Check this thread from a week or two ago about this very thing.

http://discuss.develop.com/archives/wa.exe?A2=ind0204a&L=dotnet&F=&S=&P=54


-----Original Message-----
From: Howard Pinsley
To: [EMAIL PROTECTED]
Sent: 4/11/02 3:07 PM
Subject: [DOTNET] Question about Jeff Prosise's Article on ASP.NET Security

I just read Jeff Prosise's excellent article on ASP.NET security. I had one question about doing forms authentication using a database of users and roles. His code sample uses a technique that appears to require looking up a user's role in the database for each page request -- as opposed to somehow assigning it in the "loginUrl" page.

So, although the following code works...

//From login.aspx (code-behind)
using System.Web.Security;

private void CtlLoginBtn_Click(object sender, System.EventArgs e) {
     //get username/password from form and validate from database
     //(username holds the validated user name; the lookup itself is not shown)
     //Issue the non-persistent forms-auth ticket and return to the page originally requested
     FormsAuthentication.RedirectFromLoginPage(username, false);
}

//From global.asax (code-behind)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
     HttpApplication app = (HttpApplication) sender;

     //Runs once per request: only act once forms auth has already established an identity
     if ((app.Request.IsAuthenticated) && (app.User.Identity is FormsIdentity)) {
          FormsIdentity Identity = (FormsIdentity) app.User.Identity;
          //Look up proper role for user.  For now, test with "Alumni"
          GenericPrincipal p =
               new GenericPrincipal(Identity, new String[] { "Alumni" });
          //Assign the new principal which now is in the right role
          app.Context.User = p;
     }
}

I would think there would be a way to assign the role (I'm testing with "Alumni") in the CtlLoginBtn_Click method and have that persist in the principal associated with the session. But I tried to move the resetting of the principal (with the new role) out of the Application_AuthenticateRequest into CtlLoginBtn_Click, but it didn't work.

Since Application_AuthenticateRequest appears to be called once per page, I then hoped that I could simply check if the user was already in a role and skip the db lookup. But alas, the principal returned within the handler was not associated with any roles -- so that didn't work either.

So is it really necessary to assign the roles for each request? I hope I'm missing something.

Any insight?

TIA

You can read messages from the DOTNET archive, unsubscribe from DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
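An added example (my own code, not from the article or from the post above) of the usual way to avoid the per-request database lookup the question describes: look the roles up once at login, carry them in the UserData field of the forms-authentication ticket, and rebuild the principal from the ticket in Application_AuthenticateRequest. Assumes a hypothetical LookupRoles(username) method that queries the users/roles database, and a textbox control named CtlUserName; the ticket must be encrypted and validated (protection="All" on the <forms> element) so the client cannot edit its own roles, and cached roles stay as they were at login until the ticket expires, so keep the timeout short.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// login.aspx code-behind: issue the ticket with the user's roles in UserData.
private void CtlLoginBtn_Click(object sender, EventArgs e)
{
    string username = CtlUserName.Text;              // hypothetical textbox; validate the password first
    string roles = String.Join(",", LookupRoles(username)); // hypothetical DB lookup, e.g. "Alumni"

    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                            // ticket version
        username,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),  // short expiry: roles cached here are not refreshed until re-login
        false,                        // not persistent
        roles);                       // UserData is inside the encrypted and MAC-protected ticket

    string encrypted = FormsAuthentication.Encrypt(ticket);
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encrypted));
    Response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));
}

// global.asax code-behind: rebuild the principal from the ticket, no database hit per request.
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication) sender;
    HttpCookie cookie = app.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (cookie == null) return;                     // anonymous request

    FormsAuthenticationTicket ticket;
    try
    {
        ticket = FormsAuthentication.Decrypt(cookie.Value);
    }
    catch (Exception)
    {
        return;                                     // tampered or undecryptable cookie: stay anonymous
    }
    if (ticket == null || ticket.Expired) return;   // stale ticket: stay anonymous

    string[] roles = ticket.UserData.Split(',');
    app.Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
}
```

Context.User is set per request, which is why a principal assigned only in the login click handler does not carry over; the ticket cookie is what survives between requests.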
