RoleManagerModule and RolePrincipal object
22-08-2019
Question
According to my book, if role management is enabled, then RoleManagerModule creates the security context of the user by assigning a RolePrincipal object to HttpRequest.User. But isn’t the security context already created (thus a principal object being assigned to HttpContext.User) by FormsAuthenticationModule, which is called prior to RoleManagerModule being called?
I’m asking this because in the following code the principal object assigned to HttpRequest.User already exists, even though RoleManagerModule has not yet been called:
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated && Roles.Enabled)
        {
            //here we subscribe user to a role via Roles.AddUserToRole()
        }
    }
So is the principal object, created by FormsAuthenticationModule and assigned to HttpRequest.User, later replaced by a RolePrincipal object (created by RoleManagerModule)?
Solution
According to this article:
If the Roles framework is enabled, the RoleManagerModule HTTP Module steps in after the FormsAuthenticationModule and identifies the authenticated user’s roles during the PostAuthenticateRequest event, which fires after the AuthenticateRequest event. If the request is from an authenticated user, the RoleManagerModule overwrites the GenericPrincipal object created by the FormsAuthenticationModule and replaces it with a RolePrincipal object. The RolePrincipal class uses the Roles API to determine what roles the user belongs to.
So you're right.
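The ordering described in the quoted article matters for authorization code: a role check made during AuthenticateRequest runs against the role-less GenericPrincipal, so it belongs in PostAuthenticateRequest or later. The Global.asax.cs below is an added example, not code from the question or the article; it assumes Forms authentication with roleManager enabled in web.config, and the "Admin" role and "/admin" path are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const string AdminRole = "Admin";   // hypothetical role name
    private const string AdminPath = "/admin";  // hypothetical protected path

    // FormsAuthenticationModule has already set Context.User at this point.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        // Per the article: a GenericPrincipal created by FormsAuthenticationModule.
        Trace.WriteLine("AuthenticateRequest principal: " + user.GetType().Name);

        // This principal carries no roles, so IsInRole is not a usable check yet.
        // The Roles API asks the role provider directly and works at this stage.
        bool viaPrincipal = user.IsInRole(AdminRole);
        bool viaProvider = Roles.Enabled &&
                           Roles.IsUserInRole(user.Identity.Name, AdminRole);
        Trace.WriteLine("IsInRole=" + viaPrincipal + " provider=" + viaProvider);
    }

    // RoleManagerModule swaps in a RolePrincipal during PostAuthenticateRequest.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        RolePrincipal rolePrincipal = Context.User as RolePrincipal;
        bool adminArea = Request.Path.StartsWith(
            AdminPath, StringComparison.OrdinalIgnoreCase);

        if (rolePrincipal != null)
            Trace.WriteLine("Roles: " + string.Join(",", rolePrincipal.GetRoles()));

        // Fail closed: no RolePrincipal (anonymous user, or role management
        // disabled) or no Admin role means the admin area is refused.
        if (adminArea && (rolePrincipal == null || !rolePrincipal.IsInRole(AdminRole)))
        {
            Response.StatusCode = 403;
            CompleteRequest();
        }
    }
}
```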