.NETGURU
Unanswered: Role-based forms authentication question
This message was discovered on ASPFriends.com 'aspngescalate' list.


Colm Hayden
Hi all,

I have previously posted this question to [e-mail address hidden] and received no responses so any help is appreciated.

I have been experimenting with forms based authentication and trying to assign roles to a principal but have been unable to make the principal and the assigned roles span page requests. These are the steps I have used:

1 - Using the Web.Config settings (below) requests are redirected to a login page.

<authentication mode="Forms">
    <forms
        name=".Responsian_Cookie"
        path="/"
        loginUrl="Login.aspx"
        protection="All"
        timeout="10" />
</authentication>

2 - The user is authenticated and the authentication cookie set before a redirect:
FormsAuthentication.SetAuthCookie(username, persistCookie);

3 - A new IPrincipal is created with roles read from a database
string[] roles = GetRoles(username);
IPrincipal principle = new GenericPrincipal(User.Identity, roles);

4 - The principal is assigned to the context (I have tried all three ways)

a) using Page.Context = principle;
b) using Thread.CurrentThread.Principal
c) using the global.asax

protected void FormsAuthentication_OnAuthenticate(Object sender, FormsAuthenticationEventArgs e)
{
// hardcoded
string[] roles = new string[]{"Administrator"};
GenericIdentity identity = new GenericIdentity("user");
e.User = new GenericPrincipal(identity, roles);
}

5 - On the subsequent page the role is checked:

if(User.IsInRole("Administrator"))
{
Trace.Warn("Page_Load", "User is an Administrator");
}

Results:
using (4.a), (5) evaluates to true in the same page, but not on the next page request
using (4.b), CurrentThread.CurrentThread.Principal is in the role within the same page
using (4.c), (5) evaluates to true on the requested page, but automatic redirection to the login page does not work.

Please could anyone shed some light on this for me.

Thanks in advance,
Colm

==========================
Colm Hayden
Responsian Ltd,
Tel: 028 9024 2116
Fax: 028 9050 1909
==========================
 
    
Dennis Werry
I had this problem right after beta 2 came out: here is what I and some
others on the list worked out.
I keep the roles stuffed in the user data of the ticket and retrieve them
like so.

HTH
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires upon attempting to authenticate the user
    Dim app As HttpApplication = CType(sender, HttpApplication)
    Dim ctx As HttpContext = app.Context

    If ctx.Request.IsAuthenticated Then
        Dim ck As HttpCookie
        ck = FormsAuthentication.GetAuthCookie(ctx.User.Identity.Name, False)
        Dim strName As String = ctx.User.Identity.Name
        Dim id As FormsIdentity = CType(ctx.User.Identity, FormsIdentity)
        Dim tk As FormsAuthenticationTicket = id.Ticket
        Dim newTk As FormsAuthenticationTicket = FormsAuthentication.RenewTicketIfOld(tk)

        If Not newTk Is tk Then
            Dim CookieName As String = FormsAuthentication.FormsCookieName
            ctx.Response.Cookies(CookieName).Value = FormsAuthentication.Encrypt(newTk)
        End If

        ' grab the roles from our user data (since the framework doesn't remember them for us)
        Dim strRoles As String = tk.UserData
        Dim c() As Char = {","c}
        Context.User = New GenericPrincipal(User.Identity, strRoles.Split(c))
    End If
End Sub

-----Original Message-----
From: Colm Hayden
Sent: Friday, September 14, 2001 12:14 PM
To: aspngescalate
Subject: [aspngescalate] Unanswered: Role-based forms authentication question

 
    
Colm Hayden
Hi Dennis,

Thanks for the reply. I have tried your example and it does indeed allow me to assign roles that can be read on any page request.

I have one quick question on how you populate the user data in the first place.

This is a read only property, so I imagine that it must have to be set upon construction of the FormsAuthenticationTicket.

Does this mean that I cannot use the FormsAuthentication.SetAuthCookie() method, but instead would have to create my own ticket and attach it to the cookies collection?
If so, do you have an example of how to do this?

Thanks again,

Colm

----- Original Message -----
From: Dennis Werry
To: aspngescalate
Sent: Friday, September 14, 2001 6:37 PM
Subject: [aspngescalate] RE: Unanswered: Role-based forms authentication question

 
    
Dennis Werry
Colm - glad to help.

Here is my login code - I left my login logic in (kind of) so you could see the context:

Private Sub HandleLogin()
    ' We're sticking the user's roles into the UserData
    ' field of the FormsAuthenticationTicket, so we have
    ' to do this manually, instead of using RedirectFromLoginPage().
    ' Create an auth ticket that expires when the session expires.
    Dim CookieName As String = FormsAuthentication.FormsCookieName
    Dim CookiePath As String = FormsAuthentication.FormsCookiePath
    Dim curDate As DateTime = DateTime.Now

    txtUserID.Text = txtUserID.Text.ToUpper()
    txtPassword.Text = txtPassword.Text.ToUpper()
    Configuration.UserID = txtUserID.Text
    Configuration.BaseURL = Request.Url.ToString()
    Configuration.Password = txtPassword.Text

    Dim strSchool As String = Session.Item("schoolname")
    If Not IsNothing(strSchool) AndAlso strSchool.Length > 0 Then
        Configuration.SchoolName = strSchool
    End If

    Initializer.SetState(Configuration.UserID, Configuration.Password, Configuration.SchoolName)

    ' Get the teacher id, student id, whatever id from this login id
    Dim t As New Teacher()
    If t.TestLogin(txtUserID.Text, txtPassword.Text) Then
        Configuration.Homeroom = t.Homeroom
        ' Get the roles this teacher/login to which this login is entitled
        Configuration.TeachID = t.TeachID

        Dim myTicket As New FormsAuthenticationTicket(1, t.TeachID, curDate, _
            curDate.AddMinutes(Session.Timeout), _
            False, t.StringRoles(), CookiePath)
        Dim encryptedTicket As String = FormsAuthentication.Encrypt(myTicket)
        Dim currentCookie As HttpCookie = Request.Cookies(CookieName)

        If IsNothing(currentCookie) Then
            Dim authCookie As New HttpCookie(CookieName, encryptedTicket)
            authCookie.Path = CookiePath
            Response.Cookies.Add(authCookie)
        Else
            Response.Cookies(CookieName).Value = encryptedTicket
        End If

        Dim destURL As String = Request.Params("ReturnUrl")
        If IsNothing(destURL) Then
            destURL = "Default.aspx"
        End If
        Response.Redirect(destURL)
    End If
End Sub

-----Original Message-----
From: Colm Hayden
Sent: Saturday, September 15, 2001 11:45 AM
To: aspngescalate
Subject: [aspngescalate] RE: Unanswered: Role-based forms authentication question

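A C# version of the approach worked out in this thread (roles written into the ticket's UserData at login, read back on every request), as an added example that is not code from either poster. The RoleTicket class and its method names are hypothetical, it assumes System.Web on .NET Framework 2.0 or later, and it goes slightly beyond the posts by setting the cookie flags and accepting only a local ReturnUrl before redirecting.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example; RoleTicket and its members are hypothetical names.
public static class RoleTicket
{
    // Login page: issue a ticket whose UserData carries the roles.
    public static void Issue(HttpContext ctx, string userName, string[] roles, int minutes)
    {
        foreach (string r in roles)
            if (r.IndexOf(',') >= 0)
                throw new ArgumentException("Role names must not contain the separator.");

        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddMinutes(minutes), false,
            String.Join(",", roles), FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket according to <forms protection="...">.
        // With "All" (as in the Web.config above) it is encrypted and validated,
        // so the client cannot edit the role list without invalidating the ticket.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // follows <forms requireSSL>
        ctx.Response.Cookies.Add(cookie);
    }

    // Redirect target after login: only a path on this site, otherwise the fallback.
    public static string SafeReturnUrl(string returnUrl, string fallback)
    {
        if (String.IsNullOrEmpty(returnUrl)) return fallback;
        bool local = returnUrl[0] == '/'
            && (returnUrl.Length == 1 || (returnUrl[1] != '/' && returnUrl[1] != '\\'));
        return local ? returnUrl : fallback;
    }

    // Application_AuthenticateRequest: rebuild the principal from the ticket.
    public static void Attach(HttpContext ctx)
    {
        if (ctx.User == null) return;
        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;

        // An empty UserData (for example a ticket from SetAuthCookie) means no roles.
        string data = id.Ticket.UserData;
        string[] roles = String.IsNullOrEmpty(data) ? new string[0] : data.Split(',');
        ctx.User = new GenericPrincipal(id, roles);
    }
}
```

Roles stored this way stay fixed until the ticket expires, so a role removed in the database takes effect only when a new ticket is issued.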
 
 