role-based authorization -- user role part is not working

Hi, I followed this link http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp to set up role-based authorization. However, the 'IsInRole' part didn't work. 'User.Identity.Name' works correctly. I set a few breakpoints and started debugging. In the 'Locals' window, under 'Me-User-..-ticket', there is nothing for 'UserData'. What did I do wrong?

Here is how I created the ticket. During debugging, I can see the value for roles is correct ("0"). I used numbers for the roles, not words.

authTicket = New FormsAuthenticationTicket(1, username, DateTime.Now, DateTime.Now.AddHours(3), False, roles)

What can I do? Please help!

Thanks.
Ming

ming2005
10/13/2005 10:08:15 PM
asp.net.security
Post the Code for Authenticate_Request event in Global.asax.cs ....
It must have the line ....

  // This principal will flow throughout the request.
  GenericPrincipal principal = new GenericPrincipal(id, roles);
  // Attach the new principal object to the current HttpContext object
  Context.User = principal;

and you should be checking Context.User.IsInRole in your code ......

Also, you should put a breakpoint and check what the value of principal is and whether it contains all the roles before assigning it to Context.User
ASP.Net Tips & Tricks - Jawad's Blog
JawadKhan
10/14/2005 10:15:50 AM
I checked and user data is empty under principal. Here is my code, please help!!!

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim cookiename As String = FormsAuthentication.FormsCookieName
    Dim authcookie As HttpCookie = Context.Request.Cookies(cookiename)
    If authcookie Is Nothing Then
        Return
    End If
    Dim authticket As FormsAuthenticationTicket
    Try
        authticket = FormsAuthentication.Decrypt(authcookie.Value)
    Catch ex As Exception
        Throw New Exception(ex.Message)
    End Try
    If authticket Is Nothing Then
        Return
    End If
    Dim roles() As String = authticket.UserData.Split(New Char() {","c})
    Dim id As FormsIdentity = New FormsIdentity(authticket)
    Dim principal As GenericPrincipal = New GenericPrincipal(id, roles)
    Context.User = principal
End Sub

here is how cookie is made with user roles:

If user.isAuthenticated() = True Then
    roles = "manager"         ' to make it easier
    Dim authTicket As FormsAuthenticationTicket
    authTicket = New FormsAuthenticationTicket(1, txt1.Text, DateTime.Now, DateTime.Now.AddHours(3), False, roles)
    Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
    Dim authCookie As HttpCookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
    Response.Cookies.Add(authCookie)
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txt1.Text, "false")
End If

Thanks,

BTW, if I want to keep user's other information (which organization it's from) with its role together, how do I do it? Thanks again.

Ming

ming2005
10/14/2005 8:40:31 PM

Does it have anything to do with the local machine allowing/disallowing cookies? I put the code together in the same function (add a new cookie and retrieve the user information right after) and I can see the UserData has a value. So the problem could be that in the global.asax.vb file, the Application_AuthenticateRequest function couldn't retrieve the cookie, but User.Identity.Name worked. Any ideas?

ming2005
10/14/2005 9:24:23 PM
Two things ... when you are using FormsAuthentication.RedirectFromLoginPage, you don't write the following line

Response.Cookies.Add(authCookie)

RedirectFromLoginPage automatically adds the cookie.

Second, you are using the Split function to split the string stored in the cookie by ','. According to your code the string is "manager", i.e. without any comma. Make sure what the value of roles is in the AuthenticateRequest before you create a GenericPrincipal from it ... Put a breakpoint and walk through the lines and verify what you are assigning ...

  Consult the following article for a detailed explanation ....

How To: Create GenericPrincipal Objects with Forms Authentication
ASP.Net Tips & Tricks - Jawad's Blog
JawadKhan
10/14/2005 11:22:31 PM
I am kind of desperate here. I put breakpoints and checked each line. The problem is that in the Application_AuthenticateRequest function, the authticket contains different information, except that the username/version are correct. The expiration time is not what I designed and the user data is empty. What went wrong?
ming2005
10/19/2005 7:12:15 PM
You should check the size of your cookie too. The maximum size for a cookie can be 64KB. Just try to put a really small string in the UserData and test it first. Also turn tracing on and enable the page output for tracing. You should see the encrypted cookie value in the tracing output on the page. It seems the cookie is not getting set properly. Follow a sample for role-based security first, then start making your changes in steps.
ASP.Net Tips & Tricks - Jawad's Blog
JawadKhan
10/20/2005 3:34:16 PM
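A complete login-plus-Application_AuthenticateRequest sample, added here as an editor's example; it is not code from this thread or from the MSDN article, and it also answers the follow-up question about keeping the user's organization next to the roles. The "org=...;roles=..." layout for UserData, the TicketUserData and OrgPrincipal classes and the IssueTicket method are this example's own names, not framework APIs; it assumes .NET 1.1 or 2.0 Forms authentication with a machineKey configured (HttpCookie.HttpOnly needs 2.0). Two facts about the framework explain the symptom reported above (correct user name and version, wrong expiry, empty UserData): FormsAuthentication.RedirectFromLoginPage calls SetAuthCookie, which writes its own ticket under the same cookie name using only the user name you pass, the timeout from web.config and an empty UserData, so the browser ends up with that ticket rather than the hand-built one; and its second parameter is a Boolean, so it should receive False, not the string "false". The example therefore writes the ticket itself and redirects through GetRedirectUrl, which only reads ReturnUrl and issues no cookie.

```vb
' Added example, not code from this thread. Assumes .NET 1.1/2.0 Forms authentication with a
' machineKey; TicketUserData, OrgPrincipal, IssueTicket and the UserData layout are assumptions.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' What goes into FormsAuthenticationTicket.UserData: the organization plus the roles.
Public Class TicketUserData
    Public Organization As String = ""
    Public Roles As String() = New String() {}
    ' Serialize as "org=<organization>;roles=<r1,r2,...>". Values may not contain the
    ' delimiters, otherwise a crafted organization name could smuggle in extra roles.
    Public Function Serialize() As String
        Dim delimiters As Char() = New Char() {";"c, "="c, ","c}
        If Organization.IndexOfAny(delimiters) >= 0 Then
            Throw New ArgumentException("organization contains a delimiter")
        End If
        Dim r As String
        For Each r In Roles
            If r.Length = 0 OrElse r.IndexOfAny(delimiters) >= 0 Then
                Throw New ArgumentException("bad role name: " & r)
            End If
        Next
        Return "org=" & Organization & ";roles=" & String.Join(",", Roles)
    End Function
    ' Inverse of Serialize. Empty or unrecognised UserData yields no roles at all.
    Public Shared Function Parse(ByVal userData As String) As TicketUserData
        Dim result As New TicketUserData
        If userData Is Nothing OrElse userData.Length = 0 Then Return result
        Dim field As String
        For Each field In userData.Split(";"c)
            Dim eq As Integer = field.IndexOf("="c)
            If eq > 0 Then
                Dim key As String = field.Substring(0, eq)
                Dim value As String = field.Substring(eq + 1)
                If key = "org" Then
                    result.Organization = value
                ElseIf key = "roles" AndAlso value.Length > 0 Then
                    result.Roles = value.Split(","c)
                End If
            End If
        Next
        Return result
    End Function
End Class

' GenericPrincipal keeps answering IsInRole; the organization rides along with it.
Public Class OrgPrincipal
    Inherits GenericPrincipal
    Private ReadOnly _organization As String
    Public Sub New(ByVal identity As IIdentity, ByVal roles As String(), ByVal organization As String)
        MyBase.New(identity, roles)
        _organization = organization
    End Sub
    Public ReadOnly Property Organization() As String
        Get
            Return _organization
        End Get
    End Property
End Class

' Class behind Global.asax (point its Inherits attribute at this name).
Public Class Global_asax
    Inherits HttpApplication
    ' The login page calls this after the password check, instead of RedirectFromLoginPage,
    ' which would issue a second cookie (no UserData, web.config timeout) under the same name.
    Public Shared Sub IssueTicket(ByVal response As HttpResponse, ByVal username As String, ByVal data As TicketUserData)
        Dim ticket As New FormsAuthenticationTicket(1, username, DateTime.Now, _
            DateTime.Now.AddHours(3), False, data.Serialize(), FormsAuthentication.FormsCookiePath)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.HttpOnly = True                          ' .NET 2.0 and later: script cannot read the ticket
        cookie.Secure = FormsAuthentication.RequireSSL
        response.Cookies.Add(cookie)
        ' GetRedirectUrl only reads ReturnUrl. Older frameworks hand it back unchecked, so
        ' refuse anything that is not a path on this site (open-redirect guard).
        Dim target As String = FormsAuthentication.GetRedirectUrl(username, False)
        If Not target.StartsWith("/") OrElse target.StartsWith("//") OrElse target.StartsWith("/\") Then
            target = "/"
        End If
        response.Redirect(target)
    End Sub
    ' Runs on every request: rebuild the principal from the ticket, never from request data.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim cookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing Then Return
        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)     ' verifies the machineKey MAC
        Catch ex As Exception
            ticket = Nothing                                       ' tampered or foreign cookie
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return     ' request stays anonymous
        Dim data As TicketUserData = TicketUserData.Parse(ticket.UserData)
        Context.User = New OrgPrincipal(New FormsIdentity(ticket), data.Roles, data.Organization)
    End Sub
End Class
```

From the login page, after the password has been verified, call Global_asax.IssueTicket(Response, txt1.Text, data) with data.Organization and data.Roles filled from the database. Pages keep using User.IsInRole("manager"), and <allow roles="manager"/> in web.config works against the same principal; the organization is read with CType(User, OrgPrincipal).Organization after a TypeOf User Is OrgPrincipal check. Because the roles travel inside the ticket, a role change on the server only takes effect when a new ticket is issued, and the client cannot widen them since Decrypt rejects any cookie whose MAC does not verify before UserData is looked at.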