XML-driven Roles-Based Security:



1. What is the best way to avoid having to get the roles for the current

user on each page request and recreate the custom IPrinciple Security

object? I thought about putting the roles string in a Session variable, but

then I discovered that I can't access Session variables from the global.vb

(I have the code for associating roles with the user in

Application_AuthenticateRequest). I also considered storing

Contex.User.Identity.Name in the Application State, but am not sure if this

is a good idea. I just wish we could access Session variables from the

global.asax codebehind.



2. I have an XML document which stores SecurityRoles and SitePages (we

adapted the IBuySpy PortalVB Portal.Config and supporting serialization

Classes). It we do not cache the deserialized XML data (that is, we

deserialize on every page request), all works fine. But as soon as we turn

on caching, only the first time that we access the site does everything work

fine. On subsequent hits, things go awry: No errors are thrown, but Roles

don't get processed, page access is typically denied, some links have the

wrong URLs, images don't load properly, etc. Any ideas?



Patrick Barnes

Web Application Developer

Geonetric Technologies

200 1st Avenue NE  Suite 220

Cedar Rapids, Iowa  52401

P:319.221.1667 / F:319.221.1450 / www.geonetric.com