Custom IIdentity class - how to set it?

[Tim Mulholland]

I have created my own IIdentity class (actually inherited from
GenericIdentity) to contain lots of extra useful information to be passed
around with the user's basic information.
The class compiles fine, no problems there.

My problem is that i'm not sure where to actually set this to be part of the
HttpContext. I know that the IIdentity stuff is part of a principal (which
in my case will be a GenericPrinciple i suppose since i'm using forms
authentication). So i figure it needs to be whenever the HttpContext.User
object is set.

What event is raised that i need to handle to be able to do this? I'm going
to be controlling all of the authentication using custom forms
authentication.

Is there a good tutorial about this type of stuff (the 'flow' of the
authentication information) that someone could point me to?

Thanks in advance,

Tim

 

[John Saunders]

I have created my own IIdentity class (actually inherited from
GenericIdentity) to contain lots of extra useful information to be passed
around with the user's basic information.
The class compiles fine, no problems there.

My problem is that i'm not sure where to actually set this to be part of the
HttpContext. I know that the IIdentity stuff is part of a principal (which
in my case will be a GenericPrinciple i suppose since i'm using forms
authentication). So i figure it needs to be whenever the HttpContext.User
object is set.

What event is raised that i need to handle to be able to do this? I'm going
to be controlling all of the authentication using custom forms
authentication.

You need to do this sort of thing in the Application_AuthenticateRequest
event in global.asax.

Be sure to check Request.IsAuthenticated, first, though!

 

[Tim Mulholland]

i've been looking into that...
am i correct then in thinking that this event will be raised multiple times
per page request, and i'll handle it when they've been authenticated and
fill in the User information then? So then the user information would be
recreated (accessed from a db, or whatever) everytime a page loads?
Is there a better way to do that?
Or am i just totally missing something?

 

[John Saunders]

i've been looking into that...
am i correct then in thinking that this event will be raised multiple times
per page request, and i'll handle it when they've been authenticated and
fill in the User information then? So then the user information would be
recreated (accessed from a db, or whatever) everytime a page loads?
Is there a better way to do that?
Or am i just totally missing something?

No. The event will only be raised once per page.

And, yes, it does have to be recreated every page load - so it would be a
good idea to avoid a database hit on each load. Many people do this by
setting the UserData field of the FormsAuthenticationTicket on their login
page, then reading the UserData during Application_AuthenticateRequest. The
idea would be to use it to hold information you'd otherwise have to go to
the database for, but which you don't mind having a bit out of date (it will
be from the time of login, if you never refresh it).

 

[Tim Mulholland]

Thanks for the help John. Much appreciated.

Tim

No. The event will only be raised once per page.

And, yes, it does have to be recreated every page load - so it would be a
good idea to avoid a database hit on each load. Many people do this by
setting the UserData field of the FormsAuthenticationTicket on their login
page, then reading the UserData during Application_AuthenticateRequest. The
idea would be to use it to hold information you'd otherwise have to go to
the database for, but which you don't mind having a bit out of date (it will
be from the time of login, if you never refresh it).

--
John Saunders
John.Saunders at SurfControl.com

part

 

[Steven Cheng[MSFT]]

Hi Tim,



Thanks for posting in the community!
From your description, you're using the FormsAuthentication in ASP.NET and
you're wondering the time when to set the customized principle object(with
the proper roles) to the HttpContext.Current.User, yes?

Based on my expericence, generally , in formsauthentication, since the
roles must be retrieved and set manually via code, so we can put those code
in the Application_AuthenticateRequest event of the global
object(global.asax/global.asax.cs). At that time ,the request hasn't been
processed , we can first retireved all the proper roles of the current user
from our datasource and create a principle objectd and set it to the
HttpContext.Current.User, for example:
---------------------
Sub Application_AuthenticateRequest....
'f?rst hentes roller for brugeren ud i
'array'et roleListArray... og derefter:
HttpContext.Current.User =
New GenericPrincipal(User.Identity, roleListArray)
end sub
---------------------

And here are two tech articles discussing detailedly on this:

#HOW TO: Implement Role-Based Security with Forms-Based Authentication in
Your ASP.NET Application by Using Visual C# .NET
http://support.microsoft.com/?id=311495

#Using Forms Authentication in ASP.NET
http://www.xoc.net/works/tips/forms-authentication.asp

Please check out the above things to see whether they answer your question.



Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

 

[Steven Cheng[MSFT]]

Hi Tim,


Have you had a chance to check out the suggestions in my last reply or have
you got any ideas on this issue? If you have anything unclear or need any
further help, please feel free to post here.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx