Role-based security: Access the role of current user

[Jesper Stocholm]

I have implemented role-based security within my ASP.Net application.
However, it seems the role is not passed to the authentication ticket I
create.

I want to use it to display/hide some content based on the user's role. I
wrote this to do it:

if (HttpContext.Current.User.Identity.IsAuthenticated)
{
plLoggedIn.Visible = true;
liFirstName.Text = HttpContext.Current.User.Identity.Name;
// This condition is causing me problems.
// The condition always returns false, and hence writes
// "user" regardless of what I log on as.
if (HttpContext.Current.User.IsInRole("Administrator"))
{
liUserRole.Text = "administrator";
}
else
{
liUserRole.Text = "user";
}
}
else
{
plLogin.Visible = true; // if not logged in, show login-form
}

I create my ticket as:

FormsAuthenticationTicket oTicket = new FormsAuthenticationTicket(
1,
txtUserName.Text, //user name from form
DateTime.Now,
DateTime.Now.AddMinutes(30),
false, //deletes cookie when closing browser session.
oData.GetString(0), //Data from db with value either "Administrator"
//or "User"
FormsAuthentication.FormsCookiePath
);

In my global.asax I added the code:

if (HttpContext.Current.User != null)
{
if (HttpContext.Current.User.Identity.IsAuthenticated)
{
if (HttpContext.Current.User.Identity is FormsIdentity)
{
FormsIdentity id =
(FormsIdentity)HttpContext.Current.User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
// Get the stored user-data, in this case, the
string userData = ticket.UserData; //Should contain e.g. "User"
string[] roles = userData.Split(',');
HttpContext.Current.User = new GenericPrincipal(id, roles);
}
}
}

It seems the ticket is created well enough - at least it is possible to
extract the username with User.Identity.Name, but the role passed as
userData above seems to be empty.

Is there any way to see what the role of a current user is - without
doing a explicit match like

User.IsInRole("<some role name>")

I would like to be able to do something similar to

someLabel.Text = "Your role is: " + User.Identity.Role();

.... but I cannot find the right way to do it.

I know this is a lot of code, but can any of you see where I am missing
something?

Thanks,

 

[Jesper Stocholm]

John Saunders wrote :

Jesper,

I don't see anything wrong in your code.

Have you checked in the debugger to see that the role is always
present in global.asax?

Ehm - how do I do this? My application is not compiled to a complete dll
using codebehind, but each .aspx.cs-file is compiled (initially) at
runtime.

Another experiment might be to create your
GenericPrincipal with a new Identity, just to see if this new Identity
makes it as far as the Page_Load of one of your pages.

I will try that. It seems there is no problem with the userdata contained
in my ticket, since I am able to write oTicket.UserData to the page and
get e.g. "Administrator". Also, Page.User.Current.Identity.Name is
available - just not the role.

Thanks for your time - I must admit that I am a bit lost with this
problem, so any help is appreciated.

)

 

[John Saunders]

John Saunders wrote :


Ehm - how do I do this? My application is not compiled to a complete dll
using codebehind, but each .aspx.cs-file is compiled (initially) at
runtime.

I don't know how you debug code except in codebehind. You could use
Page.Trace.Write, but I always use codebehind, so I don't know of any other
way. Try writing out the role in global.asax.

I will try that. It seems there is no problem with the userdata contained
in my ticket, since I am able to write oTicket.UserData to the page and
get e.g. "Administrator".

When do you write it out? In global.asax? The question isn't whether it's
correct on your login page, but whether it's correct later in global.asax on
subsequent page requests.

Also, Page.User.Current.Identity.Name is
available - just not the role.

Correct. The roles are only available via IsInRole.