I want to use the the AuthorizeAttribute to control which users are allowed access to my actions. I just want to clarify that my logic is in order. <ol> <li>I create my own implementation of IPrincipal</li> <li>I post a user's credentials to a login action of a security controller.</li> <li>I validate the credentials with a UserService class and assign the IPrincipal returned from my UserService class to HttpContext.User</li> <li>My WebAuthorizeAttribute, which inherits AuthorizeAttribute, checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine if the user has access to the action.</li> </ol> Is the the normal flow of things? I know I could inherit MembershipProvider, but I don't need all of the functionality there, really just the ability to login with two different roles.

You'll have to store IPrincipal somewhere and restore it with every request. If you'll use FormsAuthentication, this is good solution: ASP.NET 2.0 Forms authentication - Keeping it customized yet simple you can find other solutions here: Where to store logged user information on ASP.NET MVC using Forms Authentication? and propably in many other StackOverflow questions:) EDIT About MyBusinessLayerSecurityClass.CreatePrincipal(id, id.Name): You should read this page: http://msdn.microsoft.com/en-us/library/aa480476.aspx Specially this: <blockquote> The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. You should allow forms authentication to manage these tasks for you. If your applications have specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event. The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects. Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext. User property. </blockquote> FormsIdentity is managed automatically after you set authentication cookie. All you have to do is wrap it up in your IPrincipal. All this happens when HttpContext.Current.User property is not null (it is GenericPrincipal, which you replace shortly after). When HttpContext.Current.User is null then there was no authentication cookie created earlier and user is not authenticated.

ASP.Net MVC Memberships

I want to use the the AuthorizeAttribute to control which users are allowed access to my actions. I just want to clarify that my logic is in order.

I create my own implementation of IPrincipal
I post a user's credentials to a login action of a security controller.
I validate the credentials with a UserService class and assign the IPrincipal returned from my UserService class to HttpContext.User
My WebAuthorizeAttribute, which inherits AuthorizeAttribute, checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine if the user has access to the action.

Is the the normal flow of things? I know I could inherit MembershipProvider, but I don't need all of the functionality there, really just the ability to login with two different roles.

Is ASP NET MVC discontinued?

ASP.NET MVC is no longer in active development.

Is ASP.NET better than MVC?

MVC is lightweight framework with clear separation between code and HTML. It has following major benefits. Business logic is stored in a single state called model where in traditional asp.net platform, each page has its own business logic making it complex.

What is membership in C#?

Class members, in C#, are the members of a class that represent the data and behavior of a class. Class members are members declared in the class and all those (excluding constructors and destructors) declared in all classes in its inheritance hierarchy.

You'll have to store IPrincipal somewhere and restore it with every request. If you'll use FormsAuthentication, this is good solution:

ASP.NET 2.0 Forms authentication - Keeping it customized yet simple

you can find other solutions here:

Where to store logged user information on ASP.NET MVC using Forms Authentication?

and propably in many other StackOverflow questions:)

EDIT

About MyBusinessLayerSecurityClass.CreatePrincipal(id, id.Name):

You should read this page:

http://msdn.microsoft.com/en-us/library/aa480476.aspx

Specially this:

The FormsAuthenticationModule class constructs a GenericPrincipal object and stores it in the HTTP context. The GenericPrincipal object holds a reference to a FormsIdentity instance that represents the currently authenticated user. You should allow forms authentication to manage these tasks for you. If your applications have specific requirements, such as setting the User property to a custom class that implements the IPrincipal interface, your application should handle the PostAuthenticate event. The PostAuthenticate event occurs after the FormsAuthenticationModule has verified the forms authentication cookie and created the GenericPrincipal and FormsIdentity objects. Within this code, you can construct a custom IPrincipal object that wraps the FormsIdentity object, and then store it in the HttpContext. User property.

FormsIdentity is managed automatically after you set authentication cookie. All you have to do is wrap it up in your IPrincipal. All this happens when HttpContext.Current.User property is not null (it is GenericPrincipal, which you replace shortly after). When HttpContext.Current.User is null then there was no authentication cookie created earlier and user is not authenticated.

ASP.Net MVC Memberships

Tags:

asp.net-mvc

membership

scottm

People also ask

1 Answers

LukLed

Recent Activity

Donate For Us

ASP.Net MVC Memberships

Tags:

asp.net-mvc

membership

scottm

People also ask

1 Answers

LukLed

Related questions

Recent Activity

Donate For Us