Reputation: 28699
ASP.Net MVC Memberships
I want to use the the AuthorizeAttribute to control which users are allowed access to my actions. I just want to clarify that my logic is in order.
- I create my own implementation of IPrincipal
- I post a user's credentials to a login action of a security controller.
- I validate the credentials with a UserService class and assign the IPrincipal returned from my UserService class to HttpContext.User
- My WebAuthorizeAttribute, which inherits AuthorizeAttribute, checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine if the user has access to the action.
Is the the normal flow of things? I know I could inherit MembershipProvider, but I don't need all of the functionality there, really just the ability to login with two different roles.
Upvotes: 5
Views: 1002
Answers (2)
Reputation: 31882
You'll have to store IPrincipal somewhere and restore it with every request. If you'll use FormsAuthentication, this is good solution:
ASP.NET 2.0 Forms authentication - Keeping it customized yet simple
you can find other solutions here:
Where to store logged user information on ASP.NET MVC using Forms Authentication?
and propably in many other StackOverflow questions:)
EDIT
About MyBusinessLayerSecurityClass.CreatePrincipal(id, id.Name):
You should read this page:
http://msdn.microsoft.com/en-us/library/aa480476.aspx
Specially this:
The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. You should allow forms authentication to manage these tasks for you. If your applications have specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event. The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects. Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext. User property.
FormsIdentity is managed automatically after you set authentication cookie. All you have to do is wrap it up in your IPrincipal. All this happens when HttpContext.Current.User property is not null (it is GenericPrincipal, which you replace shortly after). When HttpContext.Current.User is null then there was no authentication cookie created earlier and user is not authenticated.
Upvotes: 4
Reputation: 7426
I believe the following is more typical:
- I create my own implementation of IPrincipal
- I post a user's credentials to a login action of a security controller.
- I validate the credentials with a UserService class and construct a cookie that has some identifying information for this user. Typically FormsAuthentication.SetAuthCookie or some combination of that class's utility methods are used.
- In the Application AuthenticateRequest event, inspect the cookie and assign Context.User. Note: This value is automatically assigned to Thread.CurrentPrincipal after the AuthenticateRequest event. This is a one-time assignment and these values are not automatically synchronized thereafter.
- My WebAuthorizeAttribute, which inherits AuthorizeAttribute, checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine if the user has access to the action.
Upvotes: 2
Related Questions
- How to do Membership in ASP.NET MVC?
- ASP.NET MVC Membership Roles
- Asp.net MVC Membership starter kit
- ASP.NET MVC MEMBERSHIP
- asp.net membership with MVC4
- Membership and asp.net MVC
- ASP.NET MVC2 + Membership
- ASP.NET MVC membership
- ASP.NET MVC Membership: how can I create/configure it?
- How to handle membership in an ASP.NET MVC application?