问题描述
我正在使用 WindowsTokenRoleProvide
r 来确定 ASP.NET Web 应用程序中的 Active Directory 组成员身份.
I'm using WindowsTokenRoleProvide
r to determine Active Directory group membership in an ASP.NET web application.
我的问题是性能不好,尤其是当用户在多个组中时.例如,我在 253(!) 个组中,WindowsTokenRoleProvider
需要大约 150 秒来确定我在哪些组中.
My problem is that performance is not good, especially when a user is in many groups. As an example, I am in 253(!) groups, and WindowsTokenRoleProvider
is taking around 150 seconds to determine what groups I am in.
我知道我可以使用缓存,这样就不会在对用户的后续请求中执行此操作,但显然在第一次点击时花费这么长时间是不可接受的.
I know I can use caching so that this isn't done on subsequent requests for a user, but obviously it isn't acceptable to take that long on the first hit.
我有哪些选择?我可以强制 WindowsTokenRoleProvider
只考虑某些组吗?(我只对 5 个感兴趣).
What are my options? Can I force WindowsTokenRoleProvider
to only consider certain groups? (I'm only interested in 5).
推荐答案
一些测试表明我的问题是调用:
Some testing has revealed that my problem is that calling:
Roles.IsUserInRole(groupName)
正在访问 RoleProvider
中的方法 GetRolesForUser
- 该方法检索用户所属的每个角色的详细信息.
is accessing the method GetRolesForUser
in the RoleProvider
- which is retrieving details of every role the user is a member of.
但是打电话:
Roles.Provider.IsUserInRole(groupName)
确定用户是否在组中 - 无需检索用户所在的每个角色的详细信息.
determines whether or not the user is in the group - without retrieving the details of every role the user is in.
很奇怪,但看起来使用 Roles.Provider.IsUserInRole
可以解决我的问题.
Weird, but it looks like using Roles.Provider.IsUserInRole
will solve my problem.
* 更新 *
事实证明,这只是部分解决方法;如果我使用命令式权限检查,或者在 web.comfig 中使用允许"和拒绝",那么 WindowsTokenRoleProvider
仍然会继续并且 缓慢 获取用户所属的每个组的详细信息:o(
It turns out that this is just a partial workaround; if I use imperative permission checks, or 'allow' and 'deny' in web.comfig, then WindowsTokenRoleProvider
still goes and slowly gets details of every group the user is a member of :o(
所以我的问题仍然存在......
So my question still stands...
* 更新 *
我通过创建一个从 WindowsTokenRoleProvider 扩展并覆盖 GetRolesForUser
的类解决了这个问题,因此它只检查配置中指定的角色的成员资格.它也包括缓存:
I solved this by creating a class that extends from WindowsTokenRoleProvider and overriding GetRolesForUser
so it only checks for membership of roles specified in the configuration. It includes caching too:
/// <summary>
/// Retrieve the list of roles (Windows Groups) that a user is a member of
/// </summary>
/// <remarks>
/// Note that we are checking only against each system role because calling:
/// base.GetRolesForUser(username);
/// Is _very_ slow if the user is in a lot of AD groups
/// </remarks>
/// <param name="username">The user to check membership for</param>
/// <returns>String array containing the names of the roles the user is a member of</returns>
public override string[] GetRolesForUser(string username)
{
// Will contain the list of roles that the user is a member of
List<string> roles = null;
// Create unique cache key for the user
string key = String.Concat(username, ":", base.ApplicationName);
// Get cache for current session
Cache cache = HttpContext.Current.Cache;
// Obtain cached roles for the user
if (cache[key] != null)
{
roles = new List<string>(cache[key] as string[]);
}
// Was the list of roles for the user in the cache?
if (roles == null)
{
roles = new List<string>();
// For each system role, determine if the user is a member of that role
foreach (SystemRoleElement role in WebConfigSection.Settings.SystemRoles)
{
if (base.IsUserInRole(username, role.Name))
{
roles.Add(role.Name);
}
}
// Cache the roles for 1 hour
cache.Insert(key, roles.ToArray(), null, DateTime.Now.AddHours(1), Cache.NoSlidingExpiration);
}
// Return list of roles for the user
return roles.ToArray();
}
这篇关于WindowsTokenRoleProvider 的性能不佳的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!