Hello,


According to my book, if role management is enabled, then RoleManagerModule creates the security context of the user by assigning a RolePrincipal object to HttpRequest.User. But isn't the security context already created (thus a principal object being assigned to HttpContext.User) by FormsAuthenticationModule, which is called prior to RoleManagerModule being called?

I'm asking this because in the following code the principal object assigned to HttpRequest.User already exists, even though RoleManagerModule has not yet been called:


    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated && Roles.Enabled)
        {
            // here we subscribe user to a role via Roles.AddUserToRole()
        }
    }


Thus, is the principal object, created by FormsAuthenticationModule and assigned to HttpRequest.User, later replaced by a RolePrincipal object (created by RoleManagerModule)?


Thanks

+2  A: 

According to this article:

If the Roles framework is enabled, the RoleManagerModule HTTP Module steps in after the FormsAuthenticationModule and identifies the authenticated user’s roles during the PostAuthenticateRequest event, which fires after the AuthenticateRequest event. If the request is from an authenticated user, the RoleManagerModule overwrites the GenericPrincipal object created by the FormsAuthenticationModule and replaces it with a RolePrincipal object. The RolePrincipal class uses the Roles API to determine what roles the user belongs to.

So you're right.

bbmud
Thank you very much
SourceC
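
The replacement described in the answer can be observed from Global.asax by logging the principal at both events. This is an added example, not code from the question or the quoted article; it assumes forms authentication and `<roleManager enabled="true" />` in web.config, and the role name "Admin" is hypothetical. The practical consequence is that role-based decisions belong at PostAuthenticateRequest or later, because the principal seen during AuthenticateRequest carries no role data.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Global.asax handlers run after the modules' handlers for the same event,
    // so FormsAuthenticationModule has already set Context.User here.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        LogPrincipal("AuthenticateRequest");
    }

    // RoleManagerModule does its work during PostAuthenticateRequest, so by
    // the time this handler runs the principal has been swapped.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        LogPrincipal("PostAuthenticateRequest");
    }

    private void LogPrincipal(string stage)
    {
        IPrincipal user = Context.User;

        // Anonymous requests may have no principal yet at AuthenticateRequest.
        if (user == null || !user.Identity.IsAuthenticated)
        {
            Trace.WriteLine(stage + ": no authenticated principal");
            return;
        }

        // Per the quoted article: GenericPrincipal at AuthenticateRequest,
        // RolePrincipal once RoleManagerModule has replaced it.
        bool rolesAvailable = user is RolePrincipal;

        // "Admin" is a hypothetical role name. A GenericPrincipal built
        // without roles cannot answer this question meaningfully, so the
        // result is only trustworthy when rolesAvailable is true.
        bool isAdmin = user.IsInRole("Admin");

        Trace.WriteLine(string.Format(
            "{0}: principal={1}, identity={2}, rolesAvailable={3}, IsInRole(Admin)={4}",
            stage, user.GetType().Name, user.Identity.GetType().Name,
            rolesAvailable, isAdmin));
    }
}
```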