I'm working on adding authorization to an ASP.NET MVC App and have run into a roadblock. I was finally able to get our custom membership provider wired up and get authentication working for the App. Now, as expected, if I add the [Authorize] attribute to my controllers, the user must be authenticated to view the page. I have also successfully tested [Authorize(Users="{userName}")], which also works to restrict the page to that specific user.
The problem is that [Authorize(Roles="{RoleName}")] does not seem to work as I'm expecting. If I add that attribute to a controller, anytime I try to access the corresponding page, I am redirected to our login page. This is what I would expect to have happen if the user does not have the required role, but it is happening even if the user has that role. I have checked both User.IsInRole("{roleName}") and HttpContext.Current.User.IsInRole("{roleName}") in a View, a Controller and a Helper method and this always returns 'False'.
I have verified that the users I am working with have the roles I am trying to authorize against. I have also tested these users in a WebForms App that restricts page access by the same roles, and it works fine. I figure that I have something set up wrong somewhere or am missing something simple, but after searching all morning, I haven't found anything that has gotten me any closer to the solution, so I'm hoping someone here can help me out.
HttpContext.Current.User.Identity.Name returns the name of the user that is currently logged into the application.
It's secure. It's basically the same authentication type used when you connect to a Windows server via file shares or anything else that is using Kerberos.
Create a new ASP.NET web application. A window asking what kind of web application you want to create will be displayed. Select MVC in the above window. Select the type of authentication you want for your web site by clicking on the Change Authentication button.
For building custom authentication, we use a membership provider class, which checks the user credentials (username & password), and a role provider class, which verifies the user's authorization based on his/her roles.
First: use a profiler and, when executing the HttpContext.Current.User.IsInRole("{roleName}") line, check what the SQL query is.
If it's not making a query, then you probably have cacheRolesInCookie="true" and IsInRole will be checking the FormsAuthenticationTicket for UserData. Be sure that when you create the FormsAuthenticationTicket you set the userData parameter to a comma-delimited string with the roles of the user.
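The ticket approach described in the answer above, as an added example that is not code from the thread: the roles returned by the custom role provider (passed in as a parameter here) are written into the ticket's UserData at login and turned back into a GenericPrincipal on every request, so User.IsInRole sees them. It assumes roleManager is disabled in web.config, so nothing else replaces the principal, and that AttachRoles is called from Application_PostAuthenticateRequest in Global.asax.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicketHelper
{
    // Call after the membership provider has validated the credentials.
    // The roles are joined into UserData so they travel with the auth cookie;
    // if UserData is left empty, IsInRole will always return false.
    public static void IssueTicket(HttpResponseBase response, string userName,
                                   string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // expiry, constructed sample value
            persistent,
            string.Join(",", roles),        // comma-delimited roles in UserData
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                        // not readable from script
            Secure = FormsAuthentication.RequireSSL // HTTPS-only when configured
        };
        response.Cookies.Add(cookie);
    }

    // Rebuilds the principal from the decrypted ticket. Wire it up in Global.asax:
    // protected void Application_PostAuthenticateRequest()
    //     { RoleTicketHelper.AttachRoles(HttpContext.Current); }
    public static void AttachRoles(HttpContext context)
    {
        var identity = context.User?.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        context.User = new GenericPrincipal(identity, ParseRoles(identity.Ticket.UserData));
    }

    // Empty entries are dropped so a trailing comma or stray space never yields a "" role.
    public static string[] ParseRoles(string userData)
    {
        if (string.IsNullOrWhiteSpace(userData)) return new string[0];
        return userData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                       .Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
    }
}
```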
I had a similar problem as the OP. Although this is an old post, I thought I would put what worked for me. What I found was that the role provider was disabled in the web.config. I set enabled to true and it solved my issue.
    <configuration>
      <system.web>
        <roleManager enabled="true" defaultProvider="myRoleProvider" />
      </system.web>
    </configuration>