 类派生自 CommonObjectSecurity;我们还定义了派生自 AccessRule 的 SampleAccessRule 类。可以选择实现 AddAccessRule 和 RemoveAccessRule 来修改安全设置。
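/// <summary>
/// Minimal <see cref="CommonObjectSecurity"/> implementation that exposes the DACL of an
/// arbitrary security descriptor as <see cref="SampleAccessRule"/> instances.
/// Audit (SACL) rules are deliberately not supported: <see cref="AuditRuleFactory"/> and
/// <see cref="AuditRuleType"/> throw <see cref="NotImplementedException"/>, so audit entries
/// of a loaded descriptor cannot be enumerated through this class.
/// </summary>
public class SampleSecurity : CommonObjectSecurity
{
    /// <param name="isContainer">True when the secured object can contain child objects;
    /// the base class uses this when validating inheritance flags.</param>
    public SampleSecurity(bool isContainer)
        : base(isContainer)
    {
    }

    /// <summary>
    /// Builds the rule object the base class returns for each access ACE when the DACL is
    /// enumerated (e.g. via <c>GetAccessRules</c>).
    /// </summary>
    /// <remarks>
    /// The inheritance information passed in by the base class is preserved rather than
    /// replaced with fixed values, so a reader can distinguish explicit from inherited
    /// entries and sees the real inheritance/propagation flags of each ACE.
    /// </remarks>
    public override AccessRule AccessRuleFactory(IdentityReference identityReference,
        int accessMask, bool isInherited, InheritanceFlags inheritanceFlags,
        PropagationFlags propagationFlags, AccessControlType type)
    {
        return new SampleAccessRule(identityReference, accessMask, isInherited,
            inheritanceFlags, propagationFlags, type);
    }

    /// <summary>Adds an explicit, non-inheritable allow or deny entry for <paramref name="identityReference"/>.</summary>
    /// <param name="identityReference">Account or group the entry applies to.</param>
    /// <param name="accessMask">Combination of <see cref="SampleRightsEnum"/> bits; the base
    /// rule type rejects a mask of zero.</param>
    /// <param name="type">Whether the entry allows or denies the rights.</param>
    public void AddAccessRule(IdentityReference identityReference,
        int accessMask, AccessControlType type)
    {
        base.AddAccessRule(new SampleAccessRule(identityReference, accessMask, type));
    }

    /// <summary>Removes a matching entry from the DACL, if one is present.</summary>
    /// <param name="rule">Rule describing the identity, mask, flags and type to remove.</param>
    public void RemoveAccessRule(SampleAccessRule rule)
    {
        base.RemoveAccessRule(rule);
    }

    /// <summary>Type of the rules produced by <see cref="AccessRuleFactory"/>.</summary>
    public override Type AccessRuleType
    {
        get { return typeof(SampleAccessRule); }
    }

    /// <summary>Audit rules are not supported by this sample.</summary>
    /// <exception cref="NotImplementedException">Always thrown.</exception>
    public override AuditRule AuditRuleFactory(IdentityReference identityReference, int accessMask,
        bool isInherited, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags,
        AuditFlags flags)
    {
        throw new NotImplementedException();
    }

    /// <summary>Audit rules are not supported by this sample.</summary>
    /// <exception cref="NotImplementedException">Always thrown.</exception>
    public override Type AuditRuleType
    {
        get { throw new NotImplementedException(); }
    }

    /// <summary>Enum used to interpret the access mask bits of each rule.</summary>
    public override Type AccessRightType
    {
        get { return typeof(SampleRightsEnum); }
    }
}

/// <summary>
/// Access rule for <see cref="SampleSecurity"/>; exposes the raw access mask so callers can
/// cast it to <see cref="SampleRightsEnum"/>.
/// </summary>
public class SampleAccessRule : AccessRule
{
    /// <summary>Creates an explicit (non-inherited), non-inheritable rule.</summary>
    /// <param name="identity">Account or group the rule applies to.</param>
    /// <param name="accessMask">Combination of <see cref="SampleRightsEnum"/> bits; must be non-zero.</param>
    /// <param name="accessType">Allow or Deny.</param>
    public SampleAccessRule(IdentityReference identity, int accessMask, AccessControlType accessType)
        : this(identity, accessMask, false, InheritanceFlags.None, PropagationFlags.None, accessType)
    {
    }

    /// <summary>
    /// Creates a rule carrying full inheritance information. Used by
    /// <see cref="SampleSecurity.AccessRuleFactory"/> so that the flags of an ACE read from an
    /// existing descriptor are reflected in the rule instead of being discarded.
    /// </summary>
    public SampleAccessRule(IdentityReference identity, int accessMask, bool isInherited,
        InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags,
        AccessControlType accessType)
        : base(identity, accessMask, isInherited, inheritanceFlags, propagationFlags, accessType)
    {
    }

    /// <summary>Raw access mask of this entry (a combination of <see cref="SampleRightsEnum"/> bits).</summary>
    public int AccessRights { get { return AccessMask; } }
}

/// <summary>
/// Rights encoded in the access mask of a <see cref="SampleAccessRule"/>. Marked with
/// <see cref="FlagsAttribute"/> because an ACE normally carries several bits at once; without
/// it a combined mask such as 0x003 prints as "3" instead of "sampleRead, sampleWrite".
/// </summary>
[Flags]
public enum SampleRightsEnum
{
    None = 0,
    sampleRead = 0x001,
    sampleWrite = 0x002,
    sampleExecute = 0x004
}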
定义完成后,就可以创建 SampleSecurity 对象并为其设置安全描述符,然后按下面的方式读取各个用户和组的权限。
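// Load the descriptor obtained elsewhere (securityDescriptor is expected to hold the binary,
// self-relative form) into a SampleSecurity so its DACL can be enumerated as SampleAccessRule instances.
SampleSecurity security = new SampleSecurity(false);
security.SetSecurityDescriptorBinaryForm((byte[])securityDescriptor, AccessControlSections.All);
// NOTE(review): the second argument excludes inherited ACEs; pass true to list those as well,
// since they are part of the access the DACL actually grants.
AuthorizationRuleCollection coll = security.GetAccessRules(true, false, typeof(NTAccount));
foreach (AuthorizationRule rule in coll)
{
    // The base class is expected to hand back the rules built by AccessRuleFactory; skip
    // anything else instead of dereferencing the null an unchecked `as` cast would yield.
    SampleAccessRule accRule = rule as SampleAccessRule;
    if (accRule == null)
    {
        continue;
    }
    SampleRightsEnum rights = (SampleRightsEnum)accRule.AccessRights;
    // Each line is one ACE, not the effective access: a Deny entry for the same identity (or a
    // group it belongs to) takes precedence over Allow entries when the DACL is evaluated.
    Console.WriteLine("User or Group {0} having the permissions {1} with access type {2}", rule.IdentityReference.Value, rights.ToString(), accRule.AccessControlType.ToString());
}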