Need help improving authorization

AndiV

Each of my intranet pages (Windows authentication) needs to validate the user's
roles stored in the database. Currently, I retrieve the
User.Identity.Name property, then query the database for the user's roles
every time a page is loaded, which is very inefficient.

I think a more efficient approach would be to query the database only once
for each user; the application_start event is probably the best place? Once
this particular user's roles are retrieved, the roles can be concatenated as
a delimited string and stored in a cookie or a session variable. Then on each
page load event, I just have to parse the roles string to apply
authorization.

I believe this scheme will work. But it seems more like a hack than a design
pattern or a best practice. I'm seeking an elegant .NET solution. Please
advise.

TIA,
Andi

Chris Simmons

I'd say go with your plan (except I hope you mean Session_Start, not
Application_Start).

I'd put your method to authenticate and authorize the user in some
public-accessible place so that you can use it from Session_Start
*and* your pages/controls if you need to re-query at some point during
the same session.

Joe Fallon

The Principal and Identity objects are supposed to implement IsInRole so
that you can always have that information handy for each user.
===========================================
In my Principal class I have:
'Implements the IsInRole method defined by IPrincipal. The Principal just
'delegates to the Identity, which holds the roles loaded from the database.
Public Function IsInRole(ByVal Role As String) As Boolean Implements IPrincipal.IsInRole
    Return mIdentity.IsInRole(Role)
End Function
===========================================
In my Identity class I have code like this (air code)

'Roles are loaded once, when the Identity is built, and kept for the session.
'Note: ArrayList.Contains is case-sensitive, so role names must match exactly.
Private mRoles As New ArrayList

Friend Function IsInRole(ByVal role As String) As Boolean
    Return mRoles.Contains(role)
End Function

'get user roles: one query per login instead of one per page load
Dim dr As IDataReader = DAL.ExecuteReader(myDAO.GetRoles())
While dr.Read()
    'GetString takes a column ordinal, so look the ordinal up by column name
    mRoles.Add(dr.GetString(dr.GetOrdinal("role")))
End While
dr.Close()
==============================

In Global.asax AcquireRequestState you attach your Principal to the thread
and you now have the roles available through your User object. If you cast it
to your custom Principal object you have any other data you extracted that
is useful (like Name, UserID, etc.)

'Requires Imports System.Threading (for Thread) and Imports System.Web
Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AcquireRequestState

    'Session state is first available in this event, so the cached Principal
    'is re-attached to the thread and the HttpContext here on every request
    If Not Session("myPrincipal") Is Nothing Then
        Thread.CurrentPrincipal = CType(Session("myPrincipal"), MyCustomPrincipal)
        HttpContext.Current.User = CType(Session("myPrincipal"), MyCustomPrincipal)
    Else
        'Authenticated but no cached Principal (e.g. the session expired):
        'sign out and force a fresh login so the roles are reloaded
        If Thread.CurrentPrincipal.Identity.IsAuthenticated = True Then
            System.Web.Security.FormsAuthentication.SignOut()
            Server.Transfer(Request.ApplicationPath + "/Login.aspx")
        End If
    End If

End Sub
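A C# version of the same pattern, added here as an illustration and not taken from Joe's code or from any project: the roles are read from the database once, cached in Session inside a custom IPrincipal, and re-attached in AcquireRequestState on every request, so pages call User.IsInRole without a query. It also re-reads the roles when the cached copy is older than a fixed age, so a role removed in the database stops working without waiting for a logout, and it discards a cached principal whose name does not match the Windows identity of the current request. RoleRepository.GetRoles is a hypothetical data-access call standing in for the poster's role query.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Custom principal holding the roles read from the database. Serializable so it
// can be stored in Session (including out-of-process session state).
[Serializable]
public sealed class DbRolePrincipal : IPrincipal
{
    private readonly HashSet<string> roles;
    public IIdentity Identity { get; private set; }
    public DateTime LoadedUtc { get; private set; }
    public DbRolePrincipal(string name, string authType, IEnumerable<string> dbRoles)
    {
        Identity = new GenericIdentity(name, authType);
        // Case-insensitive, like Windows group names; use StringComparer.Ordinal if roles are case-sensitive.
        roles = new HashSet<string>(dbRoles, StringComparer.OrdinalIgnoreCase);
        LoadedUtc = DateTime.UtcNow;
    }
    public bool IsInRole(string role) { return roles.Contains(role); }
}

// Global.asax code-behind; ASP.NET wires Application_AcquireRequestState by name.
public class Global : HttpApplication
{
    // Cached roles older than this are re-read from the database.
    private static readonly TimeSpan MaxRoleAge = TimeSpan.FromMinutes(15);

    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        // Session is first available in this event; skip requests that have none.
        if (Context.Session == null || !Context.Request.IsAuthenticated) return;
        IIdentity winId = Context.User.Identity;  // set by WindowsAuthenticationModule
        var cached = Context.Session["principal"] as DbRolePrincipal;
        bool reload = cached == null
            || !string.Equals(cached.Identity.Name, winId.Name, StringComparison.OrdinalIgnoreCase)
            || DateTime.UtcNow - cached.LoadedUtc > MaxRoleAge;
        if (reload)
        {
            // RoleRepository.GetRoles: hypothetical DAL call, one query per user per cache period.
            IEnumerable<string> dbRoles = RoleRepository.GetRoles(winId.Name);
            cached = new DbRolePrincipal(winId.Name, winId.AuthenticationType, dbRoles);
            Context.Session["principal"] = cached;
        }
        // From here on, pages use User.IsInRole("...") without touching the database.
        Context.User = cached;
        Thread.CurrentPrincipal = cached;
    }
}
```

Keeping the roles server-side in Session rather than in a cookie also means the client never holds a role string it could edit.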