How can user's custom Principal object be rembered ?

dars · May 6th, 2016, 10:31 AM

Hello,

I am implementing a custom HTTPModule to provide authentication/authorization by reading credentials off a smartcard's certificate. The HTTPModule creates a custom implementation of the IPrincipal interface and assigns it to the Context's User object.

The custom principal object looks like this:

Code:

public class SmartCardPrincipal : IPrincipal
    {
        private SmartCardIdentity _identity;
        private Hashtable _roles;
        private bool _rolesLoaded;
       
        public IIdentity Identity
        {
            get
            {
                return this._identity;
            }
        }

        public bool IsInRole(string role)
        {
            if (!_rolesLoaded)
            {

                _roles = new Hashtable();

                //Query SQL Server Database for User's Roles, based on user's email address contained in SmartCardIdentity (read off user's SmartCard)
           
               [ Database Code ]

               _rolesLoaded = true;
                
            }
            return _roles.Contains(role);
        }

        public SmartCardPrincipal(SmartCardIdentity identity)
        {
            this._identity = identity;
            this._rolesLoaded = false;  
        }
    }

SmartCardIdentity is a custom implementation of IIdentity interface and contains the email address and name read off the user's SmartCard.

The problem I am having is the Context's User object is set to null on every postback. So the hashtable of roles is destroyed along with the whole principal object. So the database is being queried for the user's roles every time something is selected in a listbox or a button is pressed. This seems way too inefficient.

Is there any way for the asp.net website to remember the user's custom principal object between postbacks ? Can it be stored in a session variable ? I am thinking for forms authentication, the membership database is queried only once for a user and then the info is stored in a cookie. But I don't want to create a custom cookie.

thanks.

-- Edit: I did some testing it seems the session object is null in the HTTPModule, so doesn't look like session variable can be used. Any other way ?

dars · May 17th, 2016, 11:33 AM

Answered my own question ! (well not really, I found via google)

It turns out that session object is available to HttpModule, just have to wait for the right event to fire. In my case, I was able to get session object from PostAcquireRequestState event, and then store/retrieve my custom Principal object in that event. Something like this...

Code:

  public class SmartCardAuthenticationModule : IHttpModule
    {
        public SmartCardPrincipal  SmartCard { get; set; }

        public void Init(HttpApplication context)
        {
            context.PostAcquireRequestState += new EventHandler(Application_PostAcquireRequestState);

          }

        void Application_PostAcquireRequestState(object source, EventArgs e)
        {
            HttpApplication app = (HttpApplication)source;

            SmartCard = (SmartCardPrincipal)app.Session["UserPrincipal"];
            if (SmartCard == null)
                this.OnAuthenticateRequest(source); //get credentials and make database calls to get roles...
  
            app.Context.User = SmartCard;
            app.Session["UserPrincipal"] = SmartCard;

        }

There's more error trapping to add, like testing for null Session object, but above is general idea..