Where do I set roles within AuthorizeServices of MVC.NET?

Question

I don't know what I am missing, and I don't know what else to read to get it right. I will try this gray question to see if I get closer to the solution. I am building a .NET MVC application.

This application is authenticating with OpenID using DotNetOpenAuth Library, all that is working ok. Once a user is authenticate I rebcord the openid token in the database and create call the forms authentication like below.

            FormsAuthentication.SetAuthCookie(confirmedUser.OpenID, false);

After that this user pass all authorize attribute in my code. Like below:

    [Authorize]
    public ActionResult About()
    {
        return View();
    }

I don't know where to set the roles for a specific user. I am not using the Membership services.

I need to get working the attributes like below:

    [Authorize(Roles="Administrator")]
    public ActionResult About()
    {
        return View();
    }

Answer 1

I'm still learning this stuff as well, but you probably need to create a custom authorization attribute. Check this out.

Answer 2

First of all, good for you for not using a membership provider. That just doesn't work well with OpenID.

To make roles work without a membership provider, you need to implement your own class that derives from System.Web.Security.RoleProvider. It's completely departed from authentication, which makes it easy for you. You just need to store with each of your users in your database which roles they belong to, and then your RoleProvider interacts with that database.

Once you write your role provider class, wire it up with this in your web.config file. This snippet should appear within your system.web section.

<roleManager enabled="true" defaultProvider="Database">
 <providers>
  <add name="Database" type="MyRoleProvider" />
 </providers>
</roleManager>

Here's one role provider I wrote for an OpenID web application. It's written using Linq to Entities, but you can get the idea and implement it to work against your database.

public class MyRoleProvider : RoleProvider {
 public override string ApplicationName {
  get { throw new NotImplementedException(); }
  set { throw new NotImplementedException(); }
 }

 public override void AddUsersToRoles(string[] usernames, string[] roleNames) {
  var users = from token in Global.DataContext.AuthenticationToken
     where usernames.Contains(token.ClaimedIdentifier)
     select token.User;
  var roles = from role in Global.DataContext.Role
     where roleNames.Contains(role.Name, StringComparer.OrdinalIgnoreCase)
     select role;
  foreach (User user in users) {
   foreach (Role role in roles) {
    user.Roles.Add(role);
   }
  }
 }

 public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) {
  var users = from token in Global.DataContext.AuthenticationToken
     where usernames.Contains(token.ClaimedIdentifier)
     select token.User;
  var roles = from role in Global.DataContext.Role
     where roleNames.Contains(role.Name, StringComparer.OrdinalIgnoreCase)
     select role;
  foreach (User user in users) {
   foreach (Role role in roles) {
    user.Roles.Remove(role);
   }
  }
 }

 public override void CreateRole(string roleName) {
  Global.DataContext.AddToRole(new Role { Name = roleName });
 }

 /// <summary>
 /// Removes a role from the data source for the configured applicationName.
 /// </summary>
 /// <param name="roleName">The name of the role to delete.</param>
 /// <param name="throwOnPopulatedRole">If true, throw an exception if <paramref name="roleName"/> has one or more members and do not delete <paramref name="roleName"/>.</param>
 /// <returns>
 /// true if the role was successfully deleted; otherwise, false.
 /// </returns>
 public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) {
  Role role = Global.DataContext.Role.SingleOrDefault(r => r.Name == roleName);
  if (role == null) {
   return false;
  }

  if (throwOnPopulatedRole && role.Users.Count > 0) {
   throw new InvalidOperationException();
  }

  Global.DataContext.DeleteObject(roleName);
  return true;
 }

 /// <summary>
 /// Gets an array of user names in a role where the user name contains the specified user name to match.
 /// </summary>
 /// <param name="roleName">The role to search in.</param>
 /// <param name="usernameToMatch">The user name to search for.</param>
 /// <returns>
 /// A string array containing the names of all the users where the user name matches <paramref name="usernameToMatch"/> and the user is a member of the specified role.
 /// </returns>
 public override string[] FindUsersInRole(string roleName, string usernameToMatch) {
  return (from role in Global.DataContext.Role
    where role.Name == roleName
    from user in role.Users
    from authTokens in user.AuthenticationTokens
    where authTokens.ClaimedIdentifier == usernameToMatch
    select authTokens.ClaimedIdentifier).ToArray();
 }

 public override string[] GetAllRoles() {
  return Global.DataContext.Role.Select(role => role.Name).ToArray();
 }

 public override string[] GetRolesForUser(string username) {
  return (from authToken in Global.DataContext.AuthenticationToken
    where authToken.ClaimedIdentifier == username
    from role in authToken.User.Roles
    select role.Name).ToArray();
 }

 public override string[] GetUsersInRole(string roleName) {
  return (from role in Global.DataContext.Role
    where string.Equals(role.Name, roleName, StringComparison.OrdinalIgnoreCase)
    from user in role.Users
    from token in user.AuthenticationTokens
    select token.ClaimedIdentifier).ToArray();
 }

 public override bool IsUserInRole(string username, string roleName) {
  Role role = Global.DataContext.Role.SingleOrDefault(r => string.Equals(r.Name, roleName, StringComparison.OrdinalIgnoreCase));
  if (role != null) {
   return role.Users.Any(user => user.AuthenticationTokens.Any(token => token.ClaimedIdentifier == username));
  }

  return false;
 }

 public override bool RoleExists(string roleName) {
  return Global.DataContext.Role.Any(role => string.Equals(role.Name, roleName, StringComparison.OrdinalIgnoreCase));
 }
}