Problems using Roles authentication with a custom Principal by ThinqLinq

I'm having difficulty using roles in my forms authentication in an ASP 2.0 application. I have set up my custom Principal and Identity objects and am persisting them into the CSLA.ApplicationContext.User in the global.asax. I have set the security on the main site with the following in Web.config:

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" name="CorrespondentWeb"/>
</authentication>
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>

In the child path, I have tightened the authentication to only allow "Admin" users to access that portion as follows:

<authorization>
    <allow roles="Admin"/>
    <deny users="*"/>
</authorization>

I set the SiteMap to use security trimming and that part appears to be working correctly. However, when a user who is in the "Admin" role tries to access one of the files in that directory, they are bumped back to the login page. I have checked the security and the .IsInRole is not being called on page access as I would expect. It is being called by the Menu to check the security trimming properly.

In reading more about role management, I have tried to add a custom RoleProvider. The GetRolesForUser method is called (apparently by the forms authentication). Here is where the fun exists. Instead of just checking the .IsInRole or IsUserInRole method, it requires access to the entire string array of the roles which is not exposed by the Principal or Identity. Thus, I extended Principal and Identity to expose the mRoles as a string array publicly from the Principal and Friend from Identity (so that Principal could pass it on through). Here is what I came up with then for GetRolesForUser:

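Public Overrides Function GetRolesForUser(ByVal username As String) As String()
    ' Only answer for the user attached to the current request.
    If CSLA.ApplicationContext.User.Identity.Name <> username Then
        ' Zero-length array, so no Nothing entry is reported as a role.
        Return New String() {}
    Else
        ' Throws InvalidCastException when the current principal is not a BusinessPrincipal.
        Return CType(CSLA.ApplicationContext.User, LarsBo.Security.BusinessPrincipal).Roles
    End If
End Function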

The catch here is that CSLA.ApplicationContext.User, which just exposes HttpContext.Current.User, has a different underlying datatype than other references to the object. In this case it is holding a System.Web.Security.RolePrincipal containing a System.Web.Security.FormsIdentity object. Apparently, these are populated from a clone of the original Principal/Identity and replaced it at some point. Since they don't have a reference to the original Principal, I can't cast it to my custom BusinessPrincipal which exposed the Roles string array.

I really don't want to have to run back to the database to pull information which is already in memory in order to get this functionality. I have spent the last couple days hitting my head into the wall and could use a little assistance. Please help me get rid of this headache.
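
An added example, not part of the original post or of CSLA: one common way to give the `<allow roles="Admin"/>` check a role-aware principal without a database call is to carry the roles in the forms authentication ticket and rebuild the principal in Application_AuthenticateRequest, which runs before URL authorization is evaluated. It assumes the login page stored the roles in the ticket's UserData as a ";"-separated string, and it uses a plain GenericPrincipal in place of the post's BusinessPrincipal.

```vb
' Global.asax.vb (added example; the ";"-separated UserData layout is an assumption)
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits HttpApplication

    ' Fires before UrlAuthorizationModule evaluates <allow roles="Admin"/>,
    ' so the principal assigned here is the one IsInRole is called on.
    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim cookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then Return

        Dim ticket As FormsAuthenticationTicket
        Try
            ' With the default protection="All" the ticket is encrypted and
            ' integrity-checked, so a client cannot edit the role list.
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As ArgumentException
            Return ' malformed or tampered cookie: request stays anonymous
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return

        ' Assumption: the login page wrote roles into UserData, e.g. "Admin;Editor".
        Dim roles As String() = ticket.UserData.Split( _
            New Char() {";"c}, StringSplitOptions.RemoveEmptyEntries)

        ' GenericPrincipal.IsInRole answers from this in-memory array.
        Context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub
End Class
```

Roles carried this way stay in effect until the ticket expires or is reissued, so removing a user from "Admin" is not seen until then. The example also assumes the roleManager feature is left disabled, since when enabled it substitutes its own RolePrincipal, as the post observes.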
