Authorize attribute not working with roles

c# asp.net asp.net-mvc forms-authentication
15,467

I stumbled upon a similar example of your code: the highest voted answer of MVC - How to store/assign roles of authenticated users.

The AuthorizeAttribute calls the IsInRole method on the IPrincipal instance stored in HttpContext.User. By default IPrincipal has no roles, and in this case IsInRole will always return false. This is why access to your action is denied.

Since you have stored the user's roles into the FormsAuthenticationTicket's UserData property, you must extract the roles from the auth cookie and into a IPrincipal instance yourself. The highest voted answer of MVC - How to store/assign roles of authenticated users provides the code that you can add directly into your global.asax.cs file to do just this. I have repeated it below:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)
    {
      FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
      string[] roles = authTicket.UserData.Split(',');
      GenericPrincipal userPrincipal = new GenericPrincipal(new GenericIdentity(authTicket.Name), roles);
      Context.User = userPrincipal;
    }
}
Share:
15,467

Related videos on Youtube

Jonathan
Author by

Jonathan

Updated on June 05, 2022

Comments

  • Jonathan
    Jonathan almost 2 years

    I'm having trouble in getting the Authorize attribute to work with roles. This is how I've decorated my controller:

    [Authorize(Roles = "admin")]
public ActionResult Index()
{
    ...
}

    and this is how I log a user in:

    string roles = "admin";
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
    1,
    username,
    DateTime.Now,
    DateTime.Now.AddMinutes(30),
    false,
    roles
);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(authTicket));
HttpContext.Current.Response.Cookies.Add(cookie);

    But my user is still denied access. Where am I going wrong?

  • c-sharp-and-swiftui-devni
    c-sharp-and-swiftui-devni almost 4 years
    Is this on signin I persume ?. Or where should I do this in a asp.net core application.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Getting the current user id (not name) using forms authentication?
Storing more information using FormsAuthentication.SetAuthCookie
MVC5 Where to put authentication forms in web.config?
How to implement authorization checks in ASP.NET MVC based on Session data?
Unable to logout from ASP.NET MVC application using FormsAuthentication.SignOut()
Thread.CurrentPrincipal claims incorrectly to be anynomous
System.Web.HttpContext.Current.get returned null in asp.net mvc controller
What is SignalR's browser compatibility?
Form Builder On the fly With asp.net mvc site
ASP.Net MVC 3 Login and Windows Authentication