Re: Role-based authentication and Forms and System.UnauthorizedAccessException

From: wrecker (wrecker_at_wrecked.com)
Date: 08/19/05


Date: Fri, 19 Aug 2005 13:31:56 -0400

Hi Dominick,

Thanks for your help. Now I'm wondering if there is any way to access a user's roles if they have
cookies disabled? I suppose that I could pass roles on the query string and check them on page load
but there must be a more elegant way. For now I'll follow your suggestion and store the roles in a
cookie.

Thanks again

On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
<dbaier@pleasepleasenospamdevelop.com> wrote:

>Hello wrecker,
>
>I doubt your code is working fine. In AuthenticateRequest you don't have
>access to the Session as the SessionModule runs after this event....
>
>The common approach is to store the roles in the cookie. I have a sample
>on my blog for doing this:
>http://www.leastprivilege.com/DevWeek2005PostConference.aspx
>
>---------------------------------------
>Dominick Baier - DevelopMentor
>http://www.leastprivilege.com
>
>> Hi all,
>>
>> I'm trying to implement role-based authentication for the following
>> directory structure in my ASP.NET app.
>>
>> login.aspx
>> Admin/
>> Members/
>> The web.config in my Admin directory is as follows
>>
>> <configuration>
>>   <system.web>
>>     <authorization>
>>       <allow roles="Admin"/>
>>       <deny users="*"/>
>>     </authorization>
>>   </system.web>
>> </configuration>
>> When the user logs in using authentication mode set to Forms, they are
>> authenticated against a SQL table and then assigned a role
>>
>> Dim roles() As String
>> If CurrentUser.IsAdministrator Then
>>     roles = New String() {"Admin", "Member"}
>> Else
>>     roles = New String() {"Member"}
>> End If
>> Where the roles string array is stored in the Session (although I've
>> also tried storing it in the cache object as well to try and solve my
>> problem)
>>
>> In Global.asax Application_AuthenticateRequest I have
>>
>> If (Not (HttpContext.Current.User Is Nothing)) Then
>>     If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
>>         Dim id As System.Web.Security.FormsIdentity
>>         id = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
>>         HttpContext.Current.User = New _
>>             System.Security.Principal.GenericPrincipal(id, roles)
>>         ' roles extracted from session
>>     End If
>> End If
>> My problem is that after a user having Administrator privileges logs
>> in and they try to access a page in the Admin directory they get a
>> System.UnauthorizedAccessException exception. I've debugged this and
>> the roles array does indeed have "Admin" and "Members" in it, but the
>> HttpContext.Current.User doesn't seem to contain this information,
>> even after assigning it the new principal (I can't find it in any
>> fields that are visible to the debugger) I've checked the permissions
>> on the directory and the ASP machine account has access to this
>> directory. I've been reading quite a few articles on role based
>> security (especially the ones from the Rolla guys) and they all seem
>> to use this approach. Why is this not working???
>>
>> My test system is IIS5.1 on XP Pro using version 1.1 of the framework.
>>
>> Thanks
>>
>
>