https://www.codeproject.com/Articles/36836/Forms-Authentication-and-Role-based-Authorization
Problem Space
Sad, but true, “Forms authentication in ASP.NET does not directly support role based authorization”.
If you have ended up implementing Forms authentication along with configuring authorization rules for “users” and “roles” in the web.config, you are going to see the access rules working fine for “users”, but, not working at all for “roles”.
You might have thought, there must be some way to specify user roles in the famous FormsAuthentication.RedirectFromLoginPage(), or, any other method. But, there isn't!
Background
This is really surprising because, in real life, most applications (if not all) actually require authorization of system resources based upon user roles, not user names.
So, if you are going to use Forms authentication in your upcoming ASP.NET application, and you need to implement role based authorization in your system, you have a problem.
Wait, this is not entirely true(have a problem is not true), because of two reasons:
Reason 1:
Since ASP.NET 2.0, we have Membership.
It includes Membership (User) service, Role service, and Profile (User properties) service.
And, using Membership, you can easily implement Role based authorization in your ASP.NET application.
Reason 2:
Even if you don't use Membership, you can write some code to implement Role based authorization in Forms authentication.
Basically, you need to create the authentication ticket yourself and push the user roles in the “UserData” property after authenticating the user.
Also, you need to retrieve user roles from the same “UserData” property in the authentication ticket and set it in the current User property in the subsequent requests.
This trick works, and many have done this already.
So, What is this Article About?
Well, this article assumes that you did use Forms authentication directly instead of ASP.NET Membership in your application for some good reasons.
Consequently, you implemented Role based authorization as suggested by lots of articles on the web (like this one).
But I tell you, you probably ended up doing an incorrect and incomplete implementation, and you might have problems in the near future.
This article is going to address the problems with the suggested implementation approaches, and provide you a correct, smart, and quick way of implementing Role based authorization in case you are not using ASP.NET Membership in your system.
All you'll need is 5 minutes to implement this!
Please take a look at this article before you proceed, in case you are new to ASP.NET and wondering about Forms Authentication.
OK, So What is the Problem with the Suggested Approaches?
As was said already, the suggested approaches for implementing Role based authorization have some problems, and I realized those while trying to implement them in one of my ASP.NET applications.
I did what was suggested in one of those articles, and found that the authorization was working fine. But, in order to fulfill a client request, I had to increase the cookie timeout property in the <forms> element and set it to “120” (120 minutes), and found that, the timeout value change didn't have any impact on the application. Exploring this, I was surprised to see that the system was never reading the increased value; rather, it was always reading “30”, the default value.
I was curious to investigate this issue and found another problem. I specified cookieless="UseUri" in the <forms> element, to test whether the Forms authentication worked (by writing authentication ticket in the request URL) if cookies are disabled in the client’s browser. Surprise again, now the system stopped authenticating the user!
Besides, I had a quick look at the authentication/authorization code (that was written to implement Role based authorization as suggested), and thought, why do I have to write all these codes? It should be fairly easy for anybody to implement it just by changing one or two lines of code.
So, I decided to write my own code, and share it with you!
How Easy Is It for You to Use my Implementation?
Well, I assume that you already have implemented Forms authentication in your application and configured stuff in the web.config.
So, to implement Role based authorization, now you just need to do following three easy things, requiring a maximum of five minutes in total to implement.
- Add a reference to RoleBasedFormAuthentication.dll (which you can download from this article, along with the source code) in your web site/project.
- Instead of calling the following method after authenticating the user:
Hide Copy Code
FormsAuthentication.RedirectFromLoginPage(userName,createPersistantCookie);
call the following method:
Hide Copy CodeFormsAuthenticationUtil.RedirectFromLoginPage(userName, commaSeperatedRoles, createPersistantCookie); - Add the following code in the Global.asax file, or, change the code if it is already there:
Hide Copy Code
protected void Application_AuthenticateRequest(Object sender,EventArgs e) { FormsAuthenticationUtil.AttachRolesToUser(); }
That’s it, you are done.
Curious? Here are the Details
I created my version of the authentication/authorization code and had overcome the three mentioned issues, as follows:
Solving the “timeout” Problem
While creating the FormsAuthenticationTicketobject, we need to provide five parameters.
Take a look at the following method which creates the authentication ticket: