simple question with respect to roles

Topics: Web Client Software Factory
Jun 29, 2010 at 6:24 PM
Edited Jun 29, 2010 at 6:28 PM

I'm using the asp.net 2.0 roles provider as my authentication mechanism and have pre-defined roles already in the database.

In the MVP pattern I see RegisterSiteMapInformation and I don't see a clear way to do the following...

if (HttpContext.Current.User.IsInRole(roleName) == true) {
    // register site map nodes based on role
}

is there a section in the guidance documentation I'm overlooking?

when I look at Microsoft.Practices.CompositeWeb.Web.HttpContext I don't see much...

I'm in my shell module initializer btw...so it would probably check to see if you are authenticated

then what you are authorized to see with respect to the site map nodes...

 

 

Jul 1, 2010 at 8:42 PM
Edited Jul 1, 2010 at 8:42 PM

does anybody have the answer I'm looking for?  it's a really simple concept....based on your role you see certain links.  in the links you don't see (if you know the page name for example 'Admin/AddUser.aspx' we add a role check in the OnViewInitialized and display access denied if not in the proper role) we are going to check your role assignment...

 

ms-help://MS.VSCC.v90/MS.VSIPCC.v90/ms.practices.wcsf.2008feb/WCSF/html/5683d830-8ed4-470e-8a71-5256328aeb11.html is not what I'm looking for.  I'm looking for user.IsInRole(rolename) == true....

Jul 2, 2010 at 7:55 PM
Edited Jul 2, 2010 at 7:56 PM

Hi,

One of the possibilities for accessing the HttpContext in a Web Client application is using the HttpContextLocatorService. But you would run into a problem when accessing the user because when the ShellModuleInitializer is instantiated, the authentication process wouldn't be performed yet in the pipeline, so the user would still be null. Anyways, the code would look like this:

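private readonly IHttpContext httpContext;

// The locator service is injected by the container; at this point in the
// pipeline authentication has not run, so httpContext.User is still null.
public ShellModuleInitializer([ServiceDependency] IHttpContextLocatorService httpContextService)
{
    this.httpContext = httpContextService.GetCurrentContext();
}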

For more information about how to access the HttpContext you could take a look at this forum thread.

That said, as WCSF uses EntLib you could secure your application by using EntLib Security App Block, which allows you to get the same result by configuring authorization rules (for further information visit this page). As for how to configure it, first you have to add rules in your main web configuration file as shown below:

<securityConfiguration defaultAuthorizationInstance="RuleProvider" defaultSecurityCacheInstance="">
  <authorizationProviders>
    <add type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider...">
      <rules>
        <add expression="R:Manager" name="AllowViewManagersList"/>
      </rules>
    </add>
  </authorizationProviders>
</securityConfiguration>

And then you have to add an entry in configuration files of your modules for a particular rule. For example like the following one:

<compositeWeb>
  <modules> ... </modules>
  <authorization>
    <rule Url="~/HRModule/ManagersList.aspx" Rule="AllowViewManagersList" />
  </authorization>
</compositeWeb>

Additionally, you can take a look at the Global Bank Reference Implementation (see the User profile based UIs section), as this has been secured with EntLib Security Application Block.

Please let me know if this helps.

Fernando Antivero
http://blogs.southworks.net/fantivero
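
One way to work around the null user at initialization, shown as an added example that is not part of the original posts and is not WCSF or EntLib code: record the required role with each node in the initializer, then evaluate it per request, when the principal is populated. NodeRule, SiteMapAuthorization and the sample user are hypothetical names; the role check itself is the standard IPrincipal.IsInRole.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical types for illustration; not WCSF or EntLib classes.
sealed class NodeRule { public string Url, Title, RequiredRole; } // null role = any user
static class SiteMapAuthorization
{
    static readonly List<NodeRule> Nodes = new List<NodeRule>();
    // Module-initializer time: no user exists yet, so only record the rule.
    public static void Register(string url, string title, string requiredRole)
    {
        Nodes.Add(new NodeRule { Url = url, Title = title, RequiredRole = requiredRole });
    }

    // Request time: the principal is populated (HttpContext.Current.User in ASP.NET).
    public static bool IsAllowed(IPrincipal user, NodeRule node)
    {
        if (node.RequiredRole == null) return true;
        return user != null && user.Identity.IsAuthenticated && user.IsInRole(node.RequiredRole);
    }

    // Menu trimming is cosmetic: it only hides links the user cannot use.
    public static IEnumerable<NodeRule> VisibleNodes(IPrincipal user)
    {
        return Nodes.Where(n => IsAllowed(user, n));
    }

    // Enforcement on each page request; URLs with no registered rule are denied.
    public static bool CanRequest(IPrincipal user, string url)
    {
        NodeRule node = Nodes.FirstOrDefault(
            n => string.Equals(n.Url, url, StringComparison.OrdinalIgnoreCase));
        return node != null && IsAllowed(user, node);
    }
}
static class Demo
{
    static void Main()
    {
        SiteMapAuthorization.Register("~/Default.aspx", "Home", null);
        SiteMapAuthorization.Register("~/Admin/AddUser.aspx", "Add user", "Admin");
        // Constructed principal standing in for a user loaded by the role provider.
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk" });
        Console.WriteLine(string.Join(", ", SiteMapAuthorization.VisibleNodes(clerk).Select(n => n.Title)));
        Console.WriteLine(SiteMapAuthorization.CanRequest(clerk, "~/Admin/AddUser.aspx"));
    }
}
```

The CanRequest check is the actual access control: hiding a link does not stop a direct request for a page such as 'Admin/AddUser.aspx', so the same rule has to be evaluated when the page is requested.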

 

Jul 3, 2010 at 3:23 AM

Thanks Fernando,

it actually doesn't help - but thank you for your reply.  You should be able to fit into any authorization/authentication process in the shell.  I'll probably not propose using wcsf as the base for MVP in our development strategy.  We have an existing database that uses ASP.NET 2.0 Roles providers and initializing in the shell module based on what the current user's role is is important.