I want to use the AuthorizeAttribute to control which users are allowed access to my actions. I just want to clarify that my logic is in order.
- I create my own implementation of IPrincipal
- I post a user’s credentials to a login action of a security controller.
- I validate the credentials with a UserService class and assign the IPrincipal returned from my UserService class to HttpContext.User
- My WebAuthorizeAttribute, which inherits AuthorizeAttribute, checks the current HttpContext.User.Identity.IsAuthenticated and HttpContext.User.IsInRole to determine if the user has access to the action.
Is this the normal flow of things? I know I could inherit MembershipProvider, but I don’t need all of the functionality there, really just the ability to login with two different roles.
You’ll have to store IPrincipal somewhere and restore it with every request. If you’ll use FormsAuthentication, this is a good solution:
ASP.NET 2.0 Forms authentication – Keeping it customized yet simple
You can find other solutions here:
Where to store logged user information on ASP.NET MVC using Forms Authentication?
and probably in many other StackOverflow questions :)
EDIT
About MyBusinessLayerSecurityClass.CreatePrincipal(id, id.Name):
You should read this page:
http://msdn.microsoft.com/en-us/library/aa480476.aspx
Especially this:
FormsIdentity is managed automatically after you set the authentication cookie. All you have to do is wrap it up in your IPrincipal. All this happens when the HttpContext.Current.User property is not null (it is a GenericPrincipal, which you replace shortly after). When HttpContext.Current.User is null, no authentication cookie was created earlier and the user is not authenticated.
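The flow described above in one piece, as an added example that is not part of the original question or answer: the login action only issues the Forms ticket, Application_AuthenticateRequest rebuilds the custom principal from the FormsIdentity on every request, and the attribute checks the restored principal. WebPrincipal, SecurityController, UserService.Validate and UserService.RolesFor are assumed names for the asker's own classes.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Custom IPrincipal wrapping the FormsIdentity rebuilt from the ticket; roles come from the server-side store.
public class WebPrincipal : IPrincipal
{
    private readonly string[] roles;
    public WebPrincipal(IIdentity identity, string[] roles) { Identity = identity; this.roles = roles ?? new string[0]; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return Array.Exists(roles, r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase)); }
}
// Login action: validate, then let Forms Authentication store the user name in the cookie.
// UserService.Validate and UserService.RolesFor are assumed application methods (not on the page).
public class SecurityController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        if (!UserService.Validate(userName, password)) return View(); // generic failure, no detail leaked
        FormsAuthentication.SetAuthCookie(userName, false);
        return RedirectToAction("Index", "Home");
    }
}
// Global.asax: after the Forms module validates the ticket, HttpContext.Current.User is a
// GenericPrincipal over a FormsIdentity; replace it with WebPrincipal on every request.
public class MvcApplication : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated) return; // no valid ticket: stay anonymous
        var formsIdentity = user.Identity as FormsIdentity;
        if (formsIdentity == null) return;
        HttpContext.Current.User = new WebPrincipal(formsIdentity, UserService.RolesFor(formsIdentity.Name));
    }
}
// The attribute reads only the restored principal; Roles is the attribute's comma-separated list.
public class WebAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return string.IsNullOrEmpty(Roles) || Array.Exists(Roles.Split(','), r => user.IsInRole(r.Trim()));
    }
}
```

Roles are re-read from the server store on each request rather than stored in the ticket, so a role change takes effect without re-issuing the cookie.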