I'm using Forms authentication and I would like to make use of roles, can I somehow set the role of the user without Membership ?
+1
A:
Do you mean "without using ASP.NET's standard Membership implementation"?
If so, then yes, you can by implementing your own Membership and/or Roles provider. See here and here for details about how to implement a Membership/Roles provider.
M4N
2010-02-17 16:15:52
actually, I would like to do that without implementing asp.net Membership, I just need one simple thing: to set the user's role, but Membership has a lot of stuff
Omu
2010-02-17 16:21:45
@Omu: IIRC you only have to implement the methods you are actually using. Simply leave the other methods empty.
M4N
2010-02-17 16:43:05
+1
A:
Yes you can.
The only caveat is that roles will not work with an anonymous user (fairly obvious I would have thought) and you'll need some mechanism to set a user's identity (which can be anything you like).
The MSDN article:
contains the following information:
However, role management does not depend on membership. As long as you have a way in your application to set user identity, you can use role management for authorization.
CraigTP
2010-02-17 16:17:27
so I need to implement RoleProvider and set my custom role provider in web.config, after use Roles.AddUserToRole("username", "rolename") , is that correct ?
Omu
2010-02-17 16:34:26
@Omu - Yes, that's what you would have to do. Bear in mind though, that you'll need to persist both the roles and the user object between page requests (as per the comments/conversation on çağdaş's answer) and for the lifetime of the application. This is especially true if your user objects are created purely within code. If you are using a custom role provider (rather than the "built-in" SQL one for example) it may be best to also implement your own custom Membership provider. See: http://www.devx.com/asp/Article/29256 for an example of that.
CraigTP
2010-02-17 21:42:28
+1
A:
You don't need to implement a whole membership provider.
Create your own Principal (which has the IsInRole method) and Identity.
And then make sure your user object (HttpApplication.Context.User) is populated with your principal on each request.
Done. Now the Authorize attribute will be talking to your principal.
çağdaş
2010-02-17 16:23:44
but I'm going to need to store somewhere the logged user like in session and set it on each request (action executing)
Omu
2010-02-17 16:31:51
@Omu, Yes, of course. You're going to have to persist that information somehow.
çağdaş
2010-02-17 16:34:53
well, I could just not use the User.IsInRole at all, and just set Session["role"] ="admin" when I authenticate the user and get it whenever I need it
Omu
2010-02-17 16:37:22
@Omu I guess. I suggested this way because it should work nicely with the built-in Authorize attribute. But of course, if it's going to be too much hassle to make sure this works well with the rest of your application, then obviously this is not the best solution.
çağdaş
2010-02-17 16:45:58
@Omu you can store the roles and the user ID in the authentication cookie. It's quite simple, see my answer.
David G
2010-02-17 16:58:32
+2
A:
A simple way to do it is to store the list of roles in the authentication ticket when the user is authenticated. Then for every request (Application_AuthenticateRequest method of the global.asax file) you extract the roles, add them to a GenericPrincipal object and set the Httpcontext.User property.
Your User.IsInRole("role") and [AuthorizeAttribute(Roles="role")] will then work as normal.
See this answer for code detailing how to do it.
David G
2010-02-17 16:54:28