Ainas
Custom role provider not invoked
May 04, 2012 01:23 PM
Hello. I have a very simple custom role provider that retrieves the roles from a SQL Server database, with a custom schema.
Here's the configuration in the web.config:
<roleManager defaultProvider="CustomRoleProvider" enabled="true">
  <providers>
    <clear />
    <remove name="AspNetSqlRoleProvider"/>
    <add name="CustomRoleProvider"
         type="MyApp.Web.Infrastructure.Security.CustomRoleProvider"
         connectionStringName="MyConnectionString"
         applicationName="/MyApp"
         writeExceptionsToEventLog="false" />
  </providers>
</roleManager>
The configuration secures some sections of the site:
<location path="UnitManagement.aspx">
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow roles="SuperUser"/>
    </authorization>
  </system.web>
</location>
When the site is first launched, the custom role provider is initialized; in fact, both the constructor and the overridden Initialize method are invoked. However, no other method is invoked, and of course, even though the user has the correct role, he cannot access the secured page. He gets an Access Denied.
I have tested the role provider in a very direct way: with the application in debug mode, I break in the Session_Start method of the Global.asax and from the Immediate Window I invoke the method System.Web.Security.Roles.GetRolesForUser(), which correctly invokes the GetRolesForUser(username) of my provider, passing it the correct username, and it returns the correct roles.
The web site uses Windows Identity Foundation for the authentication of the users. We have a custom STS, which is just another web site with windows authentication.
Could this be the issue?
Thanks for your help
sukumarraju
Re: Custom role provider not invoked
May 04, 2012 01:58 PM
Change the authorization rules in such a way that allow roles comes first, then deny follows that:
http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx
Please post the progress.
Thanks,
Ainas
Re: Custom role provider not invoked
May 04, 2012 02:24 PM
You were right, the order of the rules is important, I didn't know that.
However, that was one part of the problem, the other part being the claims authentication. I had to add this code to the Application_AuthenticateRequest method of the global.asax (credits).
// Needs System.Linq, System.Web.Security and the WIF claims types
// (Microsoft.IdentityModel.Claims).
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    if (HttpContext.Current.User != null)
    {
        var claimsIdentity = ((ClaimsIdentity)HttpContext.Current.User.Identity);
        if (claimsIdentity.IsAuthenticated)
        {
            // Ask the configured role provider for the current user's roles
            var roles = Roles.GetRolesForUser();
            // and copy each one onto the identity as a role claim.
            claimsIdentity.Claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        }
    }
}
Apparently, if the web site uses claims-based authentication, the roles won't be automatically retrieved. Probably because the application expects to find them in the claims collection.
Thanks for your help.
Best regards
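
The rule-order behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of first-match evaluation of an authorization block, run against the posted rules and the reordered ones. It is not ASP.NET's own code; the user names alice and bob, the exact-match comparison and the fall-through default are assumptions.

```python
import xml.etree.ElementTree as ET

# <authorization> block as posted in the question (deny listed first).
POSTED = """<authorization>
  <deny users="*"/>
  <allow roles="SuperUser"/>
</authorization>"""

# Same rules in the order suggested in the reply (allow listed first).
REORDERED = """<authorization>
  <allow roles="SuperUser"/>
  <deny users="*"/>
</authorization>"""


def _names(value):
    """Split a comma-separated users/roles attribute into a set."""
    return {n.strip() for n in (value or "").split(",") if n.strip()}


def rule_matches(rule, user, roles):
    """True if this <allow>/<deny> element applies to the caller.
    Simplified: exact string comparison, verbs attribute ignored."""
    users = _names(rule.get("users"))
    if "*" in users:                   # "*" means every user
        return True
    if user is None:                   # "?" means anonymous users
        return "?" in users
    return user in users or bool(_names(rule.get("roles")) & set(roles))


def is_authorized(authorization_xml, user, roles):
    """Walk the rules top to bottom; the first matching rule decides."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # assumption: the inherited default is <allow users="*"/>


def demo():
    """Both orderings, for a constructed SuperUser and a user with no roles
    (which is also how a principal without role claims looks)."""
    cases = [("alice", ["SuperUser"]), ("bob", [])]  # constructed users
    return {(label, user): is_authorized(xml, user, roles)
            for label, xml in (("posted", POSTED), ("reordered", REORDERED))
            for user, roles in cases}


if __name__ == "__main__":
    print(demo())
```

With the posted order the deny rule matches first, so even the SuperUser is refused; with the reordered rules the SuperUser is allowed only if the role is actually visible on the principal.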