Get Help:Ask a Question in our Forums|Report a Bug|More Help Resources
Last post May 04, 2012 02:24 PM by Ainas
May 04, 2012 01:23 PM|LINK
Hello. I have a very simple custom role provider that retrives the roles from a SQL Server database, with a custom schema.
Here's the configuration in the web.config:
<roleManager defaultProvider="CustomRoleProvider" enabled="true">
The configuration secures some sections of the site:
When the site is first launched, the custom role provider is initialized, in fact both the constructor and the overridden Initialize method are invoked, however no other method is invoked and of course even though the user has the correct role he can not
access the secured page. He gets an Access Denied.
I have tested the role provider in a very direct way: with the application in debug mode, I break in the Session_Start method of the Global.asax and from the Immediate Window I invoke the method System.Web.Security.Roles.GetRolesForUser(), which correctly
invokes the GetRolesForUser(username) of my provider passing it the correct username, and the returns the correct roles.
The web site uses Windows Identity Foundation for the authentication of the users. We have a custom STS, which is just another web site with windows authentication.
Could this be the issue?
Thank for your help
May 04, 2012 01:58 PM|LINK
Change the authorization rules such a way allow roles comes first, then deny follows that
Please post the progress.
May 04, 2012 02:24 PM|LINK
You were right, the order of the rules is important, I didn't know that.
However, that was one part of the problem, the other part being the claims authentication. I had to add this code to the Application_AuthenticateRequest method of the global.asax (credits).
protected void Application_AuthenticateRequest(object sender, EventArgs e)
if (HttpContext.Current.User != null)
var claimsIdentity = ((ClaimsIdentity)HttpContext.Current.User.Identity);
var roles = Roles.GetRolesForUser();
claimsIdentity.Claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
Apparently, if the web site uses the claim based authentication, the roles won't be automatically retrived. Probably because the application expects to find them in the claims collection.
Thanks for your help.