I have a 3-level ASP.NET MVC 3 project with a data layer, service layer, then the presentation level that calls to get data, the service layer is actually using the doFactory pattern in the action solution.
I want to implement a custom membership, roles, and profile provider, but I am not sure where to put it. I was thinking of putting it into the service level, after which to get information there is a provider call on DAO objects.
Any other ideas?
You are thinking very well. Though the UI layer interacts with the client and takes your password, your service layer should try the process on the enter system. The services objects that are responsible for the authorization with information from the way of your proceedings are passed. Whether it is in a web application or not. The data layer is only where this information is stored, where it is not processed.

You can choose to keep the user's ID in session in the UI layer. On the login, the service layer will take the username / password / whatever and the user ID will return. Or, every time your action methods are used to get user information, a level of session can be in the session key.

Edit due to comment: I have my security verdict in this current project (area of two million dollars) action methods. (However, to simplify the tools are objects from the service layer.) For example, if the current user does not have this role or that role, then redirect them to the rejection page, otherwise, do this work. This is the easiest way for my app and many others. ("Simple" means that it will get worse at least. When it comes to security, it is very good!) Since the verb method is the gateway to the methodology, hence the security in the service level will have only additional work and what really is happening in the unclear security is now, this is my app, where there is usually a place where every action happens.

Your app may vary, more different action methods and (especially) different components are using the functionality of your services layer, as much as you want your service layer functionality to be your authorization closed with the scheme.

Many people think security should always be in the service level, and that any additional security action in the UI layer will be bonus redundancy. I do not agree with him. MyServiceLayerObject.DoThing(): there is no security in it.