Using Principal.GenericPrincipal vs SqlRoleProvider

Discussion in 'ASP .Net Security' started by Dave, Dec 5, 2008.

  1. Dave

    Dave Guest

    Hi, I created my own Users, Roles, & UserRoles tables in my SQL DB. I'm
    using the following code to associate the user's roles from what's in my
    tables.

    Snippet 1
    ----------
    // In a page base class, load the user's roles for subsequent IsInRole
    // security checks... where userRoles is an array of roleIds pulled from the
    // UserRole table.
    Context.User = new System.Security.Principal.GenericPrincipal(Context.User.Identity, userRoles);

    Snippet 2
    ----------
    I then check the user's role later in the page.
    if (Context.User.IsInRole("Admin"))
    {
        // enable some controls here...
    }

    However, it seems I always have to run Snippet #1 since the user's role
    context is not persistent between requests.

    I then see that the SqlRoleProvider is designed to do this and apparently
    you can cache the roles specifying the roleManager cookie in the web.config.

    My question is whether SqlRoleProvider has essentially replaced the method
    I'm using? My method is more basic in terms of what I've added to the
    database, but if I can't persist the user's context in any way, is it too
    inefficient? If I need to track additional user columns I'm guessing I just
    tweak the tables/procs created by aspnet_regsql.
    Dave, Dec 5, 2008
    #1

  2. On Dec 5, 9:11 pm, Dave <> wrote:
    > Hi, I created my own Users, Roles, & UserRoles tables in my SQL DB. I'm
    > using the following code to associate the user's roles from what's in my
    > tables.
    >
    > Snippet 1
    > ----------
    > // In a page base class, load the user's roles for subsequent IsInRole
    > // security checks... where userRoles is an array of roleIds pulled from the
    > // UserRole table.
    >
    > Context.User = new System.Security.Principal.GenericPrincipal(Context.User.Identity, userRoles);
    >
    > Snippet 2
    > ----------
    > I then check the user's role later in the page.
    > if (Context.User.IsInRole("Admin"))
    > {
    >     // enable some controls here...
    > }
    >
    > However, it seems I always have to run Snippet #1 since the user's role
    > context is not persistent between requests.
    >
    > I then see that the SqlRoleProvider is designed to do this and apparently
    > you can cache the roles specifying the roleManager cookie in the web.config.
    >
    > My question is whether SqlRoleProvider has essentially replaced the method
    > I'm using? My method is more basic in terms of what I've added to the
    > database, but if I can't persist the user's context in any way, is it too
    > inefficient? If I need to track additional user columns I'm guessing I just
    > tweak the tables/procs created by aspnet_regsql.


    Hi Dave,

    1) you can add your code in the Application_AuthenticateRequest event
    handler
    2) you can cache the roles in a cookie to avoid multiple requests to the DB

    Basically it could look like the following:

    protected void Application_AuthenticateRequest(...)
    {
        const string cookieKey = "roles";
        string[] roles = new string[] {};

        // Create the roles cookie if it doesn't exist yet for this session.
        if (Request.Cookies[cookieKey] == null || Request.Cookies[cookieKey].Value == String.Empty)
        {
            // Get roles from the UserRoles table, and add them to the cookie
            roles = ...

            // Create a cookie authentication ticket.
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                ....
                roles
            );

            // Encrypt the ticket
            String cookieStr = FormsAuthentication.Encrypt(ticket);

            // Create a cookie and add the encrypted ticket to the cookie as data.
            HttpCookie authCookie = new HttpCookie(cookieKey, cookieStr);

            // Add the cookie to the outgoing cookies collection.
            Response.Cookies.Add(authCookie);
        }
        else
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(Context.Request.Cookies[cookieKey].Value);
            roles = ticket.UserData...
        }

        // Add your own custom principal to the request containing the roles
        // in the auth ticket
        Context.User = new GenericPrincipal(Context.User.Identity, roles);
    }

    After that you will be able to use Context.User.IsInRole.

    Hope this helps
    Alexey Smirnov, Dec 10, 2008
    #2
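    The pattern above, completed as an added example rather than code from the thread: the roles go into the forms-authentication ticket's UserData instead of a second "roles" cookie, so they are bound to the signed-in name, covered by the ticket's encryption and MAC, and expire and are cleared together with the login. SignIn, the 30-minute lifetime and the pipe delimiter are assumptions, as is the caller loading role names (not numeric ids) from the UserRoles table.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Called from the login page once the password check has succeeded; the
    // caller loads the role *names* from the UserRoles table. GenericPrincipal
    // .IsInRole compares strings, so numeric role ids would never match "Admin".
    public static void SignIn(HttpResponse response, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                  // ticket version
            userName,
            DateTime.Now,                       // issued
            DateTime.Now.AddMinutes(30),        // assumed lifetime; roles expire with the login
            false,                              // not persistent across browser sessions
            string.Join("|", roles),            // UserData carries the role names
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                 // script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Runs on every request: rebuild the principal from the ticket so
    // Context.User.IsInRole works without a per-request database round trip.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return;                             // anonymous request: default principal stays

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { ticket = null; }    // tampered or foreign-key cookie: treat as anonymous
        if (ticket == null || ticket.Expired)
            return;

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split('|');
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

    Roles cached this way stay in force until the ticket expires, so a role revoked in the database is not seen until then; keep the lifetime short or re-issue the ticket when roles change.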
