3

I am trying to store a whole truckload of information about a user from a webservice. As this is information about the currently authenticated user, I thought it would make sense to store that information in a custom IIdentity implementation.

The custom MagicMembershipProvider.GetUser(string id, bool userIsOnline) calls the webservice and returns a MagicMembershipUser instance with all the fields populated (department, phone number, other employee info).

The custom membership provider and custom membership user both work fine.

What and where is the best way to put the membership user information into the IPrincipal User object that is accessible in every controller?

I have been trying to wrap my brain around the program flow of security with IIdentity, IPrincipal and Role authorization in an MVC2 application -- but I'm really struggling here and could use some mentoring. There a Internet Ton of articles about the parts, but not much about the whole.

Edit

My best guess so far is to assign the HttpContext.Current.User in the FormsAuthenticationService:

public void SignIn(string userName, bool createPersistentCookie)
{
  if (String.IsNullOrEmpty(userName)) 
    throw new ArgumentException("Value cannot be null or empty.", "userName");

  try
  {
    FormsAuthentication.SetAuthCookie(userName, createPersistentCookie);
    MagicMembershipUser magicUser = _provider.GetUser("", false) 
      as MagicMembershipUser;
    MagicIdentity identity = new MagicIdentity(userName, magicUser);
    GenericPrincipal principal = new GenericPrincipal(identity, null);

    HttpContext.Current.User = principal;
  }
  catch (Exception)
  {
    throw;
  }

    }
Community
  • 1
  • 1
Scott Baker
  • 10,013
  • 17
  • 56
  • 102

1 Answers1

1

What and where is the best way to put the membership user information into the IPrincipal User object that is accessible in every controller?

In a custom [Authorize] filter implementation. You could override the AuthorizeCore method and call the base method and if it returns true query your membership provider and inject the custom magic identity into the context.

Example:

public class MagicAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (isAuthorized)
        {
            var username = httpContext.User.Identity.Name;
            var magicUser = _provider.GetUser(username, false) as MagicMembershipUser;
            var identity = new MagicIdentity(username, magicUser);
            var principal = new GenericPrincipal(identity, null);
            httpContext.User = principal;
        }
        return isAuthorized;
    }
}

Now all that's left is decorate your base controller with the [MagicAuthorize] attribute.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • I notice there is no instantiation for _provider - why is that? – Scott Baker Jan 21 '11 at 18:40
  • @ScottSEA, this `_provider` variable could be anything which allows you to retrieve authenticated user information. – Darin Dimitrov Jan 21 '11 at 18:45
  • So would it be safe to instantiate it here in this method? ... and for some reason I am getting an error that says there is "no suitable method found to override" for AuthorizeCore(HttpContextBase httpContext) – Scott Baker Jan 21 '11 at 18:57
  • That's strange. I have no idea. If you press F12 over AuthorizeAttribute do you see the method? – Darin Dimitrov Jan 21 '11 at 19:01
  • Upon some searching, I have found that it might have something to do with the fact that I have the MagicAuthorizeAttribute class in a Class Library Project (I'm trying to make this functionality reusable throughout the company) - but I have not a clue how to fix it. I do have a `using` directive for System.Web and System.Web.Mvc - when I type "override" intellisense pops up a box of `AuthorizeAttribute` methods for me to choose from. (I am using .net 4.0 framework) – Scott Baker Jan 21 '11 at 19:17
  • I ended up having to add a reference to `System.Web.Abstractions` to my Class Project. – Scott Baker Jan 21 '11 at 19:37