Can someone explain the claims mechanism in the new ASP.NET Identity Core?
As far as I can see, there is an AspNetUserLogins table containing UserId, LoginProvider and ProviderKey.
But I still can't understand, or find any information about, when data is added to the AspNetUserClaims table and what this table is used for.
What does the claims mechanism mean in the new ASP.NET Identity Core?
There are two common authorization approaches: role-based and claims-based.
Role-based security
A user is assigned to one or more roles, and it is through those roles that the user gets access rights. In addition, by assigning a user to a role, the user immediately gets all the access rights defined for that role.
Claims-based security
A claims-based identity is the set of claims. A claim is a statement that an entity (a user or another application) makes about itself, it's just a claim. For example a claim list can have the user’s name, user’s e-mail, user’s age, user's authorization for an action. In role-based Security, a user presents the credentials directly to the application. In a claims-based model, the user presents the claims and not the credentials to the application. For a claim to have practical value, it must come from an entity the application trusts.
The following steps show the sequence that occurs in a claims-based security model:
1. The user requests an action. The relying party (RP) application requests a token.
2. The user presents credentials to the issuing authority that the RP application trusts.
3. After authenticating the user's credentials, the issuing authority issues a signed token containing the claims.
4. The user presents the token to the RP application. The application validates the token signature, extracts the claims, and based on those claims accepts or rejects the request.
But I still can't understand, or find any information about, when data is added to AspNetUserClaims and in what cases this table is used?
When you do not use role-based security and choose claims-based security instead, you need to make use of the AspNetUserClaims table. For how to use claims in ASP.NET Identity, see the link below for more information.
http://kevin-junghans.blogspot.com/2013/12/using-claims-in-aspnet-identity.html
Update
When should role-based security be used and when claims-based security? Could you write a few examples?
There is no very clear-cut case in which you would or would not use role-based or claims-based security, unlike a situation where you would use A instead of B.
However, claims-based access control allows a better separation of authorization rules from the core business logic. When the authorization rules change, the core business logic is not affected. There will be cases where you might prefer to use the claims-based approach.
Sometimes claims aren't needed. This is an important disclaimer. Companies with a host of internal applications can use Integrated Windows Authentication to achieve many of the benefits provided by claims. Active Directory does a great job of storing user identities, and because Kerberos is a part of Windows, your applications don't have to include much authentication logic. As long as every application you build can use Integrated Windows Authentication, you may have already reached your identity utopia. However, there are many reasons why you might need something other than Windows authentication. You might have web-facing applications that are used by people who don't have accounts in your Windows domain. Another reason might be that your company has merged with another company and you're having trouble authenticating across two Windows forests that don't (and may never) have a trust relationship. Perhaps you want to share identities with another company that has non-.NET Framework applications or you need to share identities between applications running on different platforms (for example, the Macintosh). These are just a few situations in which claims-based identity can be the right choice for you.
For more information, visit http://msdn.microsoft.com/en-us/library/ff359101.aspx
Just to add to what @Lin said above. I am specifically referring to the following question:
When should role-based security be used and when claims-based security? Could you write a few examples?
I had to add more information to this answer because I did not clearly state the difference between the claims-based authentication model and the role-based authentication model. Based on experience and on the nature of the concepts themselves, as shown and documented in the Microsoft documentation, these two authorization models are often used together; Example 3 below illustrates a case where they are used together. Let's discuss this topic in detail:
Claims-based authorization:
The important thing to note is that, compared with role-based authorization, claims-based authorization is by nature tied to a third party. A claim is information that a third-party application provides to you (your application) which describes the user. That information can be any kind of data. Let's take an example:
Example 1:
Imagine you have a software app that is used to mix songs. This app basically uses songs from Spotify or the YouTube Music platform etc., but it's built in such a way that it has full access to those platforms' music libraries. But this app doesn't require you to sign in with your Spotify or Google account; you basically just register with an email and password. But after you're online, to use music from either Spotify or YouTube Music, you're asked to enter the email address you used to create your Spotify or YouTube Music account. And then the app requests (via web services) your subscription account number from that respective third-party app and stores it as a claim. So, every time you try to access the music when you're online, the app uses the registered claim's policy to check if you have a subscription account and then allows access. The nice thing about this is that the claims are stored with information such as the Issuer, where you store where the claim came from. And that's it. You used a claim, subscriptionAccountNumber, provided by a third party, that describes you on their side. Obviously, this wouldn't be the best model to go about this kind of app, but it's good enough as an example. You're authorizing your user based on some information about them claimed from another third-party application.
Role-based authorization:
This one is already clear. Simply put, you grant a user access based solely on their role.
Example 2:
Imagine an organizational application with users in many different positions. You can assign roles to users based on their position, and grant access to different information based on the user's role. Managers, owners, employees... basically, not all employees can access everything that managers and owners can access. The same applies between managers and owners: managers have no access to some information that belongs only to owners. It's that simple.
Putting them together:
In applications like ERP systems, Claims and Roles are used together to build up a complex authorization model. I will always say that the current Identity framework is so complete that often you don't need unnecessary extensions that disrupt the existing model. Obviously needs may differ, and sometimes breaking the model up could be the only option. When Roles and Claims are used together, Claims serve as Permissions. That is why you have the RoleClaim and UserClaim tables within the model: to allow you to extend the authorization beyond the roles themselves. When claims are used together with Roles, they merely provide access to perform certain actions.
Example 3:
Consider a case where you have a clocking system with a technician and a manager. At the end of every week, the technician must arrange reports with clocking information showing the hours artisans worked for that week, which is consolidated and used by payroll. Such systems often must be amended or corrected before final reports are submitted, because you don't want to overpay or underpay your employees. You can use a role-based approach for the Manager and Technician by creating a Manager role and a Technician role. The Manager role is the one with the ability to access and edit the clocking information of the artisans. On the other hand, you can have the Technician role without the ability to access that information. But here's the interesting part: a manager can make a claim and allow a technician to access the clocking system and make reports. So a claim can be made only for access without edit, or can be made with access and edit capabilities. Remember, only your app understands what your claims mean. They can be named anything, GrantWriteAccess, GrantReadAccess etc.; there's nothing limiting you. After having the claims pre-defined as permissions, all you need to do is associate the claim with the user. In this case the Technician would have both GrantWriteAccess and GrantReadAccess added to their UserClaim table.
This is more like saying: well, by default as the manager I can access some information that my technician can't access. But I am not always around the office. What can I do so that he can still do the work even when I am not around? To solve this, the system can have a feature for managers to create claims (permissions) for people without access to some specific information. We often see this everywhere in our ERP systems: a user without access to some modules, who, when they get promoted, is given permission to more modules of the ERP system, sometimes keeping the same user role, with only some permissions being opened up.
There are two types of authentication in ASP.NET Identity.
Role-based
Claims-based
You can use either one, or both. Use role-based when you have something very well defined. For example, you create two roles, Teacher and Student. Only teachers can add subjects. So you assign the Teacher role to those users whom you want to have access to adding subjects.
Claims-based is more flexible. Suppose you have a requirement that some students can also add subjects. In that case you would have to create a role that is a student and also has access to add subjects. But if you are using claims-based, it is very easy: just create a claim like addSubject and assign it to any user you want to have access to adding subjects.
Here is a fairly simple explanation from the ASP.NET documentation:
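To make the two scenarios concrete (the student granted an addSubject claim here, and the technician granted GrantReadAccess/GrantWriteAccess in the clocking-system example earlier on this page), here is an added C# example that is not from any of the answers: it shows which Identity API call writes a row into AspNetUserClaims as opposed to AspNetRoleClaims, and the policies that consume those claims. It assumes the default IdentityUser and IdentityRole types registered with AddIdentity; the class, policy and controller names are made up for the example.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AuthorizationSetup
{
    // Policies that consume roles and claims. Assumes AddIdentity<IdentityUser,
    // IdentityRole>() was already called, so role claims are copied into the sign-in principal.
    public static void ConfigurePolicies(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Role-based: only members of the Teacher role pass.
            options.AddPolicy("TeachersOnly", p => p.RequireRole("Teacher"));
            // Claims-based: anyone carrying an addSubject claim passes, whatever
            // their role, so a single student can be granted it without inventing a new role.
            options.AddPolicy("CanAddSubject", p => p.RequireClaim("addSubject", "true"));
            // A claim used purely as a permission, as in the clocking-system example.
            options.AddPolicy("ClockingWrite", p => p.RequireClaim("GrantWriteAccess", "true"));
        });
    }

    // Each call below is what actually inserts a row into an Identity table.
    public static async Task GrantAccessAsync(UserManager<IdentityUser> userManager,
        RoleManager<IdentityRole> roleManager, IdentityUser student, IdentityUser technician)
    {
        // One-off grant to a specific student -> row in AspNetUserClaims.
        await userManager.AddClaimAsync(student, new Claim("addSubject", "true"));
        // Permission attached to a whole role -> row in AspNetRoleClaims; every
        // member of Manager inherits it when their principal is built at sign-in.
        var managerRole = await roleManager.FindByNameAsync("Manager");
        if (managerRole != null)
            await roleManager.AddClaimAsync(managerRole, new Claim("GrantWriteAccess", "true"));
        // Manager delegating to one technician -> two rows in AspNetUserClaims,
        // without changing the technician's role at all.
        await userManager.AddClaimAsync(technician, new Claim("GrantReadAccess", "true"));
        await userManager.AddClaimAsync(technician, new Claim("GrantWriteAccess", "true"));
    }
}

public class SubjectsController : Controller
{
    // Hypothetical action gated by the claims-based policy rather than by role.
    [Authorize(Policy = "CanAddSubject")]
    public IActionResult Add() => Ok();
}
```

Claims added through UserManager or RoleManager only reach the user's cookie on the next sign-in, because the principal is built from the tables at that moment.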
When an identity is created it may be assigned one or more claims issued by a trusted party. A claim is a name value pair that represents what the subject is, not what the subject can do. For example, you may have a driver's license, issued by a local driving license authority. Your driver's license has your date of birth on it. In this case the claim name would be DateOfBirth, the claim value would be your date of birth, for example 8th June 1970 and the issuer would be the driving license authority. Claims based authorization, at its simplest, checks the value of a claim and allows access to a resource based upon that value.
It then gives an example that almost everyone can understand:
For example, if you want to get into a night club, the authorization process might be: the door security officer would evaluate the value of your date-of-birth claim, and whether they trust the issuer (the driving license authority), before granting you access.
So to answer the question "when should I use claims-based security?", the answer is when it's not easy to put people into well-defined roles. For example, in the night club scenario, it's too hard to put customers into roles, so you use claims-based access control based on their age as confirmed by their ID (e.g. a driver's license). However, in that same night club scenario you can use role-based security to control who has access to which rooms (e.g. using key cards for "staff only" rooms). Clearly you can mix claims-based and role-based security depending on the need.
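The night-club check above written as an ASP.NET Core authorization requirement, as an added example that is not code from the answer or from the ASP.NET documentation it quotes. It evaluates both things the doorman evaluates, the claim's value and whether its issuer is trusted. MinimumAgeRequirement, MinimumAgeHandler, Satisfies and the issuer string are assumed names, and the date of birth is assumed to be stored as yyyy-MM-dd.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Requirement: a minimum age, proven by a DateOfBirth claim from a trusted issuer.
public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public string TrustedIssuer { get; }   // assumed placeholder value, set at registration
    public MinimumAgeRequirement(int minimumAge, string trustedIssuer)
    {
        MinimumAge = minimumAge;
        TrustedIssuer = trustedIssuer;
    }
}

public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    // The pure rule, kept separate from the pipeline so it can be unit-tested directly.
    public static bool Satisfies(ClaimsPrincipal user, MinimumAgeRequirement req, DateTime today)
    {
        // Both of the doorman's checks: the claim's value AND who issued it. A claim of
        // the same type from any other issuer (e.g. self-asserted) is simply ignored.
        var dob = user.FindFirst(c => c.Type == ClaimTypes.DateOfBirth
                                      && c.Issuer == req.TrustedIssuer);
        if (dob == null) return false;
        if (!DateTime.TryParseExact(dob.Value, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                    DateTimeStyles.None, out var birthDate)) return false;
        var age = today.Year - birthDate.Year;
        if (birthDate.Date > today.Date.AddYears(-age)) age--; // birthday not yet reached this year
        return age >= req.MinimumAge;
    }

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   MinimumAgeRequirement requirement)
    {
        if (Satisfies(context.User, requirement, DateTime.UtcNow))
            context.Succeed(requirement);
        // Deliberately no context.Fail(): another handler (e.g. a Staff role) may still succeed.
        return Task.CompletedTask;
    }
}

// Registration, e.g. in Program.cs. The issuer string is an assumed placeholder.
// builder.Services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
// builder.Services.AddAuthorization(o => o.AddPolicy("Over18", p =>
//     p.Requirements.Add(new MinimumAgeRequirement(18, "https://licensing-authority.example"))));
```

A Claim constructed without an explicit issuer carries the default issuer "LOCAL AUTHORITY", so a claim stored via AspNetUserClaims only passes this check if the issuer was set when the claim was created.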