C# – If authentication ticket also contains information about roles, then why…

Tags: asp.net, asp.net-membership, authorization, c#, forms-authentication

Q1 – The reason why the native UrlAuthorizationModule doesn’t understand roles is that role information is stored in a managed object implementing the IPrincipal interface, to which native modules don’t have access.

A) But if the native UrlAuthorizationModule understands the authentication ticket, and thus can work in conjunction with FormsAuthenticationModule, then why can’t it also work with the Roles module?

Namely, doesn’t this ticket also contain information about the roles the user is in? If so, then UrlAuthorizationModule could get all the information about roles from the ticket and thus wouldn’t need access to the IPrincipal object?!

Q2
The following article http://www.asp.net/learn/security/tutorial-11-vb.aspx claims:

If an anonymous user visits the site, neither the FormsAuthenticationModule nor the RoleManagerModule creates a principal object.

A) If the above claim were true, then wouldn’t the following code throw an exception, since the User property would contain a null reference:

        // Page.User is the IPrincipal stored in HttpContext.User
        if (User.Identity.IsAuthenticated)
            Label1.Text = "user is authenticated";
        else
            Label1.Text = "user is not authenticated";

Label1 displays “user is not authenticated”, which suggests that the User property is assigned an object implementing IPrincipal even if the user is not authenticated?!

Thanks

Best Answer

Regarding Q1: What if CacheRolesInCookie were set to false? Then there would not be enough info to determine the roles.

Regarding Q2: quoting from http://msdn.microsoft.com/en-us/library/aa302376.aspx

"The activated authentication module is responsible for creating an IPrincipal object and storing it in the HttpContext.User property. This is vital, because the downstream authorization modules use this IPrincipal object in order to make authorization decisions. In the absence of authentication (for example, where anonymous access is enabled within IIS and ASP.NET is configured with <authentication mode="None" />), there's a special non configured module that puts a default anonymous principal into the HttpContext.User property. As a result, HttpContext.User is always non-null after authentication."
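The following Global.asax.cs is an added example, not code from the question or the answer. It makes both points concrete. For Q1: a FormsAuthenticationTicket has no roles field; FormsAuthenticationModule only builds a GenericPrincipal with a FormsIdentity and an empty role list, and Role Manager's cacheRolesInCookie stores roles in its own separate cookie (default name .ASPXROLES), not in the ticket. If you want roles to travel with the ticket you must put them in UserData yourself and rebuild the principal, as below. For Q2: during AuthenticateRequest an anonymous request still has a null HttpContext.User; DefaultAuthenticationModule then fills in an anonymous GenericPrincipal, so by PostAuthenticateRequest (and in page code) User is never null and IsAuthenticated is simply false. IssueTicketWithRoles and the comma-separated UserData format are assumptions for illustration; the ordering of the pipeline events is standard ASP.NET behaviour.

```csharp
// Global.asax.cs (added example). Assumes roleManager is disabled in web.config;
// when it is enabled, RoleManagerModule replaces HttpContext.User with a
// RolePrincipal in PostAuthenticateRequest and would override what is done here.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical helper called from a login page after the credentials have
    // been verified. Roles are not part of the ticket format, so they are placed
    // in the free-form UserData field (comma-separated, an assumption of this example).
    public static void IssueTicketWithRoles(HttpResponse response, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue date
            DateTime.Now.AddMinutes(30),    // expiration
            false,                          // not persistent
            string.Join(",", roles),        // UserData: where the roles travel
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                              // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL       // honour <forms requireSSL="true"/>
        };
        response.Cookies.Add(cookie);
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already run for this event. For a request
        // without a valid ticket Context.User is still NULL at this point, because
        // DefaultAuthenticationModule only runs after AuthenticateRequest.
        if (Context.User == null)
            return;

        var identity = Context.User.Identity as FormsIdentity;
        if (identity == null)
            return;

        // Decrypted ticket issued by IssueTicketWithRoles. Without this step the
        // principal FormsAuthenticationModule created has no roles at all.
        FormsAuthenticationTicket ticket = identity.Ticket;
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');

        // Replace the role-less principal with one that knows the roles, so that
        // User.IsInRole(...) and the managed UrlAuthorizationModule can use them.
        Context.User = new GenericPrincipal(identity, roles);
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // DefaultAuthenticationModule has now run: User is never null here.
        // Anonymous requests get a GenericPrincipal over a GenericIdentity with an
        // empty name and empty authentication type, so IsAuthenticated is false
        // without any NullReferenceException, which is what Label1 in the question shows.
        IPrincipal user = Context.User;
        if (user == null)
            throw new InvalidOperationException("Unexpected: HttpContext.User is null after authentication.");

        Context.Items["IsAnonymous"] = !user.Identity.IsAuthenticated;
    }
}
```

Two practical caveats follow from this. First, because the anonymous principal is only installed between AuthenticateRequest and PostAuthenticateRequest, any module or Global.asax handler that touches Context.User in AuthenticateRequest must null-check it, while page code (which runs much later) can safely assume it is set. Second, roles placed in UserData are only as trustworthy as the ticket's protection: keep <machineKey> validation enabled (the default) so the encrypted and MAC-protected ticket cannot be edited to add roles client-side.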