Re: Need help improving authorization
From: Joe Fallon (jfallon1_at_nospamtwcny.rr.com)
Date: 07/22/04
- Next message: Joe Fallon: "Re: Session State not working"
- Previous message: Craig Deelsnyder: "Re: Why i get this error: Response is not available in this context"
- In reply to: AndiV: "Need help improving authorization"
- Next in thread: AndiV: "Re: Need help improving authorization"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 21 Jul 2004 23:34:41 -0400
The Principal and Identity objects are supposed to implement IsInRole so
that you can always have that information handy for each user.
===========================================
In my Principal class I have:
'Implements the IsInRole method defined by IPrincipal.
Public Function IsInRole(ByVal Role As String) As Boolean Implements IPrincipal.IsInRole
    Return mIdentity.IsInRole(Role)
End Function
===========================================
In my Identity class I have code like this (air code)
Private mRoles As New ArrayList

Friend Function IsInRole(ByVal role As String) As Boolean
    Return mRoles.Contains(role)
End Function

'get user roles
dr = DAL.ExecuteReader(myDAO.GetRoles())
While dr.Read
    'GetString takes a column ordinal, so resolve it from the column name
    mRoles.Add(dr.GetString(dr.GetOrdinal("role")))
End While
==============================
In Global.asax AcquireRequestState you attach your Principal to the thread
and you now have the Roles available through your User object. If you cast it
to your custom Principal object you have any other data you extracted that
is useful (like Name, UserID, etc.)
Private Sub Global_AcquireRequestState(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AcquireRequestState
    If Not Session("myPrincipal") Is Nothing Then
        'Attach the principal cached in Session to the thread and the request
        Thread.CurrentPrincipal = CType(Session("myPrincipal"), MyCustomPrincipal)
        HttpContext.Current.User = CType(Session("myPrincipal"), MyCustomPrincipal)
    Else
        'Authenticated but no cached principal: sign out and go back to the login page
        If Thread.CurrentPrincipal.Identity.IsAuthenticated = True Then
            Web.Security.FormsAuthentication.SignOut()
            Server.Transfer(Request.ApplicationPath + "/Login.aspx")
        End If
    End If
End Sub
-- Joe Fallon

"AndiV" <andiv@yahoo.com> wrote in message news:ubyzj40bEHA.2840@TK2MSFTNGP11.phx.gbl...
> Each of my intranet pages (windows authentication) needs to validate user's
> roles stored in the database. Currently, I retrieve the
> User.Identity.Name property, then query the database for user's roles
> every time a page is loaded, which is very inefficient.
>
> I think a more efficient approach would be to query the database only once
> for each user, the application_start event is probably the best place? Once
> this particular user's roles are retrieved, the roles can be concatenated as
> a delimited string and stored in cookie or a session variable. Then on each
> page load event, I just have to parse the roles string to apply
> authorization.
>
> I believe this scheme will work. But it seems more like a hack than a design
> pattern or a best practice. I'm seeking a .NET elegant solution. Please
> advise.
>
> TIA,
> Andi
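
As an added example (not code from the original post): a compact, compilable form of the Principal/Identity pair described in the message above, extended with case-insensitive role matching and an age check, because roles cached in Session otherwise stay in effect until the session ends even after they are revoked in the database. It assumes a newer VB compiler than the 2004 post (generics, HashSet) and derives the identity from GenericIdentity; the class names, IsStale, and the sample user and roles are hypothetical.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

' Added example: MyCustomIdentity, MyCustomPrincipal and IsStale are hypothetical names.
Public Class MyCustomIdentity
    Inherits GenericIdentity
    ' Case-insensitive set, so "Editors" and "editors" are the same role.
    Private ReadOnly mRoles As HashSet(Of String)
    Private ReadOnly mLoadedUtc As DateTime
    Public Sub New(name As String, roles As IEnumerable(Of String), loadedUtc As DateTime)
        MyBase.New(name, "Custom")
        mRoles = New HashSet(Of String)(roles, StringComparer.OrdinalIgnoreCase)
        mLoadedUtc = loadedUtc
    End Sub
    Friend Function IsInRole(role As String) As Boolean
        Return role IsNot Nothing AndAlso mRoles.Contains(role)
    End Function
    ' True when the cached roles are older than maxAge and should be re-read.
    Public Function IsStale(nowUtc As DateTime, maxAge As TimeSpan) As Boolean
        Return nowUtc - mLoadedUtc > maxAge
    End Function
End Class

Public Class MyCustomPrincipal
    Implements IPrincipal
    Private ReadOnly mIdentity As MyCustomIdentity
    Public Sub New(id As MyCustomIdentity)
        mIdentity = id
    End Sub
    Public ReadOnly Property Identity As IIdentity Implements IPrincipal.Identity
        Get
            Return mIdentity
        End Get
    End Property
    Public Function IsInRole(role As String) As Boolean Implements IPrincipal.IsInRole
        Return mIdentity.IsInRole(role)
    End Function
End Class

Module Demo
    Sub Main()
        ' Constructed sample data standing in for the role rows read for one user.
        Dim id As New MyCustomIdentity("DOMAIN\andi", New String() {"Editors", "Reports"}, DateTime.UtcNow.AddMinutes(-20))
        Dim user As IPrincipal = New MyCustomPrincipal(id)
        Console.WriteLine(user.IsInRole("editors"))
        Console.WriteLine(user.IsInRole("Admins"))
        Console.WriteLine(id.IsStale(DateTime.UtcNow, TimeSpan.FromMinutes(15)))
    End Sub
End Module
```

In AcquireRequestState, a stale identity would be rebuilt from the database before the principal is attached to Thread.CurrentPrincipal and HttpContext.Current.User.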