Using Principal.GenericPrincipal vs SqlRoleProvider

Dave

Hi, I created my own Users, Roles, & UserRoles table in my SQL DB. I'm
using the following code to associate the user's roles from what's in my
tables.

Snippet 1
----------
// In a page base class, load the user's roles for subsequent IsInRole
// security checks, where userRoles is an array of roleIds pulled from the
// UserRole table.

Context.User = new
    System.Security.Principal.GenericPrincipal(Context.User.Identity, userRoles);

Snippet 2
----------
I then check the user's role later in the page.
if (Context.User.IsInRole("Admin"))
{
    // enable some controls here...
}

However, it seems I always have to run Snippet #1 since the user's role
context is not persistent between requests.

I then see that the SqlRoleProvider is designed to do this and apparently
you can cache the roles specifying the roleManager cookie in the web.config.

My question is whether SqlRoleProvider has essentially replaced the method
I'm using? My method is more basic in terms of what I've added to the
database but if I can't persist the user's context in any way, is it too
inefficient? If I need to track additional user columns I'm guessing I just
tweak the tables/procs created by regaspnet_regsql.
 
Guest

Hi Dave,

1) You can add your code in the Application_AuthenticateRequest event
handler.
2) You can cache roles in the cookies to avoid multiple requests to the DB.

Basically it could look like the following:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    const string cookieKey = "roles";
    string[] roles = new string[] {};

    // Create the roles cookie if it doesn't exist yet for this session.
    if (Request.Cookies[cookieKey] == null ||
        Request.Cookies[cookieKey].Value == String.Empty)
    {
        // Get roles from UserRoles table, and add to cookie
        roles = ...

        // Create a cookie authentication ticket.
        // UserData is a single string, so the roles are stored comma-separated.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            ....
            String.Join(",", roles)
        );

        // Encrypt the ticket
        String cookieStr = FormsAuthentication.Encrypt(ticket);

        // Create a cookie and add the encrypted ticket to the cookie as data.
        HttpCookie authCookie = new HttpCookie(cookieKey, cookieStr);

        // Add the cookie to the outgoing cookies collection.
        Response.Cookies.Add(authCookie);
    }
    else
    {
        FormsAuthenticationTicket ticket =
            FormsAuthentication.Decrypt(Context.Request.Cookies[cookieKey].Value);

        // Split the comma-separated UserData back into a roles array.
        roles = ticket.UserData.Split(',');
    }

    // Add your own custom principal to the request containing the roles
    // in the auth ticket
    Context.User = new GenericPrincipal(Context.User.Identity, roles);
}

After that you will be able to use Context.User.IsInRole.

Hope this helps
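
A variant of the handler in the reply above, added here as an example and not code from either poster: it trusts the cached roles only when the decrypted ticket is unexpired and was issued to the current user, and it sets HttpOnly/Secure on the cookie. `LoadRolesFromDb`, the 20-minute lifetime and the comma-separated role format (role names without commas) are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string RolesCookie = "roles";   // cookie name used in the reply above
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20); // assumed cache lifetime

    // Hypothetical helper: replace the body with a query against your own UserRoles table.
    private static string[] LoadRolesFromDb(string userName) { return new string[0]; }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;
        string name = user.Identity.Name;
        string[] roles = null;

        HttpCookie cookie = Request.Cookies[RolesCookie];
        if (cookie != null && !string.IsNullOrEmpty(cookie.Value))
        {
            try
            {
                FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
                // Accept cached roles only from an unexpired ticket issued to this same user.
                if (t != null && !t.Expired &&
                    string.Equals(t.Name, name, StringComparison.OrdinalIgnoreCase))
                    roles = t.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
            }
            catch (Exception) { } // tampered or undecryptable cookie: fall back to the database
        }

        if (roles == null) // no usable cookie: reload from the database and reissue it
        {
            roles = LoadRolesFromDb(name);
            var ticket = new FormsAuthenticationTicket(1, name, DateTime.Now,
                DateTime.Now.Add(Lifetime), false, string.Join(",", roles));
            var fresh = new HttpCookie(RolesCookie, FormsAuthentication.Encrypt(ticket));
            fresh.HttpOnly = true;                     // not readable from page script
            fresh.Secure = Request.IsSecureConnection; // Secure flag when served over HTTPS
            Response.Cookies.Add(fresh);
        }

        Context.User = new GenericPrincipal(user.Identity, roles);
    }
}
```

Role changes made in the database take effect only when the cached ticket expires, so the lifetime bounds how long a revoked role stays usable.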
 
