custom principal becomes roleprincipal in pages

Discussion in 'ASP .Net Security' started by mdcxu, Mar 23, 2007.

  1. mdcxu

    mdcxu Guest

    I followed the article "How To: Implement IPrincipal -- J.D. Meier, Alex
    Mackman, Michael Dunner, and Srinath Vasireddy -- November 2002" to implement
    a custom principal. After creating the CustomPrincipalApp exactly as described
    in the article, I changed two things:

    The first is that I use the Membership and Roles classes to do the
    authentication and get all the roles for the logon user in btnLogon_Click,
    see the code below (the original lines are commented out):
    //bool isAuthenticated = IsAuthenticated(txtUserName.Text, txtPassword.Text);
    bool isAuthenticated = Membership.ValidateUser(txtUserName.Text, txtPassword.Text);
    if (isAuthenticated == true)
    {
        //string roles = GetRoles(txtUserName.Text, txtPassword.Text);
        string[] roleArray = Roles.GetRolesForUser(txtUserName.Text);

        string delimiter = "|";
        StringBuilder builder = new StringBuilder();
        foreach (String item in roleArray)
        {
            builder.Append(item);
            builder.Append(delimiter);
        }
        if (builder.Length > 0)
            builder.Length = builder.Length - delimiter.Length;
        string roles = "";
        roles = builder.ToString();

    The second thing I did was to add entries to the web.config file to use
    membership and role database in MS SQL Server 2005 as below:
    <membership defaultProvider="MySQLMembershipProvider">
      <providers>
        <clear/>
        <add name="MySQLMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="CustomPrincipalApp"
             enablePasswordRetrieval="false"
             enablePasswordReset="false"
             requiresUniqueEmail="true"
             requiresQuestionAndAnswer="true"
             minRequiredPasswordLength="1"
             minRequiredNonalphanumericCharacters="0"
             applicationName="CustomPrincipalApp"
             passwordFormat="Hashed"/>
      </providers>
    </membership>
    <roleManager enabled="true" cacheRolesInCookie="true"
                 defaultProvider="MySqlRoleProvider">
      <providers>
        <clear/>
        <add connectionStringName="CustomPrincipalApp"
             applicationName="CustomPrincipalApp"
             name="MySqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider" />
      </providers>
    </roleManager>

    As soon as I did these two things, the CustomPrincipal assigned in the
    Application_AuthenticateRequest event of Global.asax will be changed to
    RolePrincipal at the Page_Load of default.aspx.

    I saw that someone posted the same question some time ago with the same
    problem, and two solutions were provided. The first said to put the code into
    the event Application_PostAuthenticate instead of
    Application_AuthenticateRequest; unfortunately, I do not know why, the event
    Application_PostAuthenticate failed to fire. The second solution said to
    disable the roleManager. If I do that, then the function call
    Roles.GetRolesForUser will fail.

    Can someone help out with this?

    Thanks in advance!
     
    mdcxu, Mar 23, 2007
    #1

  2. RoleManager places the RolePrincipal on Context.User. You can't use RoleManager
    when you are using a custom principal...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    Dominick Baier, Mar 23, 2007
    #2
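
    The replacement described in this reply is done by RoleManagerModule during PostAuthenticateRequest; the module first raises its GetRoles event, and when a handler sets RolesPopulated the module leaves Context.User alone. The following Global.asax code-behind is an added example, not code from either poster or from the How To article: the CustomPrincipal class is a minimal stand-in, and it assumes the pipe-delimited role string built at logon was stored in the forms ticket's UserData.

```csharp
// Global.asax.cs (added example; CustomPrincipal is a minimal stand-in class)
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class CustomPrincipal : IPrincipal
{
    private readonly IIdentity identity;
    private readonly string[] roles;

    public CustomPrincipal(IIdentity identity, string[] roles)
    {
        this.identity = identity;
        this.roles = roles;
    }

    public IIdentity Identity { get { return identity; } }

    public bool IsInRole(string role)
    {
        return Array.IndexOf(roles, role) >= 0;
    }
}

public class Global : HttpApplication
{
    // Raised by RoleManagerModule during PostAuthenticateRequest,
    // before it would assign a RolePrincipal to Context.User.
    protected void RoleManager_GetRoles(object sender, RoleManagerEventArgs e)
    {
        IPrincipal current = e.Context.User;
        FormsIdentity id = current == null ? null : current.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated)
            return; // anonymous or non-forms request: keep the default behaviour

        // Assumption: roles were written pipe-delimited into UserData at logon.
        string[] roles = id.Ticket.UserData.Split(
            new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);

        e.Context.User = new CustomPrincipal(id, roles);
        e.RolesPopulated = true; // the module will not substitute a RolePrincipal
    }
}
```

    Roles read from the ticket are a snapshot taken at logon, so a role removed in the database stays effective until the ticket expires; keep the ticket timeout short where revocation matters.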