0

I'm trying to use Roles for my forms authentication. I've got the global.asax Application_AuthenticateRequest method getting the roles from the cookie, and that works fine. But I don't know what provider to configure in Web.config. I don't want to use SQL Server, just the cookie.

This line creates the IPrincipal (roles is a string array with the roles):

Context.User = new GenericPrincipal(Context.User.Identity, roles); 

The end goal is to get DataAnnotations like [Authorize(Roles = "Admin")] and the IsInRole method working.

Also, the IsInRole method works fine when used in the global.asax but not elsewhere. Why not?

Web.config is configured as such for now:

<roleManager defaultProvider="DefaultRoleProvider" cacheRolesInCookie="true">

and the DefaultProvider is sadly connected to some empty SQL db for no real reason.

Is this even possible?

Thanks.

Michael
  • Getting the roles from the cookie using the code from the second answer here: http://stackoverflow.com/questions/1385042/asp-net-mvc-forms-authentication-authorize-attribute-simple-roles – Michael Apr 07 '12 at 06:20
  • Turns out a bug in Visual Studio or something was causing the problem. The code from the post I noted above works as is, when there's nothing wrong with the web application. – Michael Apr 09 '12 at 22:32

3 Answers

0

A better alternative might be to use the ASP.NET XmlProviders. (No Database)

Or, if you just don't want to have a SQL Service Instance but want the advantages of having some type of database, use ErikJ's Sql CE MembershipProvider/RoleProviders. (The blog mentions that CE 4.0 is not ready for production, but that was long ago, and it can be used in smaller production environments now.)

UPDATE

You could certainly roll your own AuthorizeAttribute and override OnAuthorize on a derived authorize attribute class.

Erik Philips
  • Both of these seem like overkill to me, don't they? I'm just trying to use the role already in the Principal. Isn't there a simple solution already in ASP.NET? – Michael Apr 07 '12 at 05:40
  • Nope. Without a user/membership that have assigned roles, how would you know who is in what role? I'm not a fan of recreating a wheel that works well. I've personally used the CE version in smaller websites without issue, and get the full benefit of the providers (less working on login stuff, more work on actual client needs). – Erik Philips Apr 07 '12 at 05:43
  • Your update might be the way to go, but I'm not sure how to proceed. Also, when I use the method IsInRole within the global.asax, it works! But it doesn't when used elsewhere. What can be wrong? – Michael Apr 07 '12 at 06:02
0

You don't need your own provider based on what you've said. So you can read and simply set in authenticaterequest.

Now the question is where do you want to store them. How do you want to store them? Will you only set them in the cookie? Surely there is some persisted store you want to keep them in; otherwise, when the cookie is gone, how do you refresh their roles?

Adam Tuliper
  • I don't need a store; if the cookie expires, the user is out anyway. When they log in again, they'll get a new cookie with the role data. What can I do with authenticaterequest? – Michael Apr 07 '12 at 06:04
  • When I create the cookie for the user, it has the role in it, and the Application_AuthenticateRequest retrieves it. I use the code from the second answer to this post: http://stackoverflow.com/questions/1385042/asp-net-mvc-forms-authentication-authorize-attribute-simple-roles – Michael Apr 07 '12 at 06:18
  • Where do you store your role? How does your code know which role to add to the cookie? – Adam Tuliper Apr 09 '12 at 18:01
0

Why don't you just use the built-in role provider and specify that roles be cached in the cookie, thus you only have a single database call on login, and after that they're stored in a cookie automatically.

<roleManager defaultProvider="DefaultRoleProvider" cacheRolesInCookie="true">
Erik Funkenbusch
  • That's already what I'm doing, that's how my web.config looks. But it doesn't work :( – Michael Apr 07 '12 at 06:05
  • Because I'm getting 'false' for the IsInRole method, and Authorize with Roles DataAnnotations doesn't work either. – Michael Apr 07 '12 at 06:21