Geek Answers Handbook

Does the cache server provide the service provider upon request?

My MVC application uses the user role in several places during separate page requests. My question is, does SqlRoleProvider cache the current user roles for the page request lifetime by default?

For example, I use Roles in attributes in controller methods:

[Authorize(Roles = "Admin")]

and custom code

 if (user.IsInRole(MembershipRole.Admin)) { // Do something } else if (user.IsInRole(MembershipRole.Printer)) { // Do something else }

If the role provider does not cache roles, is the best solution for writing a custom role provider that inherits from the standard one and overrides the methods to get the Roles once and cache them for the duration of the Request? Can this be done so that both the Authorize attribute and my own code use cached roles?

(If you're interested, I don't want to use the cacheRolesInCookie web.config parameter to cache roles in cookies).

Thanks in advance for any suggestions.

[Edit to include details invoked from Joe’s response]

I decompiled System.Web.Mvc.AuthorizeAttribute and the AuthorizeCore method calls the following method for each role being checked:

 httpContext.User.IsInRole

Then, peering into System.Web.Security.RolePrincipal (this is what the β€œUser” is above), both methods below actually use a cached copy of the user roles (or populate the cache if they are empty):

 public string[] GetRoles() public bool IsInRole(string role)

The cache is stored as a user field, so its lifetime is throughout the request.

Methods will find roles using:

 Roles.Providers[this._ProviderName].GetRolesForUser(this.Identity.Name)

therefore, it will use any role provider that you have selected for the application (default or custom).

+8
asp.net-mvc roleprovider
source share
1 answer

If you use RoleProvider in an ASP.NET or ASP.NET MVC application, then HttpContext.User will refer to RolePrincipal , which acts as a cache for the request lifetime.

However, in a WCF service that uses ASP.NET roles:

 <behavior ...> <serviceAuthorization principalPermissionMode ="UseAspNetRoles" roleProviderName ="MyRoleProvider" /> </behavior>

this is not true: instead, HttpContext.User will refer to the internal class System.ServiceModel.Security.RoleProviderPrincipal , which does not cache roles: instead, it always calls RoleProvider.IsUserInRole .

Malicious RoleProviders do not perform caching, so this may result in reconnections to the underlying data store. It seems to me that this is a drawback: it would be easy to cache roles on first access.

- the best solution for writing a custom role provider that inherits from the standard one and overrides the methods for getting Roles once and caches them for the duration of the Request?

ASP.NET or ASP.NET MVC is not required, but can be provided for WCF. Caching for the duration of the Request will presumably use HttpContext.Items , therefore it will introduce a dependency on the existence of HttpContext , but this is not necessarily a problem, except for more complex unit testing.

Can this be done so that both the Authorize attribute and my own code use cached roles?

If you configure your own RoleProvider in web.config, you have nothing more to do for the Authorize attribute to use it.

+6
source share

More articles:


All Articles