snopims
Authentication, implementation role
Dec 19, 2012 09:04 AM
Hi,
In my application (Framework 4), I use security with roles and web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="User.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="RoleAutorise.aspx">
    <system.web>
      <authorization>
        <allow roles="AdministrateurPrincipal" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="RoleNonAutorise.aspx">
    <system.web>
      <authorization>
        <allow roles="AdministrateurSecondaire" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
My authentication uses Forms mode:
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" defaultUrl="~/Default.aspx" name="compte" />
</authentication>
I use personal roles, and I wish to define these roles. How would you do my implementation?
First method: a personalized RoleProvider
<roleManager enabled="true" defaultProvider="DispositifRoleProvider">
  <providers>
    <clear />
    <add name="DispositifRoleProvider" type="WebApplication1.DispositifRoleProvider" applicationName="/"/>
  </providers>
</roleManager>
Second method: use Application_PostAuthenticateRequest in Global.asax
// Global.asax.cs; needs: using System.Security.Principal; using System.Threading;
//                        using System.Web; using System.Web.Security;
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if (HttpContext.Current.User.Identity is FormsIdentity)
            {
                FormsIdentity id = (FormsIdentity)HttpContext.Current.User.Identity;
                FormsAuthenticationTicket ticket = id.Ticket;
                // Get the stored user-data, in this case, our roles
                string userData = ticket.UserData;
                string[] roles = userData.Split(',');
                // Replace the principal so that <allow roles="..."> and IsInRole see these roles
                HttpContext.Current.User = Thread.CurrentPrincipal = new GenericPrincipal(HttpContext.Current.User.Identity, roles);
            }
        }
    }
}
What is the best practice?
Another question: I don't have access to Session. To implement roles, must I use FormsAuthenticationTicket to store the roles, or another method?
Thanks, Arnaud
BrockAllen
Re: Authentication, implementation role
Dec 19, 2012 02:14 PM
Maybe this will help:
http://brockallen.com/2012/05/23/think-twice-about-using-roleprovider/
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
mitaGreen
Re: Authentication, implementation role
Dec 24, 2012 02:26 AM
Hi,
BrockAllen has replied to the first question well. Please see the link he gives.
You can try to save it in a cookie. However, it is not recommended.
http://stackoverflow.com/questions/4736209/is-caching-roles-in-cookies-secure
Best wishes,
BrockAllen
Re: Authentication, implementation role
Dec 24, 2012 03:22 AM
Caching values in a cookie can be secure:
http://brockallen.com/2012/06/21/use-the-machinekey-api-to-protect-values-in-asp-net/
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
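
The login-side counterpart of the Application_PostAuthenticateRequest handler in the question, as an added example that is not code from any poster in this thread: it writes the roles into the ticket's UserData and lets FormsAuthentication protect the cookie. The class name RoleTicket, the method SignIn and the rule that role names contain no commas are assumptions made for the example.

```csharp
using System;
using System.Web;
using System.Web.Security;

public static class RoleTicket   // hypothetical helper, not from the thread
{
    // Call only after the credentials have been verified. 'roles' comes from
    // the application's own store (assumption: names contain no commas,
    // because the reading side splits UserData on ',').
    public static void SignIn(HttpResponse response, string userName, string[] roles)
    {
        foreach (string role in roles)
        {
            if (role.IndexOf(',') >= 0)
                throw new ArgumentException("Role names must not contain ','", "roles");
        }

        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1,                                     // ticket version
            userName,
            now,
            now.Add(FormsAuthentication.Timeout),  // timeout from the <forms> element
            false,                                 // session cookie, not persistent
            string.Join(",", roles),               // UserData, read back in Global.asax
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the <forms protection="..."> setting. The default,
        // "All", encrypts and MACs the ticket with the machineKey, so the
        // client can neither read nor alter the role list.
        string protectedTicket = FormsAuthentication.Encrypt(ticket);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, protectedTicket)
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL>
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }
}
```

Roles cached this way stay in effect until the ticket expires or is reissued; with timeout="2880" a role removed on the server can remain usable for up to 48 hours.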