Search results matching tag 'IPrincipal'

Custom RoleProvider and Custom Principal

french_duke — Sun, 25 May 2008 04:00:00 GMT

Hi folks

I am implementing asp.net 2.0 roles and authentication for the first time so bear with me if my ideas are a bit mixed-up!

I have written a CustomRoleProvider class which overrides all the necessary members required to use my custom datastore for user roles - and this appears to be working great. Next, I posted asking how to store extra information for my user as I require access to a userId (representing the primary key from my users table), companyId and company name (similar database columns).

I was advised to create a Custom Principal class (implementing the IPrincipal interface), and to add properties to this class to store the data I need, then on the Application_AuthenticateRequest event I initialise my CustomPrincipal object, sending in the data from the database. Here is the code:

CustomPrincipal.cs

public class CustomPrincipal : IPrincipal
{
    #region "Private member variables"

    private IIdentity _identity;
    private int _userId;
    private int _companyId;
    private string _companyName;

    #endregion

    #region "Public member properties"

    public IIdentity Identity
    {
        get
        {
            return _identity;
        }
    }

    public int UserId
    {
        get
        {
            return _userId;
        }
        set
        {
            _userId = value;
        }
    }

    public int CompanyId
    {
        get
        {
            return _companyId;
        }
        set
        {
            _companyId = value;
        }
    }

    public string CompanyName
    {
        get
        {
            return _companyName;
        }
        set
        {
            _companyName = value;
        }
    }

    #endregion

    public CustomPrincipal(IIdentity identity, int userId, int companyId, string companyName)
    {
        _identity = identity;
        _userId = userId;
        _companyId = companyId;
        _companyName = companyName;
    }

    // IPrincipal Implementation
    public bool IsInRole(string role)
    {
        //How do I implement this?
        return true;
    }

}

Global.asax

protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];

        if (authCookie == null)
            return;

        FormsAuthenticationTicket authTicket = null;
        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch
        {
            return;
        }

        if (authTicket == null)
            return;
        
        //Get extra user data from database
        UserClass u = new UserClass(); //BLL object
        int userId = 0;
        int companyId = 0;
        string companyName = string.Empty;

        FormsIdentity id = new FormsIdentity(authTicket);

        UserDataSet.UserDataTable users = u.GetUserByName(id.Name);

        if (users.Rows.Count > 0)
        {
            UserDataSet.UserRow user = (UserDataSet.UserRow)users.Rows[0];
            userId = user.UserID;
            
            if (!user.IsCompanyIDNull())
            {
                companyId = user.CompanyID;
                companyName = user.CompanyName;
            }
        }
        
        // This principal will flow throughout the request.
        CustomPrincipal principal = new CustomPrincipal(id, userId, companyId, companyName);
        // Attach the new principal object to the current HttpContext object
        Context.User = principal;
    }

My questions are:

1. How do I implement the IsInRole(string role) method of the CustomPrincipal? Have I now made my CustomRolePovider redundant?

2. By getting the user data on every page load (which seems to be how often the Application_AuthenticateRequest event is fired) I am making an extra round-trip to the database. Is there a more efficient but equally secure way of persisting this data?

3. Finally, should I really be creating a custom Principal to hold the extra properties, or should it really be a custom Identity?

Sorry if this is a lengthy problem - I hope someone has the patience to read it!

Thanks in advance!

Re: Role Based Windows Authentication

CharlesF — Fri, 11 Apr 2008 04:00:00 GMT

Sounds like what you need is to use a sitemap provider for your menu and have security trimming enabled.

This should get you started in the right direction...

http://msdn2.microsoft.com/en-us/library/system.web.sitemapprovider.aspx

http://msdn2.microsoft.com/en-us/library/system.web.xmlsitemapprovider.aspx

http://msdn2.microsoft.com/en-us/library/ms227425.aspx

Here's my design, if you're interested (not sure this is the best way or not, I'm self-taught):

First, I create custom Roles and manage them in my database. Then I allow roles access to directories and files in my application via the web.config, like this...

  <location path="roles.aspx">
    <system.web>
      <authorization>
        <allow roles="ManageRoles"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  
  <location path="groups.aspx">
    <system.web>
      <authorization>
        <allow roles="ManageGroups"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="users.aspx">
    <system.web>
      <authorization>
        <allow roles="ManageUsers"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

Note: You don't have to create custom roles, you can put in the Windows Group names like this...

If you choose to not use custom roles, then you may want to consider adding this to your web.config...

The trick is getting those roles assigned to the current logged in windows user.

To do this, I create a Global Application Class (global.asax) and within the Application_PostAuthenticateRequest() event I have code that does the work necessary to build an ArrayList of Roles that the user should be in.

Once I have the ArrayList (named "UserRoles") populated with the names of the roles I want to assign to the current user, I create a GenericPrinciple and assign it to the Context.User and System.Threading.Thread.CurrentPrinciple, as shown below:

                ' Convert ArrayList of Objects into an Array of Strings
                ReDim aryRoles(UserRoles.Count)
                UserRoles.CopyTo(aryRoles)

                ' Assign new principle to the system security Context and Thread for THIS user
                Context.User = New System.Security.Principal.GenericPrincipal(Context.User.Identity, aryRoles)
                System.Threading.Thread.CurrentPrincipal = New System.Security.Principal.GenericPrincipal(Context.User.Identity, aryRoles)

Note: I also make sure to put the windows groups the user is currently in, into that list or roles as well.

Here's a way to get the names of the roles a user is in... (this is way faster than Active Directory)

        Dim sb As StringBuilder = New StringBuilder
        Dim WinId As IIdentity = User.Identity
        Dim userId As WindowsIdentity = DirectCast(WinId, WindowsIdentity)
        sb.Append("<br /><b>Windows Groups</b> for: " & userId.Name)
        Dim irefGroups As IdentityReferenceCollection = userId.Groups.Translate(GetType(NTAccount))
        Dim idRef As NTAccount
        For i As Integer = 0 To irefGroups.Count - 1
            idRef = irefGroups(i)
            sb.Append("<br />" & idRef.ToString)
        Next
        Label1.Text = sb.ToString()

I know, my method is a little complex. But I do it because my intranet web applications are "products" that I sell to clients. They set up their sites and they are not all that technical. So I need to be able to provide them a web interface that they can use to authorize users easily either by the Windows User Account name (domain\user) or Windows Group name (domain\group). With thousands of possible users, Forms authentication was out of the question. (What a nightmare for a non-technical person to have to deal with). In my method, they can utilize pre-existing windows groups and be up and running quickly.

Hope this helps.

Associate Business Logic to Current User/Does it still make sence to Extend User and IPrinciple in 2.0

dwilliams459 — Wed, 07 Nov 2007 05:00:00 GMT

I am looking for the best way associate business objects to the current user of the website. I am guessing the best way to do this is to extend the Identity.User object (i.e. extend the user object to include properties such as User.ID, User.Company. etc.). A search for a solution reveals a number of discussions and articles about extending IPrinciple etc, but most of these seems old and related to 1.1. I do not know if this is still the best method in 2.0. I utilized P&P IPrinciple in the 1.1 days, but have not looked at it since. Can someone please let me know if extending IPrinciple is still the best way to map your business objects to your current user? If not can you please point me in a better direction? In either case can you please provide a link to a 2.0 based article if you know of one?

Thanks very much. I am a little rusty when it comes to security and 2.0

Defaultnetworkcredential are empty

Groslot — Fri, 10 Aug 2007 04:00:00 GMT

I have a web apps on a win 2003 server that access a web services on a different web server 2003. When everything is on the same machine it works but when I split them I got a HTTP status 401: Unauthorized. I have impersonate set to true and using <authentication mode="Windows"/>. The apps has its own web site and owns application pool running with a domain account identity. I have done the delegation (setspn -a http/servername domainname\myaccount) of the account and I have also done the aspnet_regiis - ga domainname\myaccount.

If fact I have two apps, one is working and the other one not. They both work with basic authentication. It is really a kerberos security contaxt not transfer. The only different between the 2 appps is one we use the "add web reference" which create the wdsl stuff and the other one is the manuual way of doing it by using the SoapHttpClientProtocol. At the webservice server it seen the failing apps present itself with no credential because in the event log I have fail logon mentioning bad username or password and the username field is empty.

here the stack trace:

[WebException: The request failed with HTTP status 401: Unauthorized.]
   System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) +533199
   System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) +204
   NPG.Framework.EntityWSProxy.EntityWSProxy.InvokeWebMethod(String name, Object[] parameters) +664
   CSA.MDB.EntityWSProxy.EntityWSProxy.GetMissionBrowserPages(String fileName) +79
   CSA.MDB.WebIntranet.TestWS.Button1_Click(Object sender, EventArgs e) +506
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
   System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5102

Anyone has hint for me. I'm not a programmer so be indulgent. I'm a system admin helping our programmers.

Re: PageMethods

Fredrik K — Tue, 24 Oct 2006 04:00:00 GMT

Page.User is merely a convenience property that wraps System.Threading.Thread.CurrentPrincipal, which is static, so just access that instead :)

SerializationException when Casting Context.User to my Custom Principal object

sontek — Fri, 08 Sep 2006 04:00:00 GMT

I'm getting this error randomly on my site:

Exception Details: System.Runtime.Serialization.SerializationException: Type is not resolved for member 'Authentication.CustomPrincipal,OrchidAuthentication, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'.

By random meaning I can surf around before it'll crash and then most of the time I can hit refresh and it'll work just fine again. I have an HttpModule that sets the context.User to my principal on begin request.