.NETGURU
Role authorization in Beta 2
This message was discovered on ASPFriends.com 'aspngsec' list.
Responses highlighted in red are from those people who are likely to be able to contribute good, authoritative information to this discussion. They include Microsoft employees, MVPs and others who IMHO contribute well to these kinds of discussions.

Ryan S
Hey all,

I know this has been a frequently discussed issue, and I've spent most of
the night poring through the archives found in this group, and have seen
many helpful answers. The only problem is (and of course, there's always a
problem, elsewise I would not be writing this) - I have not been able to get
them to work.

I previously (more like 4 months ago) wrote in with this problem, and
Erik Olson graciously provided me with the following snippet of code:
// global.asax
<%@ Import Namespace="System.Security.Principal" %>

<script language="C#" runat=server >

// assume that some other form of auth is happening and we're
// handling this event just to tack on role information
void Application_OnAuthenticateRequest(Object src, EventArgs e) {
    HttpContext ctx = HttpContext.Current;
    // make sure some earlier form of auth has occurred (ctx.User is null otherwise)
    // this user is in the "role1" and "role2" roles
    // do your role resolution here based on ctx.User.Identity
    if( ctx != null && ctx.User != null && ctx.User.Identity != null ) {
        ctx.User = new GenericPrincipal(ctx.User.Identity,
            new string[]{"role1", "role2"});
    }
}
</script>

    Later on, there was a discussion about FormsAuthentication_OnAuthenticate
having null references to the identity object, and thus the
Application_OnAuthenticateRequest method was suggested, again with more code
provided by Erik Olson, shown below:

<%@ Import Namespace="System.Security.Principal" %>
<script language="vb" runat=server >
Sub Application_OnAuthenticateRequest(src As Object, e As EventArgs)
    Dim app As HttpApplication = CType(src, HttpApplication)
    Dim ctx As HttpContext = app.Context

    ' only do this if auth has already applied
    If ctx.Request.IsAuthenticated Then
        ctx.User = New GenericPrincipal(ctx.User.Identity, _
            New String() {"role1", "role2"})
    End If
End Sub

    However, I've been unable to get either method to successfully work. My goal
is to hook into a database to provide the list of roles. I've read the
article at http://www.asp-zone.com/articles/ck100800/ck100800.asp, and
attempted to implement that strategy. Below is the resultant code from my
Global.asax:

<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Security.Principal" %>
<script language="VB" runat="server">

' note the type of the second argument here; the replies below address it
Public Sub Application_OnAuthenticateRequest(Source as Object, e as FormsAuthenticationEventArgs)

    Dim app as HttpApplication = CType(Source, HttpApplication)
    Dim ctx as HttpContext = app.Context

    ' only resolve roles once an earlier module has authenticated the user
    If ctx.Request.IsAuthenticated Then

        Dim UserDB as LovesPYT.Users = New LovesPYT.Users
        Dim myRoles as ArrayList = new ArrayList()
        Dim UserID as String = ctx.User.Identity.Name

        ' copy each RoleName row into the list, then release the reader
        Dim myReader as SqlDataReader = UserDB.GetRoles(cint(UserID))
        Do While (myReader.Read())
            myRoles.Add(CStr(myReader("RoleName")))
        Loop
        myReader.Close()

        ' GenericPrincipal expects a String(), so convert the ArrayList
        ctx.User = New GenericPrincipal(ctx.User.Identity, _
            CType(myRoles.ToArray(GetType(String)), String()))

    End If

End Sub

</script>

    However, if I utilize forms authentication, and log on and call
FormsAuthentication.RedirectFromLoginPage(userID, True), it appears that the
OnAuthenticateRequest event does not fire. I can measure this by calling the
same method which returns the data reader - LovesPYT.Users.GetRoles() - and
+= the results of each row into a label. However, if I test if
User.IsInRole for one of the roles listed, it consistently returns false.

    I know before B2, many people would refer to the IBuySpy Portal, but as
this is apparently undergoing upgrades to Beta 2, I do not have access to
those code resources. If someone could suggest a method, preferably in
VB.NET, on how to add these roles, or to point out where my tragic flaw in
the code is, I would greatly appreciate it.

God bless,
    Ryan

Tom Cabanski
Your signature for _OnAuthenticateRequest is incorrect. Use Public Sub
Application_OnAuthenticateRequest(Source as Object, e as
FormsAuthenticationEventArgs) instead. This should work fine. I know
it works for me with beta2.

The signature you're using is for FormsAuthentication_OnAuthenticate.
It works a bit differently.

Thanks
TFC

-----Original Message-----
From: Ryan S
Sent: Sunday, June 24, 2001 12:33 PM
To: aspngsec
Subject: [aspngsec] Role authorization in Beta 2

| [aspngsec] member = YOUR ID
| http://www.asplists.com/asplists/aspngsec.asp = JOIN/QUIT
| http://www.asplists.com/search = SEARCH Archives

Ryan S
Tom,

    Thanks immensely for your help. I must have left the
FormsAuthenticationEventArgs as a carry over from when it was
FormsAuthentication_OnAuthenticate. I changed it simply to EventArgs and the
program apparently runs great now :) Thanks for pointing out my fairly
stupid mistake :)

God bless,
    Ryan

-----Original Message-----
From: Tom Cabanski
Sent: Sunday, June 24, 2001 3:40 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Dennis Werry
Ryan,

Doesn't this seem like it will hit the database way too often?

I want to do something similar, but would like to have the roles saved in
the cookie as well and have the architecture check the roles for me (just
like it would if I had entered them in the web.config manually).

When I set a breakpoint in the code at the AuthenticateRequest event, it
gets hit way too often to insert a database query.

Seems like the architecture would handle the roles for us after we look them
up once. The security model is so sweet, I'd hate to think that I'd have to
encumber it with a database lookup on every page... or am I missing
something simple?

What do you think?

Dennis

-----Original Message-----
From: Ryan S
Sent: Sunday, June 24, 2001 10:15 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Tom Cabanski
There is a way to stash the roles in the authentication cookie. I saw
an example at TechEd. Unfortunately, dummy me assumed it would be
available to download. Too bad I can only get the slides.

Note that you certainly can't use session stuff because the session is
unavailable to the event.

Maybe someone knows the answer. I'm planning to figure it out when I
have spare time (ha ha).

TFC

-----Original Message-----
From: Dennis Werry
Sent: Monday, June 25, 2001 5:34 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2


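Added example (not code from this thread, from Erik Olson, or from any project mentioned in it): a C# version of the approach Dennis and Tom describe above, where the role list is looked up from the database once at login, stored in the forms-authentication ticket's UserData, and rebuilt into a GenericPrincipal in Application_AuthenticateRequest on every request without touching the database. It also covers the lookup itself that Ryan's original message asks about, with a parameterized query and the reader rows copied into a String array. The table dbo.UserRoles, the appSettings key RolesDb, the 30-minute ticket lifetime and the class name RoleCookieAuth are assumptions made for this example; the login page is assumed to have verified the password by its own means before calling IssueTicket.

```csharp
// ASP.NET (System.Web) forms authentication, Global.asax + login page side.
// Added example; assumptions (not on the page): a table dbo.UserRoles(UserName, RoleName),
// an appSettings key "RolesDb" holding the connection string, and a login page that has
// already verified the password before calling IssueTicket.
using System;
using System.Collections;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleCookieAuth
{
    // Separator used inside the ticket's UserData; role names must not contain it.
    const char RoleSeparator = '|';

    // Hits the database exactly once, at login, with a parameterized query so the
    // user name is never concatenated into SQL. Rows are copied into a string[].
    public static string[] LookupRoles(string userName)
    {
        ArrayList roles = new ArrayList();
        string connStr = ConfigurationSettings.AppSettings["RolesDb"]; // assumed key
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT RoleName FROM dbo.UserRoles WHERE UserName = @UserName", conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0)); // RoleName assumed NOT NULL
            }
        }
        return (string[])roles.ToArray(typeof(string));
    }

    // Called from the login page after the credentials have been verified.
    // The roles travel in the ticket's UserData; FormsAuthentication.Encrypt both
    // encrypts and MACs the ticket, so the client cannot edit the role list.
    public static void IssueTicket(HttpResponse response, string userName, bool persistent)
    {
        string[] roles = LookupRoles(userName);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(30),    // expiration (assumed lifetime)
            persistent,
            String.Join(RoleSeparator.ToString(), roles),
            FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        if (persistent)
            cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
        response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    // Wire this from Global.asax:
    //   void Application_AuthenticateRequest(object sender, EventArgs e)
    //   { RoleCookieAuth.AttachRoles(HttpContext.Current); }
    // Session state is not available at this stage of the pipeline, so the roles
    // must come from the ticket the FormsAuthenticationModule has already validated.
    public static void AttachRoles(HttpContext ctx)
    {
        if (ctx == null || !ctx.Request.IsAuthenticated) return;
        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null) return;   // some other authentication module set the user
        string userData = identity.Ticket.UserData;
        string[] roles = userData.Length == 0
            ? new string[0]
            : userData.Split(RoleSeparator);
        // Replace the module's role-less principal with one carrying the cached roles,
        // so User.IsInRole and <authorization> roles= checks work with no DB round trip.
        ctx.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the ticket is MAC-checked by FormsAuthenticationModule before this handler runs, a tampered or expired cookie never reaches AttachRoles, and Identity.Name can be trusted. The trade-off Ryan raises still holds: a role revoked in the database stays in force until the ticket expires or is reissued, so keep the ticket lifetime short or reissue the ticket when a user's roles change.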
Ryan S
While I have VS.NET, I haven't used it much so I haven't experienced the
breakpoints to see how often it's fired. If it's fired on every page, I
agree, that's way too much to be decent. The whole point of the database
lookups is of course to store it so you have to avoid that. I remember during
the reading that one of the Microsofties who read this list said they were
looking to place some method between authentication and authorization so
that the FormsAuthenticationEventArgs would return an IPrincipal, but I
guess since B2 is feature complete, this will not be so.

    I have yet to work with the cookies on .NET, and I'm wondering what the
trade-off in performance would be between cookies and sessions.
Understandably, the sessions would time out, but this would allow the
database to be updated without having to check each request to compare the
cookie against the database to see if there's been updates. Did I make sense
there?

    I assume the logical thing to do would be to populate the rows from the
datareader into the array. Without trying to stray too off topic, is there
some method like GetRows that you might know of off hand? I do plan to check
the docs later.

    Returning to the original topic - How often does OnAuthenticateRequest
fire? Every page? Every time the Security Principal is accessed? Every time
a user logs in? This will help me in determining whether I should seek
alternate methods re: performance issues.

God bless,
    Ryan

-----Original Message-----
From: Dennis Werry [mailto:Click here to reveal e-mail address]
Sent: Monday, June 25, 2001 6:34 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Ryan,

Doesn't this seem like it will hit the database way too often?

I want to do something similar, but would like to have the roles saved in
the cookie as well and have the architecture check the roles for me (just
like it would if I had entered them in the web.config manually).

When I set a breakpoint in the code at the AuthenticateRequest event, it
gets hit way too often to insert a database query.

Seems like the architecture would handle the roles for us after we look them
up once. The security model is so sweet, I'd hate to think that I'd have to
encumber it with a database lookup on every page. .... or am I missing
something simple?

What do you think?

Dennis

-----Original Message-----
From: Ryan S [mailto:Click here to reveal e-mail address]
Sent: Sunday, June 24, 2001 10:15 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Tom,

    Thanks immensely for your help. I must have left the
FormsAuthenticationEventArgs as a carry over from when it was
FormsAuthentication_OnAuthenticate. I changed it simply to EventArgs and the
program apparently runs great now :) Thanks for pointing out my fairly
stupid mistake :)

God bless,
    Ryan

-----Original Message-----
From: Tom Cabanski [mailto:Click here to reveal e-mail address]
Sent: Sunday, June 24, 2001 3:40 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Your signature for _OnAuthenticateRequest is incorrect. Use Public Sub
Application_OnAuthenticateRequest(Source as Object, e as
FormsAuthenticationEventArgs) instead. This should work fine. I know
it works for me with beta2.

The signature you're using is for FormsAuthentication_OnAuthenticate.
It works a bit differently.

Thanks
TFC


| [aspngsec] member Click here to reveal e-mail address = YOUR ID
| http://www.asplists.com/asplists/aspngsec.asp = JOIN/QUIT
| http://www.asplists.com/search = SEARCH Archives


Mitch Denny (VIP)
How about making use of the ASP.NET Cache to reduce the hits
on the database? If you grab the current context you could
push these values into the cache. That way you would be able
to tune the system without changing too much code as well.

What do you think?

----------------------------------------
- Mitch Denny
- http://www.warbyte.com
- Click here to reveal e-mail address
- +61 (414) 610-141
-

[Original message clipped]

Ryan S
Mitch,

    Are you suggesting caching the datareader per-user, or per-site?


Mitch Denny (VIP)
Ryan,

No I am suggesting storing the role information in
the cache, not the actual data access mechanism.

In fact, I'd possibly layer up a solution that when
a list of roles is requested, the class first checks
the cache for that information, if it doesn't exist
there then it pulls it out of the database, updates
the cache and returns the list.

You'd have to set up the caching policy so that it
would force the role details to be updated every
once in a while.

So out of your authentication/authorization framework
you'd just receive a collection/array of roles and
you wouldn't have to think about data readers at all
in your day to day code.

----------------------------------------
- Mitch Denny
- http://www.warbyte.com
- Click here to reveal e-mail address
- +61 (414) 610-141
-

[Original message clipped]

Dennis Werry
Mitch, et al,

Thanks for the tips (I'll look into the cache idea - I did not know that we
could "push" other things into the cache).

However, my original question still perplexes me. Seems to me that a system
that claimed to support role based security and which can remember the
current user's identity should be able to remember his/her current roles as
well. I'm sure that I can conjure up a way to remember the roles, but I'd
rather not do something that the system was already doing (or at least
should be doing).

I was pretty impressed with the security model and was glad to throw away
all of the code I was going to use to manage security. I just don't want
to write it if it is already there. No use re-inventing the wheel.

Thanks again for your input,

Dennis


Tom Cabanski
Much easier to stuff the roles into the cookie.


Tom Cabanski
There is a user data field associated with the forms authentication
cookie. I saw an example at TechEd of building the authentication
ticket manually, stuffing the roles into the user data portion of the
ticket, encoding the ticket into the authentication cookie and going on.
Unfortunately, I don't have a copy of the example. My understanding was
that it was going to be posted on the conference site but no joy as of
yet.

Anyway, this method would be slick and would solve all the problems you
guys are talking about because the authentication cookie is certainly
available at the time of the event. Perhaps someone knows where to
handle the FormsAuthenticationTicket? Perhaps someone else that went to
TechEd has the example?

Thanks
TFC


Dennis Werry
Ryan,

It appears to fire on every page, every time. I hoped that maybe it would
be first time or something to help, but no.... every time.

I'd be happy putting it into the authentication cookie / user data - if I
could find the appropriate place to insert it. It seems that on the login
page, just before redirection is not the time. Would have been the perfect
place, too.

It should not be this tough to complete the puzzle. Sheesh! <g>

Seems like they presented us with a banquet but are going to make us eat
crackers while observing the feast. <g>

Thanks all who replied. I'll keep looking and if I find something, I'll
post it.

Dennis

-----Original Message-----
From: Ryan S [mailto:Click here to reveal e-mail address]
Sent: Monday, June 25, 2001 6:48 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

While I have VS.NET, I haven't used it much so I haven't experienced the
breakpoints to see how often it's fired. If it's fired on every page, I
agree, that's way too much to be decent. The whole point of the database look
ups is of course to store it so you have to avoid that. I remember during
the reading that one of the Microsofties who read this list said they were
looking to place some method between authentication and authorization so
that the FormsAuthenticationEventArgs would return an IPrincipal, but I
guess since B2 is feature complete, this will not be so.

    I have yet to work with the cookies on .NET, and I'm wondering what the
trade off in performance would be between cookies and sessions.
Understandably, the sessions would time out, but this would allow the
database to be updated without having to check each request to compare the
cookie against the database to see if there's been updates. Did I make sense
there?

    I assume the logical thing to do would be to populate the rows from the
datareader in to the array. Without trying to stray too off topic, is there
some method like GetRows that you might know of off hand? I do plan to check
the docs later.

    Returning to the original topic - How often does OnAuthenticateRequest
fire? Every page? Every time the Security Principal is accessed? Every time
a user logs in? This will help me in determining whether I should seek
alternate methods re: performance issues.

God bless,
    Ryan

-----Original Message-----
From: Dennis Werry [mailto:Click here to reveal e-mail address]
Sent: Monday, June 25, 2001 6:34 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Ryan,

Doesn't this seem like it will hit the database way too often?

I want to do something similar, but would like to have the roles saved in
the cookie as well and have the architecture check the roles for me (just
like it would if I had entered them in the web.config manually).

When I set a breakpoint in the code at the AuthenticateRequest event, it
gets hit way too often to insert a database query.

Seems like the architecture would handle the roles for us after we look them
up once. The security model is so sweet, I'd hate to think that I'd have to
encumber it with a database lookup on every page. .... or am I missing
something simple?

What do you think?

Dennis

-----Original Message-----
From: Ryan S [mailto:Click here to reveal e-mail address]
Sent: Sunday, June 24, 2001 10:15 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Tom,

    Thanks immensely for your help. I must have left the
FormsAuthenticationEventArgs as a carry over from when it was
FormsAuthentication_OnAuthenticate. I changed it simply to EventArgs and the
program apparently runs great now :) Thanks for pointing out my fairly
stupid mistake :)

God bless,
    Ryan


Tom Cabanski
You'll also need "using System.Text" in the login form or login handling
object to get to the StringBuilder class as shown in the code.

-----Original Message-----
From: Tom Cabanski
Sent: Tuesday, June 26, 2001 12:31 PM
To: 'aspngsec'
Subject: RE: [aspngsec] RE: Role authorization in Beta 2

Still can't get the TechEd sample but I just figured out how to stick
roles in the cookie. My code uses a class called CSecurityUser in a
helper dll to drive the actual authentication so I have to use
System.Web.HttpContext to get at context. It should work just fine
inside a form as well. This example assumes you have the following
usings:

using System.Web.Security;
using System.Web;

First, in the login form, after you've authenticated the password do
this:

//Generate the default ticket
//In my case the user name is represented as <org>\<user>
FormsAuthenticationTicket Ticket = FormsAuthentication.Decrypt(
    FormsAuthentication.GetAuthCookie(m_OrganizationName + @"\" + m_UserLoginName, false).Value);

//Build a new ticket based on the old ticket and add-in the roles as user data
//My example already stashed a comma-delimited list of roles into m_Roles
FormsAuthenticationTicket NewTicket = new FormsAuthenticationTicket(Ticket.Version, Ticket.Name,
    Ticket.IssueDate, Ticket.Expiration, Ticket.IsPersistent, m_Roles, Ticket.CookiePath);

//Build a cookie based on the encrypted ticket and inject into the response
HttpCookie Cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
    FormsAuthentication.Encrypt(NewTicket));
Cookie.Path = FormsAuthentication.FormsCookiePath;
HttpContext.Current.Response.Cookies.Add(Cookie);

//Redirect to the proper page
HttpContext.Current.Response.Redirect(FormsAuthentication.GetRedirectUrl(NewTicket.Name, false));

Then, in global.asax, stick in something like the following. Note that
you'll need the same usings as above:

protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.Request.IsAuthenticated)
    {
        //Get the roles out of the cookie
        FormsAuthenticationTicket Ticket = FormsAuthentication.Decrypt(
            Context.Request.Cookies[FormsAuthentication.FormsCookieName].Value);
        string Roles = Ticket.UserData;

        //Change the identity to include the roles
        //(GenericPrincipal also needs "using System.Security.Principal;")
        Context.User = new GenericPrincipal(User.Identity, Roles.Split(','));
    }
}

I've tested it here and it works great -- no database I/O on each
Application_AuthenticateRequest required. I'd be very interested to
learn of any functions in the run-time that would make this a bit more
elegant. It just seems annoying to have to copy a new ticket from the
generated ticket, add the user data, manually inject the cookie and
manually redirect. Obviously, I could make a helper class but I'm
wondering if there is something built-in that I missed.

Enjoy
TFC
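The two steps Tom describes (issue a ticket with the roles in UserData, then rebuild the principal from it on every request) folded into the helper class he mentions, as an added example that is not code from the thread. It assumes an ASP.NET application on .NET Framework 2.0 or later (System.Web); the class and method names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper (added example): issuing a forms ticket with roles in
// UserData, and turning that UserData back into a principal on each request.
public static class RoleTicketHelper
{
    const char Separator = ',';

    // Login page, after the credentials have been verified: issue the forms
    // ticket with the user's roles carried in UserData, then redirect.
    public static void IssueTicketAndRedirect(HttpContext ctx, string userName,
                                              string[] roles, bool persistent)
    {
        foreach (string role in roles)
        {
            // The roles travel as a comma-delimited list, so a role name that
            // contains the separator would silently split into two roles.
            if (role.IndexOf(Separator) >= 0)
                throw new ArgumentException("role name contains '" + Separator + "'", "roles");
        }

        // Let the framework build the default ticket (version, timeout and
        // cookie path come from web.config), then copy it with UserData filled in.
        HttpCookie baseCookie = FormsAuthentication.GetAuthCookie(userName, persistent);
        FormsAuthenticationTicket baseTicket = FormsAuthentication.Decrypt(baseCookie.Value);

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            baseTicket.Version, baseTicket.Name, baseTicket.IssueDate, baseTicket.Expiration,
            baseTicket.IsPersistent, string.Join(Separator.ToString(), roles),
            baseTicket.CookiePath);

        // Encrypt() both encrypts and MACs the ticket under the machineKey, so the
        // browser can neither read the roles nor alter them without detection.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.HttpOnly = true;                          // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL from web.config
        if (persistent)
            cookie.Expires = ticket.Expiration;          // otherwise a session cookie
        ctx.Response.Cookies.Add(cookie);

        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, persistent), false);
    }

    // Application_AuthenticateRequest: turn the ticket's UserData back into roles.
    // Returns null when the request is not forms-authenticated so the caller
    // leaves HttpContext.User untouched in that case.
    public static IPrincipal PrincipalWithRoles(HttpContext ctx)
    {
        // FormsAuthenticationModule has already decrypted and validated the
        // cookie (MAC, expiry) and attached the ticket to a FormsIdentity, so
        // there is no need to call Decrypt() a second time here.
        FormsIdentity identity = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return null;

        string userData = identity.Ticket.UserData;
        string[] roles = string.IsNullOrEmpty(userData)
            ? new string[0]
            : userData.Split(Separator);

        // The roles are a snapshot taken at login: a membership change in the
        // database only takes effect once the user signs in again.
        return new GenericPrincipal(identity, roles);
    }
}

// global.asax.cs
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal principal = RoleTicketHelper.PrincipalWithRoles(Context);
        if (principal != null)
            Context.User = principal;
    }
}
```

A GenericPrincipal built this way is what User.IsInRole and the roles= attribute of web.config <authorization> entries check against, so no further per-page code is needed.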

-----Original Message-----
From: Dennis Werry [mailto:Click here to reveal e-mail address]
Sent: Tuesday, June 26, 2001 11:30 AM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Ryan,

It appears to fire on every page, every time. I hoped that maybe it
would
be first time or something to help, but no.... everytime.

I'd be happy putting it into the authentication cookie / user data - if
I
could find the appropriate place to insert it. It seems that on the
login
page, just before redirection is not the time. Would have been the
perfect
place, too.

It should not be this tough to complete the puzzle. Sheesh! <g>

Seems like they presented us with a banquet but are going to make us eat
crackers while observing the feast. <g>

Thanks all who replied. I'll keep looking and if I find something, I'll
post it.

Dennis

-----Original Message-----
From: Ryan S [mailto:Click here to reveal e-mail address]
Sent: Monday, June 25, 2001 6:48 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

While I have VS.NET, I haven't used it much so I haven't experienced the
breakpoints to see how often its fired. If it's fired on every page, I
agree, that's way to much to be decent. The whole point of the database
look
ups is of course to store it so you have to avoid that. I remember
during
the reading that one of the Microsofties who read this list said they
were
looking to place some method between authentication and authorization so
that the FormsAuthenticationEventArgs would return an IPrincipal, but I
guess since B2 is feature complete, this will not be so.

    I have yet to work with the cookies on .NET, and I'm wondering
what the
trade off in performance would be between cookies and sessions.
Understandably, the sessions would time out, but this would allow the
database to be updated without having to check each request to compare
the
cookie against the database to see if theres been updates. Did I make
sense
there?

    I assume the logical thing to do would be to populate the rows
from the
datareader in to the array. Without trying to stray too off topic, is
there
some method like GetRows that you might know of off hand? I do plan to
check
the docs later.

    Returning to the original topic - How often does
OnAuthenticateRequest
fire? Every page? Every time the Security Principal is accessed? Every
time
a user logs in? This will help me in determining whether I should seek
alternate methods re: performance issues.

God bless,
    Ryan

-----Original Message-----
From: Dennis Werry [mailto:Click here to reveal e-mail address]
Sent: Monday, June 25, 2001 6:34 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Ryan,

Doesn't this seem like it will hit the database way too often?

I want to do something similar, but would like to have the roles saved
in
the cookie as well and have the architecture check the roles for me
(just
like it would if I had entered them in the web.config manually).

When I set a breakpoint in the code at the AuthenticateRequest event, it
gets hit way too often to insert a database query.

Seems like the architecture would handle the roles for us after we look
them
up once. The security model is so sweet, I'd hate to think that I'd
have to
encumber it with a database lookup on every page. .... or am I missing
something simple?

What do you think?

Dennis

-----Original Message-----
From: Ryan S [mailto:Click here to reveal e-mail address]
Sent: Sunday, June 24, 2001 10:15 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Tom,

    Thanks immensely for your help. I must have left the
FormsAuthenticationEventArgs as a carry over from when it was
FormsAuthentication_OnAuthenticate. I changed it simply to EventArgs and
the
program apparently runs great now :) Thanks for pointing out my fairly
stupid mistake :)

God bless,
    Ryan

-----Original Message-----
From: Tom Cabanski [mailto:Click here to reveal e-mail address]
Sent: Sunday, June 24, 2001 3:40 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Your signature for _OnAuthenticateRequest is incorrect. Use Public Sub
Application_OnAuthenticateRequest(Source as Object, e as
FormsAuthenticationEventArgs) instead. This should work fine. I know
it works for me with beta2.

The signature you're using is for FormsAuthentication_OnAuthenticate.
It works a bit differently.

Thanks
TFC

-----Original Message-----
From: Ryan S [mailto:Click here to reveal e-mail address]
Sent: Sunday, June 24, 2001 12:33 PM
To: aspngsec
Subject: [aspngsec] Role authorization in Beta 2

Hey all,

I know this has been a frequently discussed issue, and I've spent
most of
the night poring through the archives found in this group, and have seen
many helpful answers. The only problem is (and of course, theres always
a
problem, elsewise I would not be writing this) - I have not been able to
get
them to work.

I previously (more like 4 months ago) wrote in with this problem, and
Erik Olson graciously provided me with the following snippit of code:
// global.asax
<%@ Import Namespace=3D"System.Security.Principal" %>

<script language=3D"C#" runat=3Dserver >

// assume that some other form of auth is happening and we're //
handling
this event just to tack on role information
void Application_OnAuthenticateRequest(Object src, EventArgs e) {
HttpContext ctx =3D HttpContext.Current;
    // make sure some earlier form of auth has occurred
// this user is in the "role1" and "role2" roles
// do your role resolution here based on ctx.User.Identity
if( ctx !=3D null && ctx.User.Identity !=3D null ) {
     HttpContext.Current.User =3D new
GenericPrincipal(ctx.User.Identity,
new string[]{"role1", "role2"});
}
}
</script>

    Later on, the discussion about
FormsAuthentication_OnAuthenticate having
null references to the identity object, and thus the
Application_OnAuthenticateRequest method was suggested, again with more
code
provided by Erik Olson, provided below:

<%@ Import Namespace=3D"System.Security.Principal" %>
<script language=3D"vb" runat=3Dserver >
Sub Application_OnAuthenticateRequest(src As Object, e As EventArgs)
    Dim app As HttpApplication =3D CType(src, HttpApplication)
    Dim ctx As HttpContext =3D app.Context

    ' only do this if auth has already applied
    If ctx.Request.IsAuthenticated
        ctx.User =3D New GenericPrincipal(ctx.User.Identity, new
string() {"role1", "role2"})
    End If
End Sub

    However, I've been unable to get either method to sucessfully
work. My goal
is to hook in to a database to provide the list of roles. I've read the
article at http://www.asp-zone.com/articles/ck100800/ck100800.asp, and
attempted to implement that strategy. Below is the resultant code from
my
Global.asax:

<%@ Import Namespace=3D"System.Data" %>
<%@ Import Namespace=3D"System.Data.SqlClient" %>
<%@ Import Namespace=3D"System.Security.Principal" %>
<script language=3D"VB" runat=3D"server">

Public Sub Application_OnAuthenticateRequest(Source as Object, e as
FormsAuthenticationEventArgs)

Dim app as HttpApplication =3D CType(Source, HttpApplication)
Dim ctx as HttpContext =3D app.Context

If ctx.Request.IsAuthenticated

Dim UserDB as LovesPYT.Users =3D New LovesPYT.Users
Dim myRoles as ArrayList =3D new ArrayList()
Dim UserID as String =3D ctx.User.Identity.Name

Dim myReader as SqlDataReader =3D =
UserDB.GetRoles(cint(UserID))
Do While (myReader.Read())
myRoles.Add(myReader("RoleName"))
Loop

ctx.User =3D New GenericPrincipal(ctx.User.Identity,
myRoles.ToArray(userID.GetType))

End If

End Sub

</script>

    However, if I utilize forms authentication, and log on and call
FormsAuthentication.RedirectFromLoginPage(userID, True), it appears that
the
OnAuthenticateRequest event does not fire. I can measure this by calling
the
same method which returns the data reader - LovesPYT.Users.GetRoles() -
and
+=3D the results of each row in to a label. However, if I test if
User.IsInRole for one of the roles listed, it consistently returns
false.

    I know before B2, many people would refer to the IBuySpy Portal, but as
this is apparently undergoing upgrades to Beta 2, I do not have access to
those code resources. If someone could suggest a method, preferably in
VB.NET, on how to add these roles, or to point out where my tragic flaw in
the code is, I would greatly appreciate it.

God bless,
    Ryan

| [aspngsec] member = YOUR ID
| http://www.asplists.com/asplists/aspngsec.asp = JOIN/QUIT
| http://www.asplists.com/search = SEARCH Archives

Joel Mueller
Folks,

Here's some sample code for storing a user role in the authentication
cookie. In this sample, the user's role is a bitmask enumerator, so I'm
casting it to an int and then converting that to a string before storing
it in the authentication ticket. Watch for line wraps.

This first snippet shows how to store the user roles in the
authentication cookie.

<snippet language="C#" source="login page">
// username and password have already been validated

// We're sticking the user's roles into the UserData
// field of the FormsAuthenticationTicket, so we have
// to do this manually, instead of using RedirectFromLoginPage().

// Create an auth ticket that expires when the session expires.
string CookieName = FormsAuthentication.FormsCookieName;
string CookiePath = FormsAuthentication.FormsCookiePath;
DateTime curDate = DateTime.Now;
FormsAuthenticationTicket myTicket = new FormsAuthenticationTicket(1,
    thisUser.UserID.ToString(), curDate,
    curDate.AddMinutes(Session.Timeout), false,
    ((int)thisUser.Roles).ToString(), CookiePath);
string encryptedTicket = FormsAuthentication.Encrypt(myTicket);
HttpCookie currentCookie = Request.Cookies[CookieName];
if (currentCookie == null)
{
    HttpCookie authCookie = new HttpCookie(CookieName, encryptedTicket);
    authCookie.Path = CookiePath;
    Response.Cookies.Add(authCookie);
}
else
    Response.Cookies[CookieName].Value = encryptedTicket;

string destURL = Request.Params["ReturnUrl"];
if (destURL == null)
    destURL = "Default.aspx";

Response.Redirect(destURL);
</snippet>

This next snippet comes from an HttpModule that hooks into the
HttpApplication.AuthenticateRequest event.

<snippet language="C#" source="AuthenticateRequest HttpModule">
private void Application_Authenticate(object sender, EventArgs e)
{
    HttpApplication application = (HttpApplication)sender;
    HttpContext context = application.Context;

    if (context.Request.IsAuthenticated)
    {
        // get the user's roles from the UserData field of the
        // FormsAuthenticationTicket
        FormsIdentity thisUser = (FormsIdentity)context.User.Identity;
        FormsAuthenticationTicket thisTicket = thisUser.Ticket;
        // Now that we have the ticket, we can access the UserData.
        // Cast the UserData to our custom roles enumerator
        UserRoles currentRoles = (UserRoles)Int32.Parse(thisTicket.UserData);

        // update authentication cookie to prevent timeout
        FormsAuthenticationTicket newTicket = FormsAuthentication.RenewTicketIfOld(thisTicket);
        if (newTicket != thisTicket)
        {
            string CookieName = FormsAuthentication.FormsCookieName;
            context.Response.Cookies[CookieName].Value = FormsAuthentication.Encrypt(newTicket);
        }

        context.User = new MyPrincipal(thisUser, currentRoles);
    }
}
</snippet>

This should be enough to get you started. Hope it helps!

    - Joel
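
As an added example (my own code, not Joel's snippets, the list's or any project's), here is one way to fill in the `UserRoles` enum and the `MyPrincipal` class his module refers to but does not show, under the hypothetical names `RolePrincipal` and `RoleModule` with made-up role values. The principal answers `IsInRole` from the bitmask, which is what lets `<allow roles="..."/>` in web.config and `User.IsInRole()` work without the per-request database lookup Dennis objects to; the module rebuilds the principal from the ticket's UserData on every request.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical role bitmask; the login page stores its integer value in UserData.
[Flags]
public enum UserRoles { None = 0, Reader = 1, Editor = 2, Admin = 4 }
// IPrincipal answering IsInRole from the bitmask, so User.IsInRole() and
// URL authorization (<allow roles="Editor"/> in web.config) both work.
public class RolePrincipal : IPrincipal
{
    private readonly IIdentity identity;
    private readonly UserRoles roles;
    public RolePrincipal(IIdentity identity, UserRoles roles)
    {
        this.identity = identity;
        this.roles = roles;
    }
    public IIdentity Identity { get { return identity; } }
    public bool IsInRole(string role)
    {
        try
        {
            UserRoles wanted = (UserRoles)Enum.Parse(typeof(UserRoles), role, true);
            return wanted != UserRoles.None && (roles & wanted) == wanted;
        }
        catch (ArgumentException) { return false; } // unknown role name: not in role
    }
}
// HttpModule standing in for the page's MyPrincipal hookup; register it
// under <httpModules> in web.config.
public class RoleModule : IHttpModule
{
    public void Init(HttpApplication app) { app.AuthenticateRequest += new EventHandler(OnAuthenticate); }
    public void Dispose() { }
    private void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        FormsIdentity id = ctx.User == null ? null : ctx.User.Identity as FormsIdentity;
        if (id == null) return; // not forms-authenticated on this request
        // With <forms protection="All"> (the default) UserData travels inside an encrypted,
        // MAC-protected ticket, so the browser cannot edit it; a role change in the
        // database only shows up after the user logs in again and gets a fresh ticket.
        UserRoles roles;
        try { roles = (UserRoles)Int32.Parse(id.Ticket.UserData); }
        catch (FormatException) { roles = UserRoles.None; }
        ctx.User = new RolePrincipal(id, roles);
    }
}
```

A login page writes `((int)roles).ToString()` into the ticket exactly as Joel's first snippet does; the module then makes the stored roles visible to authorization without any database round trip.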

-----Original Message-----
From: Dennis Werry
Sent: Tuesday, June 26, 2001 11:30 AM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Ryan,

It appears to fire on every page, every time. I hoped that maybe it would
be first time or something to help, but no.... every time.

I'd be happy putting it into the authentication cookie / user data - if I
could find the appropriate place to insert it. It seems that on the login
page, just before redirection is not the time. Would have been the perfect
place, too.

It should not be this tough to complete the puzzle. Sheesh! <g>

Seems like they presented us with a banquet but are going to make us eat
crackers while observing the feast. <g>

Thanks all who replied. I'll keep looking and if I find something, I'll
post it.

Dennis

-----Original Message-----
From: Ryan S
Sent: Monday, June 25, 2001 6:48 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

While I have VS.NET, I haven't used it much so I haven't experienced the
breakpoints to see how often it's fired. If it's fired on every page, I
agree, that's way too much to be decent. The whole point of the database
lookups is of course to store it so you have to avoid that. I remember during
the reading that one of the Microsofties who read this list said they were
looking to place some method between authentication and authorization so
that the FormsAuthenticationEventArgs would return an IPrincipal, but I
guess since B2 is feature complete, this will not be so.

    I have yet to work with the cookies on .NET, and I'm wondering what the
trade off in performance would be between cookies and sessions.
Understandably, the sessions would time out, but this would allow the
database to be updated without having to check each request to compare the
cookie against the database to see if there's been updates. Did I make sense
there?

    I assume the logical thing to do would be to populate the rows from the
datareader into the array. Without trying to stray too off topic, is there
some method like GetRows that you might know of off hand? I do plan to check
the docs later.

    Returning to the original topic - How often does OnAuthenticateRequest
fire? Every page? Every time the Security Principal is accessed? Every time
a user logs in? This will help me in determining whether I should seek
alternate methods re: performance issues.

God bless,
    Ryan

-----Original Message-----
From: Dennis Werry
Sent: Monday, June 25, 2001 6:34 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Ryan,

Doesn't this seem like it will hit the database way too often?

I want to do something similar, but would like to have the roles saved in
the cookie as well and have the architecture check the roles for me (just
like it would if I had entered them in the web.config manually).

When I set a breakpoint in the code at the AuthenticateRequest event, it
gets hit way too often to insert a database query.

Seems like the architecture would handle the roles for us after we look them
up once. The security model is so sweet, I'd hate to think that I'd have to
encumber it with a database lookup on every page. .... or am I missing
something simple?

What do you think?

Dennis

-----Original Message-----
From: Ryan S
Sent: Sunday, June 24, 2001 10:15 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Tom,

    Thanks immensely for your help. I must have left the
FormsAuthenticationEventArgs as a carry over from when it was
FormsAuthentication_OnAuthenticate. I changed it simply to EventArgs and the
program apparently runs great now :) Thanks for pointing out my fairly
stupid mistake :)

God bless,
    Ryan

-----Original Message-----
From: Tom Cabanski
Sent: Sunday, June 24, 2001 3:40 PM
To: aspngsec
Subject: [aspngsec] RE: Role authorization in Beta 2

Your signature for _OnAuthenticateRequest is incorrect. Use Public Sub
Application_OnAuthenticateRequest(Source as Object, e as
FormsAuthenticationEventArgs) instead. This should work fine. I know
it works for me with beta2.

The signature you're using is for FormsAuthentication_OnAuthenticate.
It works a bit differently.

Thanks
TFC

-----Original Message-----
From: Ryan S
Sent: Sunday, June 24, 2001 12:33 PM
To: aspngsec
Subject: [aspngsec] Role authorization in Beta 2
