HttpContext.Current.User.IsInRole(roleName) always returns false

Question

I'm working on adding authorization to an ASP.NET MVC App and have run into a road block. I was finally able to get our custom membership provider wired up and get authentication working for the App. Now, as expected, if I add the [Authorize] attribute to my controllers, the user must be authenticated to view the page. I have also successfully tested [Authorize(Users="{userName}")] which also works to restrict the page to that specific user.

The problem is that [Authorize(Roles="{RoleName}")] does not seem to work as I'm expecting. If I add that attribute to a controller, anytime I try to access the corresponding page, I am redirected to our login page. This is what I would expect to have happen if the user does not have the required role, but it is happening even if the user has that role. I have checked both User.IsInRole("{roleName}") and HttpContext.Current.User.IsInRole("{roleName}") in a View, a Controller and a Helper method and this always returns 'False'.

I have verified that the users I am working with have the roles I am trying to authorize against. I have also tested these users in a WebForms App that restricts page access by the same roles and it works fine. I figure that I have something setup wrong somewhere or am missing something simple, but after searching all morning, I haven't found anything that has gotten me any closer to the solution, so I'm hoping someone here can help me out.

Answer 1

A bit of an old topic, but I had a similar problem and the cause was in:

FormsAuthentication.SetAuthCookie(string, bool)

I was using the user's identity token (Guid) as first parameter, since the code I was working with used a variable named token, but in reality it must be a valid username. I found this out after using the profiler and running the aspnetdb's stored proc manually. The MSDN doc also confirms this.

It also causes [Authorize(Roles="rolename")] to fail, even if the user is in the role, though [Authorize] works.

Answer 2

I had a similar problem as the OP. Although this is an old post, I thought I would put what worked for me. What I found was that the role provider was disabled in the web.config. I set enabled to true and it solved my issue.

<configuration>
    <system.web>
        <roleManager enabled="true" defaultProvider="myRoleProvider">

Answer 3

In case others find this question:

I encountered a similar issue and the problem was spaces in the domain group. Using whatever HttpContext.Current.User returns, calls to IsInRole() seems to compare using the pre-Windows 2000 group name which doesn't contain spaces.

In my case stripping the spaces from the group name passed to IsInRole() fixed the issue.

Here's a nifty extension method to do this:

/// <summary>
/// Removes all spaces from a string
/// </summary>
/// <param name="value">The string</param>
/// <returns>The string without spaces</returns>
public static string StripSpaces(this string value)
{
    // my test using both long and short strings showed StringBuilder 
    // to be slightly faster at this than string.Replace()

    StringBuilder b = new StringBuilder(value);

    b.Replace(" ", string.Empty);

    return b.ToString();
}

Alternatively you could use the System.DirectoryServices.AccountManagement.UserPrincipal and call IsMemberOf() which should work better with domain groups that contain spaces.

• msdn - WindowsPrincipal
• msdn - UserPrincipal

Answer 4

Try clearing out your browser cookie cache. I spent a while banging my head on a similar problem, and clearing out my cookies solved the problem.

Answer 5

First : use a profiler and when executing the HttpContext.Current.User.IsInRole("{roleName}") line, check what the sql query is.

If it's not making a query then you probably have cacheRolesInCookie="true" and IsInRole will be checking the FormsAuthenticationTicket for UserData. Be sure that when you create the FormsAuthenticationTicket you set the userdata parameter to a comma delimited string with the roles of the user.