User.IsInRole not redirecting

Bob Erwin

Hi there,

I have been reading up on Authorization and role based security for a couple
of days now, and am trying to implement this in my applications.

I'm having a problem with my roles being recognized by using the
user.isinrole("test") on the redirected page after the Login.

For instance, here is my code after I log into the page:


Dim test() As String = {"OEM", "test"}
HttpContext.Current.User = New GenericPrincipal(User.Identity, test)
FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)

At this point if I break at the formsAuthentication.....I watch the
User.isinrole("test") it shows up true, however, when I get redirected to
the webform1.aspx page and also watch user.isinrole("test") then it is
false.

I'm really confused on what I need to do...I've tried the
Threading.currentprincipal = new genericPrincipal(User.Identity, test) and
that didn't work as well. The User.identity.isauthenticated does come over
and also the User.identity.name comes over, it is just the
user.isinrole("test") that does not come over.

Any thoughts?

Your help is greatly appreciated...

Thanks,
Bob
 
Paul Glavich

You need to associate your principal with associated roles for each request
that comes in. Once you have authenticated and redirected, typically all
that will be passed along (automatically that is) is that the user has been
authenticated. A common way of carrying the roles across multiple requests
is, once authenticated, store the roles in the cookie that is issued to the
client. Each request that comes in (via the Application_AuthenticateRequest
event in Global.asax), you extract the roles, create your generic principal
with the extracted roles, and associate that generic principal with the
current context. When doing this, you should also remember to encrypt the
cookie.
 
Bob Erwin

Hey Paul,

Thanks for the response. I still have a question with this though. Yes you
are correct that the authenticated user info is passed along automatically
for me. So are you saying that Generic Principals associated with that
identity are *not* passed? Does that mean that I need to create a new
generic principal and populate it each time I re-direct to a new page?

Thanks,
Bob
 
Bob Erwin

Hey,

Never mind on my last post. I was able to get this working based on the
information you had provided.

Just for those who are trying to do the same thing, I referenced:
http://www.codeproject.com/aspnet/formsroleauth.asp as well as other Deja
Articles.

And here is my code below:
'in my login button code
.........
Dim AuthTicket As New FormsAuthenticationTicket(1, oUserInfo.EmailAddress, _
    DateTime.Now, DateTime.Now.AddMinutes(30), False, oUserInfo.UserRoles, _
    FormsAuthentication.FormsCookiePath)
' Encrypt the ticket (the roles travel in its UserData) before it goes into the cookie
Dim hash As String = FormsAuthentication.Encrypt(AuthTicket)
Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, hash)
Response.Cookies.Add(cookie)
Response.Redirect(FormsAuthentication.GetRedirectUrl(oUserInfo.EmailAddress, False), False)
End Sub

' In Global.asax (needs Imports System.Security.Principal and System.Web.Security)
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires upon attempting to authenticate the user
    If Request.IsAuthenticated Then
        If User.Identity.IsAuthenticated Then
            ' The forms authentication module has already decrypted the ticket
            Dim id As FormsIdentity
            id = DirectCast(HttpContext.Current.User.Identity, FormsIdentity)
            Dim AuthTicket As FormsAuthenticationTicket
            AuthTicket = id.Ticket
            ' UserData holds the roles as a "|"-delimited string
            Dim roles As String = AuthTicket.UserData
            Dim RoleArray As String()
            RoleArray = Split(roles, "|")
            ' Rebuild the principal with its roles on every request
            HttpContext.Current.User = New GenericPrincipal(User.Identity, RoleArray)
        End If
    End If
End Sub

Thanks for your help...

Bob
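
A hardened variant of the same pattern, as an added example that is not code from either poster: it sets the cookie flags explicitly, does not assume the identity is a FormsIdentity, and drops empty role entries. The module and method names (RoleTicketHelper, IssueRoleTicket, AttachRoles) are hypothetical, and it assumes role names never contain the "|" delimiter.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Module RoleTicketHelper   ' hypothetical helper, not part of ASP.NET

    ' Call from the login handler once the credentials have been verified.
    Public Sub IssueRoleTicket(ByVal response As HttpResponse, _
                               ByVal userName As String, ByVal roles As String())
        ' Assumption: no role name contains "|", the delimiter used in UserData.
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
            DateTime.Now.AddMinutes(30), False, String.Join("|", roles), _
            FormsAuthentication.FormsCookiePath)
        ' Encrypt protects the roles from being read or altered on the client.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                           ' not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL   ' follows <forms requireSSL="...">
        response.Cookies.Add(cookie)
    End Sub

    ' Call from Application_AuthenticateRequest in Global.asax on every request.
    Public Sub AttachRoles(ByVal context As HttpContext)
        If context.User Is Nothing Then Return
        ' TryCast returns Nothing instead of throwing for a non-forms identity.
        Dim id As FormsIdentity = TryCast(context.User.Identity, FormsIdentity)
        If id Is Nothing OrElse Not id.IsAuthenticated Then Return
        Dim data As String = id.Ticket.UserData
        If data Is Nothing Then data = String.Empty
        ' An empty UserData yields no roles rather than one empty role name.
        Dim roles As String() = data.Split(New Char() {"|"c}, _
            StringSplitOptions.RemoveEmptyEntries)
        context.User = New GenericPrincipal(id, roles)
    End Sub

End Module
```

Roles stored this way are fixed for the life of the ticket, so a role removed on the server keeps working until the ticket expires or the user logs in again.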
 
