
FormsAuthentication_OnAuthenticate Method


Hemant Sathe

Aug 17, 2001, 5:15:34 AM
I need to attach roles to users from my database. I have a method which
connects to the database and checks for valid user. But I need to provide
access to web pages using their category (role) which also is in database &
currently I am storing it in Session variables. I want to use complete
forms based authentication using the roles of users. I have read that this
can be done using Generic Principal class. Also there is this
FormsAuthentication_OnAuthenticate method. But I don't know where to write
the code for this method and how to assign role to users in this case.
Kindly Help
Thanks
Hemant Sathe


Venkat Chilakala

Aug 17, 2001, 8:56:47 PM
Hi Hemanth,
Here is the sample code that may help you.

Thanks
Venkat

This code goes in the global.asax.
(don't forget to import required namespaces)

<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Data.SqlClient" %>

<script language="vb" runat="server" Debug="true" >

' Runs on every request: rebuild the principal with the user's role from the database.
Public Sub Application_OnAuthenticateRequest(src As Object, e As EventArgs)
    If Not (HttpContext.Current.User Is Nothing) Then
        If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
            Dim id As FormsIdentity
            id = CType(HttpContext.Current.User.Identity, FormsIdentity)

            Dim Roles1(0) As String
            Roles1(0) = GetRole(id.Name)
            HttpContext.Current.User = New GenericPrincipal(id, Roles1)
        End If
    End If
End Sub

' Looks up the role stored for the given user alias.
Public Function GetRole(uid As String) As String
    Dim SQLCn As SqlConnection
    Dim SQLCmd As SqlCommand
    Dim SQLDr As SqlDataReader
    SQLCn = New SqlConnection("server=venkatc;uid=sa;pwd=chilakala;database=Pubs;")
    ' Pass the user name as a parameter rather than concatenating it into the SQL text.
    SQLCmd = New SqlCommand("Select userRole from users where alias = @alias", SQLCn)
    SQLCmd.Parameters.AddWithValue("@alias", uid)
    SQLCn.Open()
    SQLDr = SQLCmd.ExecuteReader()
    While SQLDr.Read()
        GetRole = SQLDr.Item("userRole").ToString()
    End While
    SQLCn.Close()
End Function

</script>

Hemant Sathe

Aug 20, 2001, 2:42:31 AM
Dear Venkat,
Thanks for the reply but this has not solved the problem. I am sending
snippets of my code.
I am using a login page for all my users. I want to create role based
security as the user is a general user as well as admin or accountant etc.
Functionalities exposed are different based on these additional roles.
My Web.Config file
<authentication mode="Forms">
    <forms name="LMSUSER" loginUrl="/LMS/Login/Login.aspx" protection="All"
           path="/" timeout="5"></forms>
</authentication>
<authorization>
    <deny users="?" />
</authorization>
In my login.aspx page on the btnSubmit_Click
string strUserID="",strCategory="";
//The IsValidUser takes login,password and returns user id and category (role) for the user
if(Utils.IsValidUser(txtLogin.Text,txtPass.Text,ref strUserID,ref strCategory))
{
    //Session variables are maintained as forms authentication is not working
    Session["userid"]=strUserID;
    Session["category"]=strCategory;
    GenericIdentity lmsIdentity=new GenericIdentity(txtLogin.Text);
    String[] strRoles={strCategory,"general"};
    GenericPrincipal lmsPrincipal=new GenericPrincipal(lmsIdentity,strRoles);
    HttpContext.Current.User=lmsPrincipal;
    FormsAuthentication.RedirectFromLoginPage(txtLogin.Text.ToLower(),false);
}
else
{
    lblMessage.Text="Incorrect Login!!! Try Again!.";
    Session["userid"]=strUserID;
    Session["category"]=strCategory;
}
In my Default.aspx page I check for the user name/roles
protected void Page_Load(object sender, EventArgs e)
{
    if(HttpContext.Current.User.IsInRole("admin"))
        Response.Write("Admin Found");
    else
        Response.Write("Admin Not Found");
    //Following code works but then i can have only one admin :-(
    if(User.Identity.Name=="admin")
    {
        Response.Redirect("/LMS/Admin/Admin.aspx");
        AdminHeader.Visible=true;
    }
    else
    {
        AdminHeader.Visible=false;
    }
    ...........
}
In login.aspx I get the user role as admin but in next page it is gone. I
think the user gets attached only to current request and with every request
new user is generated.
I also have a few more queries....
1. Once again how to handle the FormsAuthentication.Authenticate event?
2. Why are the event handling procedures in global.asax not called?
3. Do I have to write some code to call these handling procedures?
Please reply with C# code if possible.
Thank you
Hemant Sathe


Michael Collins

Aug 20, 2001, 5:09:48 PM
Venkat was correct in his approach, and it actually does answer your
problem.

The thing to remember here is that the underlying protocol is HTTP and this
is a stateless protocol. This means, in the Microsoft environment, that for
each request, you must rebuild the execution and session environment for
your web application.

Setting the principal in your login page is not going to matter because the
principal is going to be reset in the next request. The
FormsAuthentication.RedirectFromLoginPage() method is going to create an
encrypted cookie with the user name. At the beginning of each request,
ASP.NET will decrypt this cookie and will reset the HttpContext.Current.User
property with the information from the cookie. This means that all of the
role information will be erased.

To implement role-based security, you must implement the
Global.Application_OnAuthenticateRequest() event. ASP.NET will invoke this
event handler prior to executing the request and you can use it to set the
security information. Look at the sample code for the portal at
http://www.ibuyspy.com. What they do is create an encrypted cookie
containing a list of the roles that the user is granted. For each request,
they decrypt the list of roles stored in the cookie, and build a new
GenericPrincipal(), like you are doing in your login page.

After Application_OnAuthenticateRequest() runs, the roles will be set and
you can use role-based security on your web pages.
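
The pattern described in this reply, written out in C# as an added example (not code from the thread or from the IBuySpy portal): roles are looked up once at login and carried in the encrypted forms-authentication ticket, then restored into a GenericPrincipal on every request. `RoleTicket.SignIn` and the `|` separator are hypothetical names and choices made for this example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket   // hypothetical helper, called from the login page
{
    // Issue the forms-auth cookie with the user's roles carried in UserData.
    public static void SignIn(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(5),     // matches timeout="5" in the posted Web.config
            false,                          // not persistent
            string.Join("|", roles),        // UserData: roles looked up once at login
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the encryption and validation selected by protection="All".
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }
}

public class Global : HttpApplication
{
    // Runs on every request, after FormsAuthenticationModule has validated the cookie.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        FormsIdentity id = user.Identity as FormsIdentity;
        if (id == null) return;             // not a forms-auth request

        // id.Ticket is the already decrypted and validated ticket; read roles from it,
        // never from a separate cookie or form field the client can edit.
        string[] roles = id.Ticket.UserData.Split(
            new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        HttpContext.Current.User = new GenericPrincipal(id, roles);
    }
}
```

The login page calls `RoleTicket.SignIn(Response, userName, roles)` and then `Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false))`, since `RedirectFromLoginPage` would issue its own ticket without the roles. Roles stay as issued until the ticket expires, so a role revoked in the database takes effect only at the next login.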
