How to Authorize Users against the ASP.Net Role Provider

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you use Windows groups for authorization, consider using the ASP.NET role provider named AspNetWindowsTokenRoleProvider rather than checking group membership directly. This separates the design of the authorization from its implementation inside your service: if you later change the role provider (for example, from Windows groups to roles stored in SQL Server), the code that performs the authorization does not change. For the same reason, prefer imperative checks through the role manager API (Roles.IsUserInRole) over WindowsPrincipal.IsInRole, which ties the service to Windows groups. The procedures below use the SqlRoleProvider together with user name authentication backed by the SQL membership provider; to authorize against Windows groups instead, set roleProviderName to AspNetWindowsTokenRoleProvider and use Windows client credentials.

Use the following steps to declaratively authorize users with the ASP.NET role provider:
  1. Configure the SQL Role provider in the service app.config or web.config file as follows. The applicationName must match the one used by the membership provider and the one under which the roles were created; if it does not, every role check returns false:
  <system.web>
    <!-- Configure the Sql Role Provider -->
    <roleManager enabled ="true" 
                 defaultProvider ="SqlRoleProvider" >
      <providers>
        <add name ="SqlRoleProvider" 
             type="System.Web.Security.SqlRoleProvider" 
             connectionStringName="SqlConn" 
             applicationName="MembershipAndRoleProviderSample"/>
      </providers>
    </roleManager>
  </system.web>
  2. Configure the service behavior to use the ASP.NET role provider for authorization and the membership provider for user name authentication:
    <behaviors>
      <serviceBehaviors>
        <behavior name="CalculatorServiceBehavior">
          <!-- Configure role based authorization to use the Role Provider -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="SqlRoleProvider" />
          <serviceCredentials>
            <!-- Configure user name authentication to use the Membership Provider -->
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                    membershipProviderName="SqlMembershipProvider"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  3. Authorize declaratively by adding the PrincipalPermission attribute above each service method that requires authorization. Specify the role required to access the method in the Role field; the demand is evaluated against the configured role provider, not against Windows groups:
[PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
public double Add(double a, double b)
{
    return a + b;
}
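The following is an added example, not code from the original page: a complete self-hosted version of the three steps above, written in C#. It shows the PrincipalPermission demands on a service class (including two demands on one method, which are OR-ed) and sets the same authorization and credential settings in code that the web.config fragments set declaratively. The contract name, the "auditors" role, the endpoint address and the "localhost" service certificate are assumptions for the example; Roles.Provider and Membership.Provider still come from the roleManager and membership sections of app.config.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Web.Security;

[ServiceContract]
public interface ICalculator
{
    [OperationContract] double Add(double a, double b);
    [OperationContract] double Divide(double a, double b);
    [OperationContract] string Ping();
}

public class CalculatorService : ICalculator
{
    // The demand is evaluated against the configured role provider because the host runs
    // with PrincipalPermissionMode.UseAspNetRoles; "accounting" is the page's example role.
    [PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
    public double Add(double a, double b)
    {
        return a + b;
    }

    // Several PrincipalPermission demands on one method are OR-ed: a caller in either
    // role may invoke Divide. "auditors" is an assumed role name for this example.
    [PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
    [PrincipalPermission(SecurityAction.Demand, Role = "auditors")]
    public double Divide(double a, double b)
    {
        if (b == 0)
        {
            throw new FaultException("Division by zero.");
        }
        return a / b;
    }

    // No demand: any caller that passed user name authentication can reach this.
    public string Ping()
    {
        return "pong";
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed self-hosted endpoint; under IIS the <serviceBehaviors> fragment on the page
        // does the same job. Roles.Provider and Membership.Provider are read from the
        // <roleManager> and <membership> sections of app.config, so those are required either way.
        using (var host = new ServiceHost(typeof(CalculatorService),
                                          new Uri("http://localhost:8000/Calculator")))
        {
            // Message security with a user name token: the credential the membership provider validates.
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            host.AddServiceEndpoint(typeof(ICalculator), binding, "");

            // Message security needs a service certificate to protect the user name token.
            // Subject "localhost" in LocalMachine\My is an assumption for this example.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");

            // Same as <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" .../>
            host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
                UserNamePasswordValidationMode.MembershipProvider;
            host.Credentials.UserNameAuthentication.MembershipProvider = Membership.Provider;

            // Same as <serviceAuthorization principalPermissionMode="UseAspNetRoles"
            //                               roleProviderName="SqlRoleProvider" />
            host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
            host.Authorization.RoleProvider = Roles.Provider;

            host.Open();
            Console.WriteLine("Calculator service listening. Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

When a demand fails, the service raises a SecurityException that WCF turns into an access-denied fault; the client sees a SecurityAccessDeniedException and is not told which role was required. Because UseAspNetRoles also sets Thread.CurrentPrincipal to a principal backed by the role provider, Thread.CurrentPrincipal.IsInRole inside an operation gives the same answer as the attribute.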

Use the following steps to imperatively authorize users with the ASP.NET role provider:
  1. Configure the SQL Role provider in the service app.config or web.config file as follows. The applicationName must match the one used by the membership provider and the one under which the roles were created; if it does not, every role check returns false:
  <system.web>
    <!-- Configure the Sql Role Provider -->
    <roleManager enabled ="true" 
                 defaultProvider ="SqlRoleProvider" >
      <providers>
        <add name ="SqlRoleProvider" 
             type="System.Web.Security.SqlRoleProvider" 
             connectionStringName="SqlConn" 
             applicationName="MembershipAndRoleProviderSample"/>
      </providers>
    </roleManager>
  </system.web>
  2. Configure the service behavior to use the ASP.NET role provider for authorization and the membership provider for user name authentication:
    <behaviors>
      <serviceBehaviors>
        <behavior name="CalculatorServiceBehavior">
          <!-- Configure role based authorization to use the Role Provider -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="SqlRoleProvider" />
          <serviceCredentials>
            <!-- Configure user name authentication to use the Membership Provider -->
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                    membershipProviderName="SqlMembershipProvider"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  3. Authorize imperatively by calling the Roles.IsUserInRole method. The role name can be held in a variable and chosen at run time, as shown below. The snippet is ASP.NET page code (Msg and UsersListBox are page controls); in a service operation, take the caller's name from ServiceSecurityContext.Current.PrimaryIdentity.Name rather than from User.Identity.Name:
  // Role name held in a variable so it can be chosen at run time (from configuration, for example).
  string RequiredGroup = "Administrators";
  try
  {
    // Pass the variable itself, not the literal string "RequiredGroup".
    if (!Roles.IsUserInRole(User.Identity.Name, RequiredGroup))
    {
      Msg.Text = "You are not authorized to view user roles.";
      UsersListBox.Visible = false;
      return;
    }
  }
  catch (HttpException)
  {
    // Roles.IsUserInRole throws HttpException when there is no logged-on user; fail closed.
    Msg.Text = "There is no current logged on user. Role membership cannot be verified.";
    return;
  }
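The following is an added example, not code from the original page: the same imperative check written for a WCF service operation in C#, so that the caller's identity comes from ServiceSecurityContext rather than from an ASP.NET page. The required role per operation is kept in a dictionary so it can be changed at run time, the check fails closed when there is no authenticated caller or the role manager is unusable, and a generic fault is returned so the client learns nothing about which role was needed. The contract, operation names and the "Administrators" role are assumptions for the example; the host is assumed to be configured with principalPermissionMode="UseAspNetRoles" as in step 2.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration.Provider;
using System.ServiceModel;
using System.Web.Security;

[ServiceContract]
public interface IUserAdminService
{
    [OperationContract] string[] GetRolesForUser(string userName);
    [OperationContract] void AddUserToRole(string userName, string roleName);
}

public class UserAdminService : IUserAdminService
{
    // Required role per operation, kept in data rather than in attributes so it can be
    // changed at run time (loaded from configuration, for instance). Role names are assumed.
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>
        {
            { "GetRolesForUser", "Administrators" },
            { "AddUserToRole",   "Administrators" },
        };

    public string[] GetRolesForUser(string userName)
    {
        Authorize("GetRolesForUser");
        return Roles.GetRolesForUser(userName);
    }

    public void AddUserToRole(string userName, string roleName)
    {
        Authorize("AddUserToRole");
        Roles.AddUserToRole(userName, roleName);
    }

    // Imperative check: look up the role the operation needs and ask the role provider.
    // A generic fault is thrown on failure so the caller is not told which role was required.
    private static void Authorize(string operation)
    {
        if (!CallerIsInRole(RequiredRole[operation]))
        {
            throw new FaultException("Access denied.");
        }
    }

    // Resolve the caller's name from the WCF security context (not from an ASP.NET page's
    // User property) and ask the configured role provider. Returns false, i.e. fails closed,
    // when there is no authenticated caller or the role manager cannot be used.
    public static bool CallerIsInRole(string roleName)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || string.IsNullOrEmpty(ctx.PrimaryIdentity.Name))
        {
            return false;
        }

        try
        {
            // Pass the variable holding the role name, not a literal containing the variable's name.
            return Roles.IsUserInRole(ctx.PrimaryIdentity.Name, roleName);
        }
        catch (ProviderException)
        {
            // <roleManager enabled="true"> is missing, or the provider could not reach its store.
            return false;
        }
    }
}
```

Under principalPermissionMode="UseAspNetRoles", Thread.CurrentPrincipal.IsInRole(roleName) consults the same role provider and returns the same result as Roles.IsUserInRole; the explicit form above is used so that the identity source and the failure handling are visible.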

Additional Resources

Last edited Jun 13, 2008 at 7:18 PM by prashantbansode, version 1
