I need to be able to manually authorize my users in my controller.
I get my authentication from an AD, and then in my controller,
I want to map the userID I get from the AD to my application's internal userID.
Grab the userId from the UserRole table and then set it in the controller. However,
I don't know how to set the role in the controller.

I've tried doing this in my home controller:
// GenericPrincipal takes the identity plus an array of role names
HttpContext.User = new System.Security.Principal.GenericPrincipal(User.Identity, new[] { roleName });

roleName is set to "Admin", but this doesn't seem to work as it always fails authorization.

Help please?....

+1  A: 

Assuming you are using [Authorize] on your controller methods, it runs before the action method, so the request never reaches the code you have that sets the role name; the role needs to be set before the controller is called.

Add a method like this to your Global.asax:

// Global.asax.cs; needs: using System; using System.Security.Principal; using System.Threading; using System.Web;
protected void Application_OnPostAuthenticateRequest(Object sender, EventArgs e)
{
    IPrincipal contextUser = Context.User;

    if (contextUser != null && contextUser.Identity.AuthenticationType == "Forms")
    {
        // determine role name for contextUser.Identity.Name (your lookup against the UserRole table, not shown here)
        string roleName = LookupRoleName(contextUser.Identity.Name);

        // attach to context; GenericPrincipal takes the identity plus an array of role names
        HttpContext.Current.User = new GenericPrincipal(contextUser.Identity, new[] { roleName });
        Thread.CurrentPrincipal = HttpContext.Current.User;
    }
}
Clicktricity
Hi Clicktricity, thanks for the reply. I think this won't work since I'm using ADFS to authenticate my users. Because of that, my authentication mode isn't form based, so the "if" statement will always be false. Am I mistaken?
TriFu
Fair enough - just adapt it to your needs. The key is that the current user assignment takes place during PostAuthenticateRequest.
Clicktricity
Wouldn't this method check the user's role every time you try to access certain controllers? Isn't there a way to store the user's role in a session object or cookie of some sort? That way you wouldn't need to always hit the DB for the user's role.
TriFu
It's up to you how you determine the user's role. A cookie would be reasonable, as long as it's encrypted to prevent someone faking it and gaining admin access. You also need to decide how long the cookie persists; otherwise someone who should no longer have admin access could still reach the admin areas.
Clicktricity
Good advice! I was wondering if you had any links or resources you could send me? I have no idea how to go about encrypting a cookie with admin role authentication. Any help would be greatly appreciated.
TriFu
Good question - I suggest you pose that as a separate question so everyone can benefit from the information.
Clicktricity
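Putting the whole thread together, here is an added example (not code from the answer above or from the asker's project) of a Global.asax.cs that assigns the application's roles in PostAuthenticateRequest for a non-Forms (ADFS) identity and caches them in a protected, expiring cookie so the UserRole table is not hit on every request. It assumes the request is already authenticated by ADFS when PostAuthenticateRequest fires, that roles come from a hypothetical UserRoleStore standing in for the UserRole table (its sample data is constructed), and that <machineKey> is configured so FormsAuthentication.Encrypt/Decrypt, which encrypts and MAC-validates the ticket, produces the same result on every server in the farm.

```csharp
// Added example; Global.asax.cs for an ASP.NET MVC app authenticated by ADFS.
// Assumptions: Context.User is already authenticated here but AuthenticationType is not "Forms";
// UserRoleStore is a hypothetical stand-in for the UserRole table; <machineKey> is configured.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public class MvcApplication : HttpApplication
{
    private const string RoleCookieName = "AppRoles";
    // Cached roles stay valid this long. It is also the revocation window: a user whose
    // roles are removed in the DB keeps the old ones until the ticket expires.
    private static readonly TimeSpan RoleCacheLifetime = TimeSpan.FromMinutes(15);

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // anonymous request: leave it alone, [Authorize] rejects it as before

        string userName = current.Identity.Name;
        string[] roles = ReadRoleCookie(userName);
        if (roles == null)
        {
            roles = UserRoleStore.GetRoles(userName); // hypothetical lookup in the UserRole table
            WriteRoleCookie(userName, roles);
        }

        // Keep the ADFS identity (name, AuthenticationType) and add the app's roles.
        // [Authorize(Roles = "Admin")] calls IPrincipal.IsInRole, answered from this array.
        var principal = new GenericPrincipal(current.Identity, roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }

    // Returns the cached roles, or null when there is no cookie or it must not be trusted.
    private string[] ReadRoleCookie(string userName)
    {
        HttpCookie cookie = Request.Cookies[RoleCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return null;

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value); // MAC check: a forged or edited cookie fails here
        }
        catch (Exception)
        {
            return null;
        }

        if (ticket == null || ticket.Expired)
            return null;

        // Bind the cached roles to the user presenting them: a valid ticket copied from
        // another user's browser must not hand over that user's roles.
        if (!string.Equals(ticket.Name, userName, StringComparison.OrdinalIgnoreCase))
            return null;

        return ticket.UserData.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
    }

    private void WriteRoleCookie(string userName, string[] roles)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(RoleCacheLifetime), false, string.Join("|", roles));

        var cookie = new HttpCookie(RoleCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                      // not readable from script
            Secure = Request.IsSecureConnection,  // keep it off plain HTTP
            Expires = ticket.Expiration           // browser drops it once the ticket is stale anyway
        };
        Response.Cookies.Set(cookie);
    }
}

// Hypothetical stand-in for the UserRole table; the sample data is constructed.
public static class UserRoleStore
{
    private static readonly Dictionary<string, string[]> Sample =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", new[] { "Admin", "User" } },
            { @"CORP\bob",   new[] { "User" } },
        };

    public static string[] GetRoles(string userName)
    {
        string[] roles;
        return Sample.TryGetValue(userName, out roles) ? roles : new string[0];
    }
}
```

Two points worth checking when adapting this: the cookie's lifetime is the longest an ex-admin can keep admin access from a cached ticket, so keep it short (and clear the cookie on sign-out or when roles change), and the MAC that stops a client from editing "User" into "Admin" is only as good as the machineKey, which must be explicitly configured and kept out of source control rather than auto-generated per server.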