Using Principal.GenericPrincipal vs SqlRoleProvider

 
 
Dave
      12-05-2008
Hi, I created my own Users, Roles, & UserRoles tables in my SQL DB. I'm
using the following code to associate the user's roles from what's in my
tables.

Snippet 1
----------
// In a page base class, load the user's roles for subsequent IsInRole
// security checks...where userRoles is an array of roleIds pulled from the
// UserRole table.
Context.User = new System.Security.Principal.GenericPrincipal(Context.User.Identity, userRoles);

Snippet 2
----------
I then check the user's role later in the page.

if (Context.User.IsInRole("Admin"))
{
    // enable some controls here...
}

However, it seems I always have to run Snippet #1 since the user's role
context is not persistent between requests.

I then see that the SqlRoleProvider is designed to do this and apparently
you can cache the roles by specifying the roleManager cookie in the web.config.

My question is whether SqlRoleProvider has essentially replaced the method
I'm using? My method is more basic in terms of what I've added to the
database, but if I can't persist the user's context in any way, is it too
inefficient? If I need to track additional user columns I'm guessing I just
tweak the tables/procs created by regaspnet_regsql.


 
Alexey Smirnov
      12-10-2008
On Dec 5, 9:11 pm, Dave <(E-Mail Removed)> wrote:
> Hi, I created my own Users, Roles, & UserRoles tables in my SQL DB. I'm
> using the following code to associate the user's roles from what's in my
> tables.
>
> Snippet 1
> ----------
> // In a page base class, load the user's roles for subsequent IsInRole
> // security checks...where userRoles is an array of roleIds pulled from the
> // UserRole table.
> Context.User = new System.Security.Principal.GenericPrincipal(Context.User.Identity, userRoles);
>
> Snippet 2
> ----------
> I then check the user's role later in the page.
>
> if (Context.User.IsInRole("Admin"))
> {
>     // enable some controls here...
> }
>
> However, it seems I always have to run Snippet #1 since the user's role
> context is not persistent between requests.
>
> I then see that the SqlRoleProvider is designed to do this and apparently
> you can cache the roles by specifying the roleManager cookie in the web.config.
>
> My question is whether SqlRoleProvider has essentially replaced the method
> I'm using? My method is more basic in terms of what I've added to the
> database, but if I can't persist the user's context in any way, is it too
> inefficient? If I need to track additional user columns I'm guessing I just
> tweak the tables/procs created by regaspnet_regsql.


Hi Dave,

1) You can add your code in the Application_AuthenticateRequest event
handler.
2) You can cache roles in the cookies to avoid multiple requests to the DB.

Basically it could look like the following:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Anonymous requests have no Context.User yet; nothing to attach roles to.
    if (Context.User == null) return;

    const string cookieKey = "roles";
    string[] roles = new string[] {};

    // Create the roles cookie if it doesn't exist yet for this session.
    if (Request.Cookies[cookieKey] == null ||
        Request.Cookies[cookieKey].Value == String.Empty)
    {
        // Get roles from UserRoles table, and add to cookie
        roles = ...

        // Create a cookie authentication ticket.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            ....
            roles
        );

        // Encrypt the ticket
        String cookieStr = FormsAuthentication.Encrypt(ticket);

        // Create a cookie and add the encrypted ticket to the cookie as data.
        HttpCookie authCookie = new HttpCookie(cookieKey, cookieStr);

        // Add the cookie to the outgoing cookies collection.
        Response.Cookies.Add(authCookie);
    }
    else
    {
        // Read the cached roles back out of the encrypted ticket.
        FormsAuthenticationTicket ticket =
            FormsAuthentication.Decrypt(Context.Request.Cookies[cookieKey].Value);
        roles = ticket.UserData...
    }

    // Add your own custom principal to the request containing the roles
    // in the auth ticket
    Context.User = new GenericPrincipal(Context.User.Identity, roles);
}

After that you will be able to use Context.User.IsInRole.

Hope this helps
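
Added example, not part of either post: one way to fill in the elided parts of the sketch above so that the cached roles are bound to the signed-in user and expire, instead of being trusted whenever the cookie is present. RoleLookup, the 20-minute lifetime and comma-free role names are assumptions made for this example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string CookieKey = "roles";
    // Assumed lifetime: a role change in the database takes effect within this window.
    private static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(20);
    // Assumed hook: assign at startup to a query over the Users/Roles/UserRoles
    // tables. The default grants no roles, so a missing lookup fails closed.
    public static Func<string, string[]> RoleLookup = name => new string[0];

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Anonymous requests have no identity to attach roles to.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return;
        string userName = Context.User.Identity.Name;

        string[] roles = ReadCachedRoles(Request.Cookies[CookieKey], userName);
        if (roles == null)
        {
            roles = RoleLookup(userName);
            var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
                DateTime.Now.Add(CacheLifetime), false, String.Join(",", roles));
            var cookie = new HttpCookie(CookieKey, FormsAuthentication.Encrypt(ticket));
            cookie.HttpOnly = true;                      // not readable from script
            cookie.Secure = Request.IsSecureConnection;  // HTTPS-only when served over HTTPS
            Response.Cookies.Add(cookie);
        }
        Context.User = new GenericPrincipal(Context.User.Identity, roles);
    }

    // Returns null (forcing a fresh lookup) unless the cookie decrypts, has not
    // expired, and was issued to the user making this request.
    private static string[] ReadCachedRoles(HttpCookie cookie, string userName)
    {
        if (cookie == null || String.IsNullOrEmpty(cookie.Value)) return null;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return null; }               // tampered or undecryptable
        if (ticket == null || ticket.Expired) return null;
        if (!String.Equals(ticket.Name, userName, StringComparison.OrdinalIgnoreCase))
            return null;                                 // left over from another login
        return ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }
}
```

Comparing ticket.Name with the current identity is what stops a roles cookie left in the browser by a previous login from granting its roles to the next user on the same machine.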
 