Role-based Security without Forms Authentication in ASP .NET

Question

I would like to take advantage of:

        Page.User.IsInRole("CustomRole");
        Page.User.Identity.IsAuthenticated

when working inside Page methods, as well as authorization section in web.config:

<authorization>
    <allow roles="Administrators, Supervisors" />
    <deny users="*" />
</authorization>

and also apply rules on classes and methods level:

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")] 

In my application I authenticate with ... custom mechanism that provides me user identity in ... http header. I get users PIN number (some kind of ID) + roles. But that is a side plot. It doesn't matter.

What I actually want to achieve is to take advantage of ASP .NET build in Authorization features but having my custom authentication mechanism. I guess I have to implement IPrincipal and IIdentity, is that right? I saw plenty of samples on the web but all of them include web.config configuration that specifies providers, and also FormsAuthentication like classes, that I guess I don't need. I just need to inject my user object (which is prepared by me) into request and that's it.

So:

• what's the easiest way to achieve it?
• what is the difference between GenericPrincipal / IPrincipal?

• how to get/create IIdentity object? I saw samples with:

  var id = new FormsIdentity(authTicket);

but I'm not using FormsAuthentication.

Thanks

Answer 1

In short, you have to implement your own authentication module.

An authentication module is just an ASP.NET module but having special purpose. Its AuthenticateRequest method should populate HttpContext.Current.User property with an instance of IPrincipal.

Answering your other questions: IPrincipal is just an interface while GenericPrincipal is one of its implementations. You can use it, as the name suggests it's just a generic implementation which means that it should suit you. Since IPrincipal is just IIdentity plus roles, you probably will also need GenericIdentity.

Other implementations, like RolePrincipal + FormsIdentity are designed for specific purposes, these two for example are used by the Forms Authentication Module.

There are some good examples available, just google for "custom authentication module".

Answer 2

Before you do (create/implement your own), have you tried/considered adapting Forms Authentication to your existing auth scheme?

I think you're "almost there" (using all of the built-in ASP.net auth/membership/profiles/roles), and it maybe easier/simpler to just "plug in" your existing auth scheme into Forms Authentication.

This snippet of code should give you an idea of how flexible Forms Authentication can be:

if ((UserEmail.Text == "[email protected]") && (UserPass.Text == "37Yj*99Ps"))
{
      FormsAuthentication.RedirectFromLoginPage 
         (UserEmail.Text, Persist.Checked);
}
else
{ ... }

So, it works with a hard coded "auth scheme" (not that you should, but gives you an idea of the possibilities), or even a list in web.config - again, just a sample:

<authentication mode="Forms">
  <forms name=".FUBAR">
    <credentials passwordFormat="MD5">
      <user name="foo" password="b7ab5072e8fba7bed20384cc42e96193"/>
      <user name="bar" password="1c42e49a360aa7cc337a268a1446a062"/>
      <user name="john" password="5f4dcc3b5aa765d61d8327deb882cf99"/>
      <user name="jane" password="7c6a180b36896a0a8c02787eeafb0e4c"/>
    </credentials>
  </forms>
</authentication>

Just a thought - hth....