GenericPrincipal

Erick

I'm trying to create and use a GenericPrincipal object with roles
authorization to use in my ASP.NET apps.

My user directs new users to an asp.net login page.
They log in and I use that information to create a GenericIdentity.
Then I get their roles from the data store and use that and the
generic identity to create a GenericPrincipal object.

I then assign the GenericPrincipal object to
My.User.CurrentPrincipal.
It all works fine up to this point.

The problem occurs when I navigate to a new page.
I lose the generic identity and all the roles.
Surely I don't need to go to the data store each time I navigate to a
new page?
Why aren't all the values of the GenericPrincipal which I attached to
My.User.CurrentPrincipal
saved for the user's ENTIRE SESSION?

Thanks
Erick
 
Joe Kaplan

Of course you have to execute some code on every request. The web is a
stateless protocol. As to whether you need to go all the way back to the
data store on each request to get your role data, that depends a great deal
on your implementation. You should probably be able to cache that data
somewhere.

There are a variety of implementations of this type of thing built into .NET
(forms authentication, membership provider framework, etc.). Why are you
reinventing the wheel?

Joe K.
 
Erick

The GenericPrincipal is there to use for when you don't want to use
forms or Windows authentication. I want to create a single
GenericPrincipal object for Windows authenticated users within our
domain and for users coming in through our internet.

Once I have a principal object I can then add roles to the principal
object and use that to authorize my users through the rest of the
application. I only want to get their roles once at the start of their
session. Then use that for authorization throughout the application.

Like this
If My.User.IsInRole("administrator") Then
.....
....
End If

If I use forms authentication for those coming in from the outside I
can use the code above, but for users within our domain I would need to
write something like this to handle NT security groups

If My.User.IsInRole("OurDomain\ag myapplication administratorsgourp") Then
....
....
End If

The code shouldn't really care that my administrator is external or
internal. Once authenticated, the authorization should be the same.

So I want to convert both forms and Windows into generic. Then use
the one type of syntax throughout. My issue is that the principal
object should apply for the entire user's session. It makes no sense
to have to authorize and authenticate someone on each request. Just
once per session is required.
 
Joe Kaplan

Right, but what I'm saying is that all of the other frameworks for doing
this have code to authenticate the user, recreate the principal and perform
authorization on each request and so must your code. If you need to save
your roles in between executions to avoid a round trip to the db to look
them up again, then you need to persist them in cache, session or in a
secure cookie and regenerate them that way.

People usually use the membership providers so they don't have to write all
that code.

Joe K.
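
The secure-cookie option described in the reply above, as an added example that is not part of the original thread: the roles are read from the data store once at login, carried in an encrypted forms authentication ticket, and the GenericPrincipal is rebuilt from that ticket on every request. RoleTicket, Issue, Restore, the "|" separator (role names are assumed not to contain it), the 30-minute lifetime and the HTTPS-only cookie are assumptions of this sketch.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Threading
Imports System.Web
Imports System.Web.Security

' RoleTicket, Issue and Restore are hypothetical names for this example.
Public Module RoleTicket
    ' Login page: the roles were read from the data store once; carry them in
    ' the ticket's UserData. Encrypt applies the <forms protection> setting.
    Public Function Issue(ByVal userName As String, ByVal roles As String()) As HttpCookie
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
            DateTime.Now.AddMinutes(30), False, String.Join("|", roles))
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True   ' keep the ticket away from client script
        cookie.Secure = True     ' assumes the site is served over HTTPS
        Return cookie
    End Function

    ' Every request: rebuild the principal from the cookie, no data store call.
    Public Function Restore(ByVal cookie As HttpCookie) As IPrincipal
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then Return Nothing
        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return Nothing       ' malformed or tampered value: stay anonymous
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return Nothing
        Dim roles As String() = ticket.UserData.Split(New Char() {"|"c}, _
            StringSplitOptions.RemoveEmptyEntries)
        Return New GenericPrincipal(New GenericIdentity(ticket.Name, "Custom"), roles)
    End Function
End Module

' Global.asax code-behind: runs on each request, as the reply above says it must.
Public Class Global_asax
    Inherits HttpApplication
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim p As IPrincipal = RoleTicket.Restore( _
            Request.Cookies(FormsAuthentication.FormsCookieName))
        If p IsNot Nothing Then
            Context.User = p
            Thread.CurrentPrincipal = p
        End If
    End Sub
End Class
```

The login page would add the cookie with `Response.Cookies.Add(RoleTicket.Issue(name, roles))`. Roles carried this way stay in effect until the ticket expires, so a role removed in the data store is only honoured after expiry; keep the lifetime short.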
 
WhiskeyRomeo

I am new to VS2005 and .NET Framework 2.0. But if you use the built-in
authentication of a website, doesn't that create a SQL Express database to
maintain membership logins, passwords, and roles?

Is there a way to use the membership provider without the overhead of
creating a duplicate database when you have all the information in a SQL
Server 2000 database? See my later post (Forms Auth Roles being ignored).

WR
 
Joe Kaplan

I think if you want to use your existing user database, you would need to
create your own custom membership provider that talks to your SQL server.
The default one doesn't necessarily require SQL express, but it does assume
a specific schema that certainly won't match your existing database.

I would think this would be pretty doable though. The source code for the
SQL membership provider is freely available for you to look at and modify.
It is probably a better way to go than by starting with the lower level
forms auth as you'll get a lot more integration that way.

You might also consider migrating your existing user store to the schema
expected by the SQL membership provider.

I'm not really an expert in the SQL membership provider stuff (I'm a
directory guy and think you should put users in directories like AD and ADAM
:)), so if you have more specific questions about the SQL stuff, you'd need
to ask someone else.

Joe K.
 
Dominick Baier

Well - Roles Provider would be the right provider in that case.

Either use the out of the box one - if you are happy to use the MS provided
DB schema -

otherwise simply derive from RoleProvider and implement the GetRolesForUser
method.

When you register the provider using system.web/roleManager you have all
kinds of caching options.
 
