3

I'm using Forms authentication and I would like to make use of roles. Can I somehow set the role of the user without Membership?

Omu

4 Answers

5

A simple way to do it is to store the list of roles in the authentication ticket when the user is authenticated. Then for every request (Application_AuthenticateRequest method of the global.asax file) you extract the roles, add them to a GenericPrincipal object and set the HttpContext.User property.

Your User.IsInRole("role") and [AuthorizeAttribute(Roles="role")] will then work as normal.

See this answer for code detailing how to do it.

Community
David Glenn
1

Do you mean "without using ASP.NET's standard Membership implementation"?

If so, then yes, you can by implementing your own Membership and/or Roles provider. See here and here for details about how to implement a Membership/Roles provider.

M4N
  • actually, I would like to do that without implementing asp.net Membership, I just need one simple thing: to set the user's role, but Membership has a lot of stuff – Omu Feb 17 '10 at 16:21
  • @Omu: IIRC you only have to implement the methods you are actually using. Simply leave the other methods empty. – M4N Feb 17 '10 at 16:43
1

Yes you can.

The only caveat is that roles will not work with an anonymous user (fairly obvious I would have thought) and you'll need some mechanism to set a user's identity (which can be anything you like).

The MSDN article:

Understanding Role Management

contains the following information:

However, role management does not depend on membership. As long as you have a way in your application to set user identity, you can use role management for authorization.

CraigTP
  • so I need to implement RoleProvider and set my custom role provider in web.config, after use Roles.AddUserToRole("username", "rolename"), is that correct? – Omu Feb 17 '10 at 16:34
  • @Omu - Yes, that's what you would have to do. Bear in mind though, that you'll need to persist both the roles and the user object between page requests (as per the comments/conversation on çağdaş's answer) and for the lifetime of the application. This is especially true if your user objects are created purely within code. If you are using a custom role provider (rather than the "built-in" SQL one for example) it may be best to also implement your own custom Membership provider. See: http://www.devx.com/asp/Article/29256 for an example of that. – CraigTP Feb 17 '10 at 21:42
1

You don't need to implement a whole membership provider.

Create your own Principal (which has the IsInRole method) and Identity.
And then make sure your user object (HttpApplication.Context.User) is populated with your principal on each request.
Done. Now the Authorize attribute will be talking to your principal.

Çağdaş Tekin
  • but I'm going to need to store somewhere the logged user like in session and set it on each request (action executing) – Omu Feb 17 '10 at 16:31
  • @Omu, Yes, of course. You're going to have to persist that information somehow. – Çağdaş Tekin Feb 17 '10 at 16:34
  • well, I could just not use the User.IsInRole at all, and just set Session["role"] = "admin" when I authenticate the user and get it whenever I need it – Omu Feb 17 '10 at 16:37
  • @Omu I guess. I suggested this way because it should work nicely with the built-in Authorize attribute. But of course, if it's going to be too much hassle to make sure this works well with the rest of your application, then obviously this is not the best solution. – Çağdaş Tekin Feb 17 '10 at 16:45
  • @Omu you can store the roles and the user ID in the authentication cookie. It's quite simple, see my answer. – David Glenn Feb 17 '10 at 16:58