Principal object


Amit Agarwal

Where is the place to attach the principal object to the identity?

The global file?
And is it necessary to attach the user roles to the principal object each time?

amit
 
Application_AuthenticateRequest

And yes, each request is unique by itself. The only way you can say that it
belongs to this user, from a server's perspective, is
a. session id
b. principal based on authentication
 
I assume you are talking about doing this along with authentication. Here
is what I've done, and it works great. This was taken from an example on
MSDN.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT04.asp

' In Global.asax (needs Imports System.Web.Security and Imports System.Security.Principal)
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires upon attempting to authenticate the user

    ' Extract the forms authentication cookie
    Dim cookieName As String = FormsAuthentication.FormsCookieName
    Dim authCookie As HttpCookie = Context.Request.Cookies(cookieName)

    If authCookie Is Nothing Then
        ' There is no authentication cookie.
        Return
    End If

    Dim authTicket As FormsAuthenticationTicket

    Try
        authTicket = FormsAuthentication.Decrypt(authCookie.Value)
    Catch ex As Exception
        ' Log exception details (omitted for simplicity)
        Return
    End Try

    If authTicket Is Nothing Then
        ' Cookie failed to decrypt.
        Return
    End If

    Dim roles() As String = {"role1", "role2", "role3"}

    ' Create an Identity object
    Dim id As FormsIdentity = New FormsIdentity(authTicket)

    ' This principal will flow throughout the request.
    Dim principal As GenericPrincipal = New GenericPrincipal(id, roles)
    ' Attach the new principal object to the current HttpContext object
    Context.User = principal
End Sub

' In the page's code-behind
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    ' Put user code to initialize the page here
    Dim p As System.Security.Principal.IPrincipal = HttpContext.Current.User

    ' username
    Response.Write("Your username " & p.Identity.Name)

    If p.IsInRole("role1") Then
        Response.Write("User is in role1")
    Else
        Response.Write("User is not in role1")
    End If
End Sub
 
Thanks for your reply...
Is User.Identity.Name
accessible in class modules and ascx controls?

I doubt it!

amit
 
Yes, it is accessible everywhere... even in your middle-tier components, as long
as they get hold of the HttpContext object.
If you assigned the user id or the FirstName + " " + LastName to the username
when creating the forms authentication ticket,
then you can read that value anywhere in your code... be it code-behind...
user controls... or even your custom components,
as long as you bind the ticket to the principal in
Application_AuthenticateRequest.
 
Hello,
thanks for your reply.
I have used this implementation on a live site;
how it is showing results!!!

thx amit
 
Hi,
my project manager is saying
not to store roles in the ticket, i.e. on the client's machine (cookie).

Instead, store them in session.
Then I feel there is no need to store roles in the principal:
just create a method IsInRole() and pass a role like admin,
and check for the specified role in the role array which is in session.

That's it.

What do you feel?

Please comment on it.

amit
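One way to realise the session-held roles described in the post above, as an added example that is not part of this thread (VB.NET; the class name `Global_asax`, the helper `LookupRoles`, the session key `UserRoles` and the sample users are assumptions made here). The point it shows is that `User.IsInRole` can keep working in code-behind, user controls and components without a custom IsInRole(), because the roles are attached to the principal on the server. Session state is not yet available in Application_AuthenticateRequest (it is acquired later in the pipeline), so the principal is rebuilt in Application_PostAcquireRequestState instead:

```vbnet
' Global.asax code-behind (added example; class name must match the Inherits
' attribute of your Global.asax).
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal

Public Class Global_asax
    Inherits HttpApplication

    Private Const RolesSessionKey As String = "UserRoles"   ' assumed key name

    ' Hypothetical lookup against the user store; replace with real data access.
    ' The users and roles below are constructed sample data.
    Private Shared Function LookupRoles(ByVal userName As String) As String()
        If userName = "alice" Then
            Return New String() {"admin", "editor"}
        ElseIf userName = "bob" Then
            Return New String() {"editor"}
        End If
        Return New String() {}
    End Function

    ' Called from the login page once the credentials have been verified.
    ' Only the user name goes into the forms ticket; the roles stay on the server.
    Public Shared Sub SignIn(ByVal userName As String)
        HttpContext.Current.Session(RolesSessionKey) = LookupRoles(userName)
        FormsAuthentication.RedirectFromLoginPage(userName, False)
    End Sub

    ' Runs after session state has been loaded for this request, so the role
    ' array stored in session can be read here (it cannot in AuthenticateRequest).
    Sub Application_PostAcquireRequestState(ByVal sender As Object, ByVal e As EventArgs)
        ' Session is Nothing for requests that carry no session (e.g. static handlers).
        If Context.Session Is Nothing OrElse Not Context.Request.IsAuthenticated Then
            Return
        End If

        Dim roles As String() = TryCast(Context.Session(RolesSessionKey), String())
        If roles Is Nothing Then
            ' The session timed out while the authentication ticket is still valid:
            ' re-read the roles instead of silently leaving the user with none.
            roles = LookupRoles(Context.User.Identity.Name)
            Context.Session(RolesSessionKey) = roles
        End If

        ' Keep the identity the FormsAuthenticationModule already built from the
        ' ticket and attach the server-side roles; page code then uses User.IsInRole.
        Context.User = New GenericPrincipal(Context.User.Identity, roles)
    End Sub
End Class
```

Because this reads the identity the FormsAuthenticationModule has already extracted rather than the cookie itself, it does not care whether the ticket arrived in a cookie or in the URL. Session timeout and ticket timeout are independent settings, which is why the handler re-queries the roles when the session array is missing.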
 
Can this concept work for cookieless mode?
I guess not.
Then are we handicapped?

Please reply.

amit
 
But if you are encrypting the ticket before writing it to the cookie,
what's the problem?
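The alternative this reply points at, roles carried inside the encrypted forms ticket rather than hardcoded or kept in session, as an added example that is not from the thread (VB.NET; the class `TicketRoles` and the methods `IssueTicket` and `BuildPrincipal` are names assumed here). With the default `<forms protection="All">`, FormsAuthentication.Encrypt both encrypts and signs the ticket, so the browser can neither read nor alter the role list; the trade-offs are that the roles are frozen until the ticket is reissued and that the cookie grows with the role list:

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal

Public Class TicketRoles
    ' Login page: after the credentials have been verified, put the roles into the
    ' ticket's UserData so they travel with the (encrypted and signed) ticket.
    Public Shared Sub IssueTicket(ByVal response As HttpResponse, ByVal userName As String, ByVal roles As String())
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), _
            False, String.Join(",", roles))

        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True   ' .NET 2.0 and later: keeps page script away from the ticket
        response.Cookies.Add(cookie)
    End Sub

    ' Global.asax: called from Application_AuthenticateRequest with the decrypted
    ' ticket, instead of using a hardcoded role array.
    Public Shared Function BuildPrincipal(ByVal ticket As FormsAuthenticationTicket) As GenericPrincipal
        Dim roles As String() = New String() {}
        If Not String.IsNullOrEmpty(ticket.UserData) Then
            roles = ticket.UserData.Split(","c)
        End If
        Return New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Function
End Class
```

In the Application_AuthenticateRequest handler posted earlier, `Context.User = TicketRoles.BuildPrincipal(authTicket)` would replace the hardcoded roles once the ticket has been decrypted successfully; a ticket that fails to decrypt or verify is still rejected before any role is granted.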
 
Here
security is not the issue.
The issue is that if in future we want our site to
change to cookieless mode,
then our site should also work seamlessly.

amit
 
Oh well, I don't know much about cookieless forms authentication... but if you
do get anywhere (i.e. get it working)... please do drop in a line...
 