Question

I am working on an ASP.NET MVC 3 application.

I have implemented custom Principal and Identity classes that I am using for user authentication and authorization. I am using Forms Authentication.

In all of my controllers I am using the AuthorizeAttribute to check if the user is in one of my custom roles to restrict or grant access to features according to the user's permissions.

When I created the project I used the "ASP.NET MVC 3 Web Application" template which included default models and controllers for a user's Account.

I have added significant functionality to the project and have modified it to work with the custom Principal and Identity classes which do not utilize the built-in ASPNETDB database at all.

Everything is working fine on my development machine; however, when I deploy the project to the beta web server I am experiencing an error when the user is not authenticated and they attempt to go directly to a feature.

The error message is "Access to the path '...\App_Data' is denied."

The Stack Trace is as follows:

at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
   at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
   at System.IO.Directory.CreateDirectory(String path)
   at System.Web.DataAccess.SqlConnectionHelper.CreateMdfFile(String fullFileName, String dataDir, String connectionString)
   at System.Web.DataAccess.SqlConnectionHelper.EnsureDBFile(String connectionString)
   at System.Web.DataAccess.SqlConnectionHelper.GetConnection(String connectionString, Boolean revertImpersonation)
   at System.Web.Security.SqlRoleProvider.GetRolesForUser(String username)
   at WebMatrix.WebData.SimpleRoleProvider.GetRolesForUser(String username)
   at System.Web.Security.RolePrincipal.IsInRole(String role)
   at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
   at System.Web.Mvc.AuthorizeAttribute.AuthorizeCore(HttpContextBase httpContext)
   at System.Web.Mvc.AuthorizeAttribute.OnAuthorization(AuthorizationContext filterContext)

The reason the error is occurring is because there is no App_Data folder, nor is there an ASPNETDB.MDF file because the application is supposed to be using the custom Principal class.

This error seems to occur when the AuthorizeAttribute attempts to check permissions but the custom Principal type was not applied to the current thread because the user is no longer logged in.

For example, if the user typed the URL http://theWebsite/theContoller/theRestrictedFeature/ into their web browser the web server would crash when it executed the line <Authorize(Roles:="Has007Access")> for the theRestrictedFeature function in my controller.

I'm really not sure how to fix this problem and would like some advice on how to proceed.


Solution 2

The problem was that I had used the "Add Deployable Dependencies" tool which added "Web Matrix" components to my project.

These components were attempting to create the ASPNETDB database in the App_Data folder when the AuthorizeAttribute was checking the roles of the current principal.

The crazy thing about this is that most web servers are locked down with permissions and the Web Matrix tools would never be able to accomplish this.

All I had to do was remove these components from my project and everything works fine now.

I also had to clear all memberships, role managers, and profile providers in the web config as well like this:

<membership>
    <providers>
        <clear />       
    </providers>
</membership>
<roleManager enabled="false">
    <providers>
        <clear />       
    </providers>
</roleManager>
<profile>
    <providers>
        <clear />       
    </providers>
</profile>

Lastly, I had to remove all usage of the AuthorizeAttribute. I replaced it with a custom class that inherits from AuthorizeAttribute and takes appropriate steps to determine if the user is authorized to access a particular feature by overriding the OnAuthorization method.
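
As an added example (not the answerer's code), here is one way such an attribute could look in VB.NET. It overrides AuthorizeCore, which the stack trace above shows OnAuthorization calling, and rejects anonymous requests and any principal that is not the application's own type before looking at roles, so no role provider is ever consulted. CustomPrincipal and CustomAuthorizeAttribute are hypothetical names.

```vbnet
Imports System
Imports System.Linq
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Mvc

' Added example. CustomPrincipal is a hypothetical stand-in for the
' application's own IPrincipal implementation; roles are held in memory.
Public Class CustomPrincipal
    Implements IPrincipal
    Private ReadOnly _identity As IIdentity
    Private ReadOnly _roles As String()

    Public Sub New(identity As IIdentity, roles As String())
        _identity = identity
        _roles = If(roles, New String() {})
    End Sub

    Public ReadOnly Property Identity As IIdentity Implements IPrincipal.Identity
        Get
            Return _identity
        End Get
    End Property

    Public Function IsInRole(role As String) As Boolean Implements IPrincipal.IsInRole
        Return _roles.Contains(role, StringComparer.OrdinalIgnoreCase)
    End Function
End Class

' Hypothetical replacement for the stock attribute.
Public Class CustomAuthorizeAttribute
    Inherits AuthorizeAttribute

    Protected Overrides Function AuthorizeCore(context As HttpContextBase) As Boolean
        ' Anonymous request: deny before any role lookup happens.
        Dim user As IPrincipal = context.User
        If user Is Nothing OrElse user.Identity Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return False

        ' Fail closed if the principal is not the application's own type,
        ' e.g. a RolePrincipal that would call into a configured role provider.
        Dim principal = TryCast(user, CustomPrincipal)
        If principal Is Nothing Then Return False

        ' Roles is the attribute's comma-separated string, as in Roles:="A,B".
        Dim required = Roles.Split(","c).Select(Function(r) r.Trim()).Where(Function(r) r.Length > 0).ToArray()
        Return required.Length = 0 OrElse required.Any(Function(r) principal.IsInRole(r))
    End Function
End Class
```

It would be applied as <CustomAuthorize(Roles:="Has007Access")> in place of the stock attribute. This version ignores the attribute's Users property.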

Other tips

You seem to have some fundamental misunderstandings of how Principals, Identity, and Roles work in Asp.net.

First, none of them "utilize the built in ASPNETDB database". The whole point of these systems is that they are interface based mechanisms that provide no implementation whatsoever. You can plug in any implementation you want. Asp.net does supply several implementations you can use, and some templates configure these implementations by default, but they are just providers and can be added or removed.

Make sure you clear your providers list before you add your custom providers. This will ensure that default providers don't get used by accident.

Also, you must be doing something wrong. If the user is not logged in, then the user's role should not be checked. You must have code that is checking the role without first checking to see if the request is authorized.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow