I need some functionality in an ASP.NET MVC application and after doing some research, I feel that I have to implement custom MembershipUser, MembershipProvider, Identity and Principal. My problem is: I don't understand the relationship, if any, between MembershipUser and Identity and where exactly MembershipProvider and Principal come into the picture. Could someone please shed some light? I have seen several articles and tutorials around the web about all the four players, but none addresses the relationship between them fully.
Also: is there an elegant way of assigning the custom principal to Context.User other than during AuthenticateRequest in the Global.asax? I have seen many examples on how to do this in ASP.NET WebForms applications and I was wondering if ASP.NET MVC has a better way.
An IPrincipal is the security context which is created for each web request and contains information related to the identity of the user and roles that they have.

An IPrincipal contains an IIdentity that has a Name, an IsAuthenticated and AuthenticationType properties.

A custom MembershipProvider is a class that derives from the abstract class MembershipProvider to provide custom data about users who use your application. The provider will operate on MembershipUser types and can be used to get data for a particular user or users, create new users, etc. You can inherit from MembershipUser to create your own user type and may typically want to do this when also using your own provider.

When you access an application, an IPrincipal and IIdentity are created and assigned to HttpContext.Current.User and Thread.CurrentPrincipal to provide security information for any action that may be taken during the lifetime of the request.

If you're using a RoleProvider, then a RolePrincipal type instance is created which hooks into the configured RoleProvider to get roles for the user; if you're not using a RoleProvider then a GenericPrincipal type instance is created.

If you're using forms authentication and a user is logged in, then a FormsIdentity type instance is created; if a user is not authenticated then a GenericIdentity type instance is created. The IIdentity that is created is what ultimately will be serialized into the authentication cookie passed back to the browser and what will be used to construct the FormsAuthenticationTicket and the IIdentity on the next request.

The MembershipProvider fits into this by providing additional information about the user. The static Membership class's GetUser() method will use the current IIdentity.Name and the configured MembershipProvider to return an instance of MembershipUser (or derived class if you've defined one) containing the data about the user.

Since ASP.NET MVC is built on top of the ASP.NET processing pipeline, the place where you would want to set your own IIdentity and IPrincipal is the same. As far as I know, there is no better place in the MVC architecture to set them.
Note: this is all from memory. If I have got something wrong, please let me know and I will update.
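An added example, not part of the question or the answer above, of the hook both posts refer to: replacing the principal during AuthenticateRequest in Global.asax. The AppPrincipal class and the comma-separated role list stored in the ticket's UserData are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Hypothetical custom principal: keeps the FormsIdentity built by forms
// authentication and answers role checks from a fixed role list.
public sealed class AppPrincipal : IPrincipal
{
    private readonly string[] _roles;

    public AppPrincipal(IIdentity identity, string[] roles)
    {
        Identity = identity;
        _roles = roles;
    }

    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        return Array.IndexOf(_roles, role) >= 0; // case-sensitive match
    }
}

// Global.asax.cs
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Anonymous requests keep the default principal.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated) return;

        // Only a FormsIdentity carries a ticket; forms authentication has
        // already decrypted and validated it before this handler runs.
        var identity = Context.User.Identity as FormsIdentity;
        if (identity == null) return;

        // Assumed layout: roles were written to UserData as "role1,role2" at login.
        // Roles read this way are as old as the ticket: a role removed after
        // login stays in effect until the ticket expires.
        string[] roles = (identity.Ticket.UserData ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        var principal = new AppPrincipal(identity, roles);
        Context.User = principal;            // same object as HttpContext.Current.User
        Thread.CurrentPrincipal = principal; // keep both in step
    }
}
```

Controllers then see the custom type through User, so [Authorize(Roles = "...")] checks resolve through AppPrincipal.IsInRole.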