tags:

views:

283

answers:

2
+4  Q: 

ASP.Net MVC Memberships

I want to use the the AuthorizeAttribute to control which users are allowed access to my actions. I just want to clarify that my logic is in order.

  1. I create my own implementation of IPrincipal
  2. I post a user's credentials to a login action of a security controller.
  3. I validate the credentials with a UserService class and assign the IPrincipal returned from my UserService class to HttpContext.User
  4. My WebAuthorizeAttribute, which inherits AuthorizeAttribute, checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine if the user has access to the action.

Is the the normal flow of things? I know I could inherit MembershipProvider, but I don't need all of the functionality there, really just the ability to login with two different roles.

+3  A: 

You'll have to store IPrincipal somewhere and restore it with every request. If you'll use FormsAuthentication, this is good solution:

ASP.NET 2.0 Forms authentication - Keeping it customized yet simple

you can find other solutions here:

http://stackoverflow.com/questions/1821412/where-to-store-logged-user-information-on-asp-net-mvc-using-forms-authentication/1821560#1821560

and propably in many other StackOverflow questions:)

EDIT

About MyBusinessLayerSecurityClass.CreatePrincipal(id, id.Name):

You should read this page:

http://msdn.microsoft.com/en-us/library/aa480476.aspx

Specially this:

The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. You should allow forms authentication to manage these tasks for you. If your applications have specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event. The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects. Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext. User property.

FormsIdentity is managed automatically after you set authentication cookie. All you have to do is wrap it up in your IPrincipal. All this happens when HttpContext.Current.User property is not null (it is GenericPrincipal, which you replace shortly after). When HttpContext.Current.User is null then there was no authentication cookie created earlier and user is not authenticated.

LukLed  2009-12-01 23:32:25
I've read a lot of the questions and outside blogs but none really seem to put this whole part into context.
scottm  2009-12-01 23:56:13
could you explain the MyBusinessLayerSecurityClass.CreatePrincipal(id, id.Name) portion. i don't understand how you get a FormsIdentity if the the HttpContext.Current.User property is null.
scottm  2009-12-02 02:12:26
+2  A: 

I believe the following is more typical:

  1. I create my own implementation of IPrincipal
  2. I post a user's credentials to a login action of a security controller.
  3. I validate the credentials with a UserService class and construct a cookie that has some identifying information for this user. Typically FormsAuthentication.SetAuthCookie or some combination of that class's utility methods are used.
  4. In the Application AuthenticateRequest event, inspect the cookie and assign Context.User. Note: This value is automatically assigned to Thread.CurrentPrincipal after the AuthenticateRequest event. This is a one-time assignment and these values are not automatically synchronized thereafter.
  5. My WebAuthorizeAttribute, which inherits AuthorizeAttribute, checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine if the user has access to the action.
gWiz  2009-12-02 00:03:29
+1: That is what I do too. My post explains how to inspect the cookie.
LukLed  2009-12-02 00:14:10
excellent, thanks for the input
scottm  2009-12-02 01:56:27

related questions

Store user id in Principal or Identity? ASP.Net/OpenID.
Converting Single DB ASP.NET Site into MultiTenant - Membership and Roles Dilema
customize asp.net membership by changing "userid" type to integer
ASP Membership cannot handle encrypted connection strings in web.config
what is the best way to make some pages in asp.net require login?
Looking for a Yahoo Groups (CMS) replacement
Why should I Use ASP.NET Membership security model?
ASP.NET: Does implementing a custom MembershipProvider class needs you to implement a custom Membership class too?
How to set the Principal in an ASP.Net app
How can you test if an ASP.NET membership password will meet configured complexity requirements?
ExpressionEngine Multiple Site Manager and Member Groups
Locking out a user in an ASP .Net Custom Membership Provider
ASP.NET Application to authenticate to Active Directory or SQL via Windows Authentication or Forms Authentication
Not using e-mail address in a custom MembershipProvider?
How to get current user in Asp.Net MVC
programmatic login with .net membership provider
ASP.NET Forms Authentication With Only UserName
Unit test Custom membership provider with NUnit throws null reference error
How to access UserId in ASP.NET Membership without using Membership.GetUser() ?
How can I wire users with their respective folders in ASP.NET?
Grabbing Users with a specific value in their profile
How do you pass an authenticaticated session between app domains
What's the best way to authenticate over WCF?
Memcached chunk limit
ASP.NET Site Maps