3

Using EF DbContext wrapped in interface(s), dependency injected per web request, to make sure the entire request deals with the same context. Also have a custom RoleProvider which consumes the DbContext by interface to customize authorization services.

Until now I have been using service locator pattern to resolve the DbContext instance in the custom RoleProvider's no-arg constructor. This has caused some minor issues because the RoleProvider is singletonish, so it may hold onto a DbContext indefinitely whereas other requests may want to dispose of it during Application_EndRequest.

I now have a solution based on this, though using a different ioc container than windsor. I can use DI to new up a custom RoleProvider instance for each http request.

My question is, should I?

Having an open DbContext hanging off the RoleProvider seems wasteful. On the other hand, I know every MVC AuthorizeAttribute hits the RoleProvider (if it has a non-null Roles property, which most of ours do) so I suppose it could be useful to already have a DbContext in waiting.

The alternative would be to inject a different DbContext for the RoleProvider that is not per web request. This way the DbContexts that live only for the web request can be disposed at the end, without affecting the singletony RoleProvider.

Is either approach better, and why?

Update after comments

Steven, this is essentially what I did. The only difference is that I don't take a dependency on System.Web.Mvc.DependencyResolver. Instead, I basically have the same exact thing in my own project, just named differently:

public interface IInjectDependencies
{
    object GetService(Type serviceType);
    IEnumerable<object> GetServices(Type serviceType);
}

public class DependencyInjector
{
    public static void SetInjector(IInjectDependencies injector)
    {
        // ...
    }

    public static IInjectDependencies Current
    {
        get
        {
           // ...
        }
    }
}

These classes are part of the project's core API, and are in a different project than MVC. This way, that other project (along with the domain project) don't need to take a dependency on System.Web.Mvc in order to compile against its DependencyResolver.

Given that framework, swapping out Unity with SimpleInjector has been painless so far. Here is what the multipurpose singleton RoleProvider setup looks like:

public class InjectedRoleProvider : RoleProvider
{
    private static IInjectDependencies Injector 
        { get { return DependencyInjector.Current; } }

    private static RoleProvider Provider 
        { get { return Injector.GetService<RoleProvider>(); } }

    private static T WithProvider<T>(Func<RoleProvider, T> f)
    {
        return f(Provider);
    }

    private static void WithProvider(Action<RoleProvider> f)
    {
        f(Provider);
    }

    public override string[] GetRolesForUser(string username)
    {
        return WithProvider(p => p.GetRolesForUser(username));
    }

    // rest of RoleProvider overrides invoke WithProvider(lambda)
}

Web.config:

<roleManager enabled="true" defaultProvider="InjectedRoleProvider">
    <providers>
        <clear />
        <add name="InjectedRoleProvider" type="MyApp.InjectedRoleProvider" />
    </providers>
</roleManager>

IoC Container:

Container.RegisterPerWebRequest<RoleProvider, CustomRoleProvider>();

As for CUD, there is only 1 method implemented in my CustomRoleProvider:

public override string[] GetRolesForUser(string userName)

This is the only method used by MVC's AuthorizeAttribute (and IPrincipal.IsInRole), and from all other methods, I simply 

throw new NotSupportedException("Only GetRolesForUser is implemented.");

Since there are no role CUD ops on the provider, I am not worried about transactions.

Community
  • 1
  • 1
danludwig
  • 46,965
  • 25
  • 159
  • 237
  • Can you implement your own `RoleService` and not use the `RoleProvider`? The `RoleProvider` is not very IOC friendly. – Dismissile Mar 22 '12 at 19:18
  • @Dismissile I'm trying to keep things as simple as possible. I wouldn't know where to start as far as plugging the RoleService into `IPrincipal.IsInRole(string)`. It wasn't difficult to wrap it and control its lifetime using the link in my question. What I want to know now is, which lifetime should I use. – danludwig Mar 22 '12 at 19:31
  • Are you doing Windows Authentication or Forms Authentication? Are you using the built in ASP.net Membership database? If you're using either Windows or the standard Membership database then it's probably not as easy. If you're storing users/roles in your own database schema then it's probably not much harder than querying that table for a specific user to see which roles they are in. – Dismissile Mar 22 '12 at 19:43
  • @Dismissile it's FormsAuthentication. I do use the standard MembershipProvider, only the RoleProvider is custom. Basically I just store user passwords in the SqlMembershipProvider, and use it for authentication. All auhorization rules & data, however, come from custom tables in the app db (not the same db as SqlProviders). – danludwig Mar 22 '12 at 20:04
  • You can build your own `SimpleInjectorRoleProvider`, which look quite much like that of Windsor. But... Wouldn't it be better you use a general `DependencyResolverRoleProvider` that uses the static `System.Web.Mvc.DependencyResolver.Current` property. This way your provider is oblivious of the used container and it allows you to swap containers later on. There is only one catch though; the `IDependencyResolver` interface does not have a `Release` method, which makes it probably unsuited to be used with Windsor (although it will work fine with Simple Injector, StructureMap, Unity, and Autofac). – Steven Mar 22 '12 at 21:40
  • Another question: Should you inject an web request-scoped `DbContext` into your custom role provider? Doing this will mean that the `RoleProvider` operations run in the same transaction as the rest of the request. You need to think about this before hand, because you need to know whether an CUD operation should explicitly commit the `DbContext` or not. If it should run in its own little scope, perhaps it is better to inject an `IDbContextFactory` into your custom role provider. – Steven Mar 22 '12 at 21:43
  • 1
    Instead of defining your own `IInjectDependencies`, you can also use the `System.IServiceProvider` interface, which has the same semantics as the `IDependencyResolver.GetService` method. It is part of .NET so reusable to anyone. The Simple Injector `Container` class implements `IServiceProvider`, so it can directly be passed to your `SetInjector(IServiceProvider)` method. – Steven Mar 23 '12 at 08:21
  • One note about the `IServiceProvider`. It is a good interface, but almost all Common Service Locator adapters [implement it incorrectly](http://commonservicelocator.codeplex.com/discussions/44293#post564134) and are useles as `IServiceProvider` implementations. Please be aware of that. – Steven Mar 23 '12 at 13:13
  • @Steven, I also noticed `IServiceProvider` doesn't define a default method for returning multiply-registered services, like `IDependencyResolver` does. I may keep `IInjectDependencies` just to define `IEnumerable GetServices(Type serviceType)`, and extend `IServiceProvider` for the other `GetService` method. – danludwig Mar 23 '12 at 14:14
  • 1
    You can do `(IEnumerable)serviceProvider.GetService(typeof(IEnumerable))` to get a collection of things with the service locator. – Steven Mar 23 '12 at 14:21

1 Answers1

3

Take a look at the Griffin.MvcContrib project. It contains a MembershipProvider and RoleProvider implementation that make use of the MVC DependencyResolver.

You can configure the RoleProvider like this:

<roleManager enabled="true" defaultProvider="MvcRoleManager">
  <providers>
    <clear />
    <add name="MvcRoleManager" 
      type="Griffin.MvcContrib.Providers.Roles.RoleProvider, Griffin.MvcContrib"
    />
  </providers>
</roleManager>

It makes use of the System.Web.MVC DependencyResolver class so you need to configure an IDependencyResolver implementation for the DI container you are using. With Simple Injector (and the SimpleInjector.MVC3 integration NuGet package), you need the following configuration in your Application_Start event:

container.RegisterAsMvcDependencyResolver();

The Griffin.MvcContrib.Providers.Roles.RoleProvider takes a dependency on a IRoleRepository which is defined in the same assembly. Instead of having to implement a complete role provider you can now just implement the IRoleRepository and register it in your container:

container.Register<IRoleRepository, MyOwnRoleRepository>();

You can find this project here on NuGet.

UPDATE

And now let's answer the question:

The Griffin.MvcContrib RoleProvider will be singleton, and the question now moves to the IRoleRepository and its dependencies, but the question indeed still remains.

If all you do is read from the Role Provider (never update the database); in that case it doesn't matter which lifetime you choose, as long as you don't reuse the same DbContext over threads.

However, when you do use the role provider to update the database, things get different. In that case I would give it its own context, and let it explicitly commit it after each operation. Because if you don't, who is going to commit those changes? When running in the context of a Command Handler (and especially a TransactionCommandHandlerDecorator), the operation will be committed after the command succeeded and rolled back when the command failed. Perhaps it is fine to roll that change back when the command failed. But when the role provider runs outside the context of a command handler, who is going to commit it? I'm sure you will be able to solve this, but I believe you end up with a system that is hard to grasp and it will dazzle other developers who try to find out why those changes didn't commit.

Steven
  • 166,672
  • 24
  • 332
  • 435
  • +1 for the info, I will look into this project. But the question still remains: Is it better to keep the RoleProvider singletony, or to have it recreated for each http context? Maybe it doesn't even matter..? – danludwig Mar 23 '12 at 11:29
  • "If all you do is read from the Role Provider (never update the database); in that case it doesn't matter which lifetime you choose..." Really? Say I register `DbContext` to be per web request, and then dispose of it during `Application_EndRequest`. If `RoleProvider` is singleton, and it uses the per-web-request `DbContext`, it will throw an exception during the second and all subsequent requests, because the DbContext was disposed of after the first request. – danludwig Mar 23 '12 at 14:21
  • Well of course, that would violate one of the first rules of DI: A service should not depend on a service which lifetime is shorter than its own lifetime. The role provider is always a singleton, since it is configured in the configuration file. In that case you should use a abstract factory or a service locator (what the `DependencyResolver` is) to request the dependencies on each method call. This way you ensure you don't use a stale dependency. But still, what lifetime that `DbContext` dependency has, doesn't matter much (as long as you won't reuse the same context over threads). – Steven Mar 23 '12 at 15:27