2 // System.Web.Security.RoleManagerModule
5 // Ben Maurer (bmaurer@users.sourceforge.net)
11 // Permission is hereby granted, free of charge, to any person obtaining
12 // a copy of this software and associated documentation files (the
13 // "Software"), to deal in the Software without restriction, including
14 // without limitation the rights to use, copy, modify, merge, publish,
15 // distribute, sublicense, and/or sell copies of the Software, and to
16 // permit persons to whom the Software is furnished to do so, subject to
17 // the following conditions:
19 // The above copyright notice and this permission notice shall be
20 // included in all copies or substantial portions of the Software.
22 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
23 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
24 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
25 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
26 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
27 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
32 using System.ComponentModel;
33 using System.Collections;
34 using System.Collections.Specialized;
35 using System.Security.Principal;
37 using System.Threading;
38 using System.Web.Configuration;
40 namespace System.Web.Security {
41 public sealed class RoleManagerModule : IHttpModule
43 static readonly object getRolesEvent = new object ();
45 RoleManagerSection _config = null;
46 EventHandlerList events = new EventHandlerList ();
48 public event RoleManagerEventHandler GetRoles {
49 add { events.AddHandler (getRolesEvent, value); }
50 remove { events.RemoveHandler (getRolesEvent, value); }
53 public void Dispose ()
57 void ClearCookie (HttpApplication app, string cookieName)
59 HttpCookie clearCookie = new HttpCookie (_config.CookieName, "");
61 clearCookie.Path = _config.CookiePath;
62 clearCookie.Expires = DateTime.MinValue;
63 clearCookie.Domain = _config.Domain;
64 clearCookie.Secure = _config.CookieRequireSSL;
65 app.Response.SetCookie (clearCookie);
68 void OnPostAuthenticateRequest (object sender, EventArgs args)
70 HttpApplication app = (HttpApplication)sender;
72 /* if we're disabled, bail out early */
73 if (_config == null || !_config.Enabled)
76 /* allow the user to populate the Role */
77 RoleManagerEventHandler eh = events [getRolesEvent] as RoleManagerEventHandler;
79 RoleManagerEventArgs role_args = new RoleManagerEventArgs (app.Context);
83 if (role_args.RolesPopulated)
87 RolePrincipal principal;
89 HttpCookie cookie = app.Request.Cookies [_config.CookieName];
91 IIdentity currentIdentity = app.Context.User.Identity;
92 if (app.Request.IsAuthenticated) {
94 if (!_config.CacheRolesInCookie)
96 else if (_config.CookieRequireSSL && !app.Request.IsSecureConnection) {
98 ClearCookie (app, _config.CookieName);
103 if (cookie == null || String.IsNullOrEmpty (cookie.Value))
104 principal = new RolePrincipal (currentIdentity);
106 principal = new RolePrincipal (currentIdentity, cookie.Value);
109 /* anonymous request */
111 if (cookie != null) {
112 ClearCookie (app, _config.CookieName);
115 principal = new RolePrincipal (currentIdentity);
118 app.Context.User = principal;
119 Thread.CurrentPrincipal = principal;
122 void OnEndRequest (object sender, EventArgs args)
124 HttpApplication app = (HttpApplication)sender;
126 /* if we're not enabled or configured to cache
127 * cookies, bail out */
128 if (_config == null || !_config.Enabled || !_config.CacheRolesInCookie)
131 /* if the user isn't authenticated, bail
133 if (!app.Request.IsAuthenticated)
136 /* if the configuration requires ssl for
137 * cookies and we're not on an ssl connection,
139 if (_config.CookieRequireSSL && !app.Request.IsSecureConnection)
142 RolePrincipal principal = app.Context.User as RolePrincipal;
143 if (principal == null) /* just for my sanity */
146 if (!principal.CachedListChanged)
149 string ticket = principal.ToEncryptedTicket ();
150 if (ticket == null || ticket.Length > 4096) {
151 ClearCookie (app, _config.CookieName);
155 HttpCookie cookie = new HttpCookie (_config.CookieName, ticket);
157 cookie.HttpOnly = true;
158 if (!string.IsNullOrEmpty (_config.Domain))
159 cookie.Domain = _config.Domain;
160 if (_config.CookieRequireSSL)
161 cookie.Secure = true;
162 if (_config.CookiePath.Length > 1) // more than '/'
163 cookie.Path = _config.CookiePath;
164 app.Response.SetCookie (cookie);
167 public void Init (HttpApplication app)
169 _config = (RoleManagerSection) WebConfigurationManager.GetSection ("system.web/roleManager");
171 app.PostAuthenticateRequest += OnPostAuthenticateRequest;
172 app.EndRequest += OnEndRequest;