Getting RolePrincipal to use RoleProvider.IsInRole rather than RoleProvider.GetRolesForUser

Discussion in 'ASP .Net Security' started by Keith Patrick, Aug 8, 2006.

  1. I have a custom security backend that I need to integrate with ASP.Net 2.0.
    The problem I have is that being in a role is not evaluated as simply
    "myRoles.Contains(role)". There's some logic that goes on in a webservice
    such that I really do have to ask the security system the question: "Is the
    user in the role", since the role is in a format that has to be parsed into
    some parameters to get passed elsewhere. GetRolesForUser won't work because
    the security system cannot simply enumerate these roles for string
    comparison. However, RolePrincipal is sealed, so I cannot change its
    behavior. I can fix the sitemap portion (I think) by creating a custom
    sitemap provider that changes implementation of IsAccessibleToUser, but that
    doesn't fix the rest of the controls that wind up calling
    RolePrincipal.GetRolesForUsers.
    Has anyone come up with a way around the string.equals() version of checking
    for a role that asp.net is doing by default?
    Keith Patrick, Aug 8, 2006
    #1

  2. RoleManager/RolePrincipal don't have support for what you are trying to do.

    I would suggest writing your own IPrincipal implementation with a customized
    IsInRole method. You can set your Principal on Context.User in the AuthenticateRequest
    event (in an HTTP module or application event handler).

    ---
    Dominick Baier, DevelopMentor
    http://www.leastprivilege.com

    > I have a custom security backend that I need to integrate with ASP.Net
    > 2.0.
    > The problem I have is that being in a role is not evaluated as simply
    > "myRoles.Contains(role)". There's some logic that goes on in a
    > webservice
    > such that I really do have to ask the security system the question:
    > "Is the
    > user in the role", since the role is in a format that has to be parsed
    > into
    > some parameters to get passed elsewhere. GetRolesForUser won't work
    > because
    > the security system cannot simply enumerate these roles for string
    > comparison. However, RolePrincipal is sealed, so I cannot change its
    > behavior. I can fix the sitemap portion (I think) by creating a
    > custom
    > sitemap provider that changes implementation of IsAccessibleToUser,
    > but that
    > doesn't fix the rest of the controls that wind up calling
    > RolePrincipal.GetRolesForUsers.
    > Has anyone come up with a way around the string.equals() version of
    > checking
    > for a role that asp.net is doing by default
    Dominick Baier, Aug 20, 2006
    #2
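
A sketch of the approach suggested in reply #2, added here as an example; it is not code from either poster. `IRoleAuthority`, `BackendPrincipal` and `BackendPrincipalModule` are hypothetical names, the interface stands in for the custom backend's web-service call, and the sketch assumes the ASP.NET role manager is not enabled, so nothing replaces `Context.User` with a `RolePrincipal` afterwards.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Hypothetical abstraction over the custom security backend (the web service).
public interface IRoleAuthority { bool IsUserInRole(string userName, string role); }

public sealed class BackendPrincipal : IPrincipal
{
    private readonly IIdentity _identity;
    private readonly IRoleAuthority _authority;
    // One principal is created per request, so this caches answers per request only.
    private readonly Dictionary<string, bool> _answers = new Dictionary<string, bool>();

    public BackendPrincipal(IIdentity identity, IRoleAuthority authority)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (authority == null) throw new ArgumentNullException("authority");
        _identity = identity;
        _authority = authority;
    }

    public IIdentity Identity { get { return _identity; } }

    public bool IsInRole(string role)
    {
        // Deny anonymous callers and empty role strings without asking the backend.
        if (string.IsNullOrEmpty(role) || !_identity.IsAuthenticated) return false;
        bool allowed;
        if (_answers.TryGetValue(role, out allowed)) return allowed;
        try { allowed = _authority.IsUserInRole(_identity.Name, role); }
        catch (Exception) { allowed = false; } // fail closed when the backend call fails
        _answers[role] = allowed;
        return allowed;
    }
}

public sealed class BackendPrincipalModule : IHttpModule
{
    // Assumption: assigned once at application start (e.g. in Application_Start).
    public static IRoleAuthority Authority;

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (Authority != null && ctx.User != null && ctx.User.Identity.IsAuthenticated)
                ctx.User = new BackendPrincipal(ctx.User.Identity, Authority);
        };
    }
    public void Dispose() { }
}
```

Register the module under `<httpModules>` in web.config so it runs after the built-in authentication module has set `Context.User`. Every `IsInRole` check in the request then goes to the backend as a yes/no question instead of a string comparison against an enumerated role list.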
