Forum => General ASP.NET => ASP.NET Role-based Security

1/29/2004 1:52:31 PM

Bob Hansen
Location: Wisconsin | Joined: 1/29/2004 | Posts: 9
I am trying to implement role based security for an ASP.NET web site using objects based off the IPrincipal and IIdentity interfaces. I have everything coded and password authentication works fine. My problem is that IIS will not hold on to the custom IPrincipal object and keeps returning back an authenticated IPrincipal object with my windows security set. This confuses me because I have the web.config file set up for forms based authentication and I am assigning the principal using Context.User and also setting the Authorization cookie.

Does anyone know of any good articles on setting up a secure environment using custom IPrincipal and IIdentity objects or have any clue what's going wrong? I can post "some" code if necessary but a lot of what I'm writing is proprietary.

Cheers,

Bob Hansen

1/29/2004 2:55:37 PM

Jeff
Location: Cleveland, OH, USA | Joined: 8/15/2000 | Posts: 813
The problem might be that you're not doing it on every request. That's what it takes, and it happens from global.asax. This very forum does it (source code at POP Forums).

It looks like this:

// file-level usings needed by this Global.asax.cs member
using System;
using System.Collections;
using System.Configuration;
using System.Security.Principal;
using System.Web;

// member of the Global : HttpApplication class; runs on every request
public virtual void Application_OnAuthenticateRequest(object sender, EventArgs e)
{
    if (Request.IsAuthenticated)
    {
        HttpContext context = HttpContext.Current;
        if ((context.Cache["pfuid" + context.User.Identity.Name] == null) || (ConfigurationSettings.AppSettings["PopForumsCacheData"].ToLower() != "true"))
        {
            // create a new identity, based on the login
            GenericIdentity objIdentity = new GenericIdentity(context.User.Identity.Name);
            IPopForumsData objData = PopForums.Data.Methods();
            // get the roles from the database
            ArrayList listRoles = objData.GetPeopleRoles(context.User.Identity.Name);
            string[] arrRoles = new string[listRoles.Count];
            // copy the role names out of the ArrayList into the string array
            for (int i = 0; i < listRoles.Count; i++)
                arrRoles[i] = listRoles[i].ToString();
            // put the identity and roles in a new principal
            GenericPrincipal objPrincipal = new GenericPrincipal(objIdentity, arrRoles);
            // cache it
            if (ConfigurationSettings.AppSettings["PopForumsCacheData"].ToLower() == "true")
                context.Cache.Insert("pfuid" + context.User.Identity.Name, objPrincipal, null, DateTime.Now.AddSeconds(Convert.ToDouble(ConfigurationSettings.AppSettings["PopForumsCacheSeconds"])), new TimeSpan(0));
            // bust it live
            context.User = objPrincipal;
        }
        else
        {
            context.User = (GenericPrincipal)context.Cache["pfuid" + context.User.Identity.Name];
        }
    }
}
In this example I'm caching the database hit, which gives you a pretty good performance boost.

Jeff 'Jones' Putz
POP World Media, LLC
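The same per-request pattern Jeff describes, written out with the custom IPrincipal and IIdentity classes Bob asked about in the opening post. This is an added example, not POP Forums code and not code from either poster. It assumes web.config has `<authentication mode="Forms">` with a `<forms>` element and `<authorization><deny users="?"/></authorization>`, so the FormsAuthenticationModule has already turned a valid ticket into a FormsIdentity before this handler runs; it only replaces Context.User when the identity came from the forms module, which is the check Bob's symptom (a Windows identity showing up) calls for. The ForumIdentity and ForumPrincipal types, the `principal:` cache prefix, the 600-second TTL and the in-memory role table are all assumptions; the `InvalidateCachedPrincipal` method is the cache Remove() call Jeff mentions later in the thread for when a user's roles change.

```csharp
// Global.asax.cs for an ASP.NET 1.1-era site (the API level used in the thread).
// Added example, not POP Forums code. Assumes Forms authentication is configured in web.config.
using System;
using System.Collections;
using System.Collections.Specialized;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Custom identity: carries only the name taken from the validated forms ticket. (Assumed type.)
public class ForumIdentity : IIdentity
{
    private readonly string _name;

    public ForumIdentity(string name)
    {
        if (name == null || name.Length == 0)
            throw new ArgumentException("identity name is required", "name");
        _name = name;
    }

    public string Name { get { return _name; } }
    public string AuthenticationType { get { return "Forms"; } }
    public bool IsAuthenticated { get { return true; } }
}

// Custom principal: role membership is fixed at construction and compared case-insensitively.
public class ForumPrincipal : IPrincipal
{
    private readonly IIdentity _identity;
    private readonly Hashtable _roles = CollectionsUtil.CreateCaseInsensitiveHashtable();

    public ForumPrincipal(IIdentity identity, string[] roles)
    {
        _identity = identity;
        foreach (string role in roles)
            _roles[role] = true;
    }

    public IIdentity Identity { get { return _identity; } }

    public bool IsInRole(string role)
    {
        return role != null && _roles.ContainsKey(role);
    }
}

public class Global : HttpApplication
{
    private const string CachePrefix = "principal:";   // assumed key scheme
    private const int CacheSeconds = 600;              // assumed TTL; the thread leaves this to the site owner

    // Runs on every request. Assigning Context.User here, rather than once at login,
    // is what makes the custom principal stick: the pipeline rebuilds User per request.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = HttpContext.Current;
        FormsIdentity formsIdentity = null;
        if (context.User != null)
            formsIdentity = context.User.Identity as FormsIdentity;

        // No valid forms ticket on this request (anonymous, or an identity from another
        // module): leave User alone so the <deny users="?"/> rule redirects to the login page.
        if (formsIdentity == null)
            return;

        context.User = GetPrincipal(context.Cache, formsIdentity.Name);
    }

    // Returns the cached principal, or builds one from the role store on a miss.
    public static ForumPrincipal GetPrincipal(Cache cache, string userName)
    {
        string key = CachePrefix + userName;
        ForumPrincipal cached = cache[key] as ForumPrincipal;
        if (cached != null)
            return cached;

        ForumPrincipal principal = new ForumPrincipal(new ForumIdentity(userName), LoadRoles(userName));
        cache.Insert(key, principal, null,
            DateTime.Now.AddSeconds(CacheSeconds), Cache.NoSlidingExpiration);
        return principal;
    }

    // Call this from whatever code path changes a user's roles; the next request then
    // rebuilds the principal from the store instead of reusing the stale cached one.
    public static void InvalidateCachedPrincipal(Cache cache, string userName)
    {
        cache.Remove(CachePrefix + userName);
    }

    // Constructed in-memory stand-in for the database query (GetPeopleRoles in Jeff's code).
    private static string[] LoadRoles(string userName)
    {
        Hashtable table = CollectionsUtil.CreateCaseInsensitiveHashtable();
        table["alice"] = new string[] { "Member", "Moderator" };
        table["bob"] = new string[] { "Member" };
        string[] roles = table[userName] as string[];
        return roles == null ? new string[0] : roles;
    }
}
```

Two points worth keeping in mind with this layout. The cache key is derived from the name inside the validated ticket, never from anything the client sends in a query string or form field, so a user cannot pick up another user's cached roles. And `HttpContext.Cache` lives in one worker process: on a web garden or farm, `Cache.Remove` only clears the node it runs on, and the other nodes keep serving the old role set until the TTL expires, so a role change is only guaranteed to take effect everywhere after `CacheSeconds` have passed.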

2/11/2004 11:27:06 AM

Bob Hansen
Location: Wisconsin | Joined: 1/29/2004 | Posts: 9
It seems that the problem now is that I am always authenticated. I bring up the page in debug and go through the IsAuthenticated check and I am automatically authenticated. I check the Identity for the Name property and find that it is my windows login and domain (from here at work). Anyways, I checked the web.config file and I have it set up for Forms authentication and it is specifically set up to require authentication to view pages and to redirect to a login page if the user is not authenticated. The problem is that users are always authenticated.

Bob Hansen
Manager of Web Development
JASCorp, L.L.C.
www.jasrx.com

2/11/2004 12:51:42 PM

Jeff
Location: Cleveland, OH, USA | Joined: 8/15/2000 | Posts: 813
Can you post the relevant portions of your web.config file? Also, just for fun, put a button somewhere that will call an event to FormsAuthentication.SignOut() and then see what User.Identity.Name says.

Jeff 'Jones' Putz
POP World Media, LLC

2/11/2004 4:41:19 PM

Bob Hansen
Location: Wisconsin | Joined: 1/29/2004 | Posts: 9
For some reason the problem decided to work itself out???

I went back to put that logoff button on the default.aspx page and loaded it and the login page came up! Go figure. Fricken thing works after I go off spouting off that it doesn't. Anyways I have it working and I am now putting in the custom IPrincipal and IIdentity objects and hopefully those will all work too. I'm also going to use your caching idea. I think caching the user information will save us big time on the database hits for authentication. Thanks for the help!


Bob Hansen
Manager of Web Development
JASCorp, L.L.C.
www.jasrx.com

2/12/2004 5:30:57 PM

Bob Hansen
Location: Wisconsin | Joined: 1/29/2004 | Posts: 9
I just put in the caching code into my global.asax and it works like a charm. Just a quick question about that. What do you suggest for the length of time before the cache times out?

Bob Hansen
Manager of Web Development
JASCorp, L.L.C.
www.jasrx.com

2/12/2004 9:42:05 PM

Jeff
Location: Cleveland, OH, USA | Joined: 8/15/2000 | Posts: 813
I can't answer that. There's a bit of a trade-off with caching stuff, because memory is a finite resource. If you have some way to measure how long a user spends on your site, I'd set it for something around there.

Another thing to keep in mind is that if you alter the roles a user is in, you need to call the cache's Remove() method to force the above code to look it up again from the database. I think you'll find that code in the People class of the forums.


Jeff 'Jones' Putz
POP World Media, LLC