tags:

views:

72

answers:

3
+1  Q: 

ASP.NET MVC2 and MemberShipProvider: How well do they go together?

I have an existing ASP.NET application with lots of users and a large database. Now I want to have it in MVC 2. I do not want to migrate, I do it more or less from scratch. The database I want to keep and not touch too much.

I already have my database tables and I also want to keep my LINQ to SQL-Layer. I didn't use a MembershipProvider in my current implementation (in ASP.NET 1.0 that wasn't strongly supported).

So, either I write my own Membershipprovider to meet the needs of my database and app or I don't use the membershipprovider at all.

I'd like to understand the consequences if I don't use the membership provider. What is linked to that? I understand that in ASP.NET the Login-Controls are linked to the provider. The AccountModel which is automatically generated with MVC2 could easily be changed to support my existing logic.

What happens when a user is identified by a an AuthCookie? Does MVC use the MembershipProvider then?

Am I overlooking something? I have the same questions regarding RoleProvider.

Input is greatly appreciated.

+1  A: 

Although you most likely can do this without a custom membership provider, I'm not sure that you save that much effort. Until I read this blog post I thought implementing one was hard, but it's really not. Basically you do this:

  1. Create a class that inherits System.Web.Security.MembershipProvider.
  2. MembershipProvider is an abstract class, so you are readily shown what methods need to be implemented.
  3. The names are pretty self explanatory, so you can probably more or less copy your existing logic.

You might end up doing more than you need with this approach - but on the other hand, anything you might want to use now or in the future that requires a membership provider will already have its needs met.

Tomas Lycken  2010-06-17 20:25:32
+1  A: 

The source of the SQLMembershipProvider is available here http://weblogs.asp.net/scottgu/archive/2006/04/13/442772.aspx. Take that as a base.

It looks a bit much at first, but you only have to implement the methods you need.

Yes the AuthCookie is used. Yes its a good idea to use the MembershipProvider, because it is well known by other developers.

There are thinks I dont like about it: For example It is not possible to have a transaction that spans the creation of a user by the membershipsystem and some other data in your own datbase. But still it works well.

Malcolm Frexner  2010-06-17 20:57:47
Hm, I still would like to understand from where the MembershipProvider is invoked. In which situations ASP.NET/MVC will use the configured membership provider??? Or is it only used when I am explicitly referring to it like in the AccountModel?
Sparhawk  2010-06-17 21:01:34
The Membership provider must be invoked in your code, as you can see in the code generated when you create a new MVC project in VS. The Role provider OTOH is invoked by the built in Authorize attribute. You can create a custom Authorize attribute and bypass Membership/Role provider altogether (see my answer). This is perfectly valid approach if creating a custom Membership/Role provider doesn't fit what you're trying to do.
DSO  2010-06-18 07:01:42
+1  A: 

With MVC it is simple to bypass the Membership and Role provider framework altogether. Sometimes it is easier to do this than to implement custom Membership/Role providers, in particular if your authn/authz model doesn't quite fit the mold of those providers.

First, you should realize that you don't need to write everything from scratch, you can use the core Forms authentication API, which can be used independently of the Membership/Role provider framework:

  • FormsAuthentication.SetAuthCookie - Call this after user has been authenticated, specify the user name
  • Request.IsAuthenticated - Returns true if SetAuthCookie was called
  • HttpContext.Current.User.Identity.Name - Returns the user name specified in the call to SetAuthCookie

So here is what you do in MVC to bypass the Membership/Role provider:

  1. Authentication: In your controller, authenticate the user using your custom logic.If successful, call FormsAuthentication.SetAuthCookie with the user name.

  2. Authorization: Create a custom authorize attribute (deriving from AuthorizeAttribute) . In the AuthorizeCore override, implement your custom authorization logic, taking the user in HttpContext.Current.User.Identity.Name and the roles defined in the Roles property of the AuthorizeAttribute base class. Note you can also define properties on your custom authorization attribute and use that in your authorization logic. For example you can define a property representing roles as enumerated values specific to your app, instead of using the Roles property which is just a string.

  3. Affix your controllers and actions with your custom authorize attribute, instead of the default Authorize attribute.

DSO  2010-06-18 06:55:13

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data