I just read Jeff Prosise's excellent article on ASP.NET security. I had
one question about doing forms authentication using a database of users and
roles. His code sample uses a technique that appears to require looking up
a user's role in the database for each page request -- as opposed to
somehow assigning it in the "loginUrl" page.
So, although the following code works...
//From login.aspx (code-behind)
using System;
using System.Web.Security;

private void CtlLoginBtn_Click(object sender, System.EventArgs e)
{
    // Get username/password from the form and validate them against the
    // database (lookup omitted in the post; "username" is the validated name).
    // RedirectFromLoginPage issues the forms-auth ticket cookie and redirects
    // to the originally requested page.
    FormsAuthentication.RedirectFromLoginPage(username, false);
}

//From Global.asax
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication) sender;
    // Only act once FormsAuthenticationModule has validated the ticket and
    // attached a FormsIdentity to the request.
    if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
    {
        FormsIdentity identity = (FormsIdentity) app.User.Identity;
        // Look up the proper role for the user. For now, test with "Alumni".
        GenericPrincipal p =
            new GenericPrincipal(identity, new String[] { "Alumni" });
        // Assign the new principal, which now is in the right role
        app.Context.User = p;
    }
}
I would think there would be a way to assign the role (I'm testing with
"Alumni") in the CtlLoginBtn_Click method and have that persist in the
principal associated with the session. But I tried to move the resetting
of the principal (with the new role) out of the
Application_AuthenticateRequest into CtlLoginBtn_Click but it didn't work.
Since Application_AuthenticateRequest appears to be called once per page, I
then hoped that I could simply check if the user was already in a role and
skip the db lookup. But alas the principal returned within the handler was
not associated with any roles -- so that didn't work either.
So is it really necessary to assign the roles for each request? I hope I'm
missing something.
Any insight?
TIA
You can read messages from the DOTNET archive, unsubscribe from DOTNET, or
subscribe to other DevelopMentor lists at http://discuss.develop.com.
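Editor's note with an added example (not code from the post above or from Jeff Prosise's article). The reason roles set in CtlLoginBtn_Click do not survive is that the principal is not stored in session: on every request FormsAuthenticationModule rebuilds HttpContext.User as a fresh GenericPrincipal wrapping a FormsIdentity with no roles, using only the ticket in the cookie. The only thing that persists between requests is the ticket itself, so the usual way to avoid a per-request database lookup is to put the role list into the ticket's UserData field at login and rebuild the principal from it in Application_AuthenticateRequest. This assumes the default <forms protection="All"> setting, under which FormsAuthentication.Encrypt both encrypts and MAC-validates the ticket so the client cannot read or alter the role list; the class name RoleTicketHelper, the 30-minute timeout and the HTTPS-only cookie flag are the editor's choices, not the article's.

```csharp
// Added example: carry roles in the forms-authentication ticket so that
// Application_AuthenticateRequest can rebuild the principal without a
// database hit. Assumes <forms protection="All"> in web.config.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleTicketHelper   // hypothetical helper name
{
    // Login side. Call this from CtlLoginBtn_Click after the username and
    // password have been validated against the database, instead of
    // FormsAuthentication.RedirectFromLoginPage.
    public static void IssueTicketWithRoles(HttpContext ctx, string username, string[] roles)
    {
        // Version 1 ticket, issued now, 30-minute lifetime (assumption),
        // non-persistent, with the role list packed into UserData.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, username, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, String.Join(",", roles), FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the MAC and encrypts under protection="All",
        // so the client can neither read nor change the roles.
        string encrypted = FormsAuthentication.Encrypt(ticket);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = true;   // assumption: the site is served over HTTPS only
        ctx.Response.Cookies.Add(cookie);

        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));
    }

    // Per-request side. FormsAuthenticationModule has already decrypted and
    // validated the ticket before Application_AuthenticateRequest runs, so
    // the roles come straight out of the FormsIdentity with no DB lookup.
    public static GenericPrincipal PrincipalFromTicket(FormsIdentity identity)
    {
        FormsAuthenticationTicket ticket = identity.Ticket;
        string[] roles = (ticket.UserData == null || ticket.UserData.Length == 0)
            ? new string[0]
            : ticket.UserData.Split(',');
        return new GenericPrincipal(identity, roles);
    }
}

// In Global.asax, replacing the per-request lookup from the post:
//
// protected void Application_AuthenticateRequest(Object sender, EventArgs e)
// {
//     HttpApplication app = (HttpApplication) sender;
//     if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
//     {
//         app.Context.User =
//             RoleTicketHelper.PrincipalFromTicket((FormsIdentity) app.User.Identity);
//     }
// }
```

Two caveats a practitioner should weigh before adopting this. The roles are now exactly as stale as the ticket: removing someone from "Alumni" in the database takes effect only when their ticket expires or they log in again, so keep the timeout short or fall back to a database check for any operation where prompt revocation matters. And UserData travels in the cookie, so a long role list runs into the roughly 4 KB browser cookie limit; a handful of role names is fine. (ASP.NET 2.0 later packaged the same idea as the role manager's cacheRolesInCookie setting.)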