2 // System.Web.Security.RoleManagerModule
5 // Ben Maurer (bmaurer@users.sourceforge.net)
11 // Permission is hereby granted, free of charge, to any person obtaining
12 // a copy of this software and associated documentation files (the
13 // "Software"), to deal in the Software without restriction, including
14 // without limitation the rights to use, copy, modify, merge, publish,
15 // distribute, sublicense, and/or sell copies of the Software, and to
16 // permit persons to whom the Software is furnished to do so, subject to
17 // the following conditions:
19 // The above copyright notice and this permission notice shall be
20 // included in all copies or substantial portions of the Software.
22 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
23 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
24 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
25 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
26 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
27 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
31 using System.ComponentModel;
32 using System.Collections;
33 using System.Collections.Specialized;
34 using System.Security.Principal;
36 using System.Threading;
37 using System.Web.Configuration;
39 namespace System.Web.Security {
40 public sealed class RoleManagerModule : IHttpModule
42 static readonly object getRolesEvent = new object ();
44 RoleManagerSection _config = null;
45 EventHandlerList events = new EventHandlerList ();
47 public event RoleManagerEventHandler GetRoles {
48 add { events.AddHandler (getRolesEvent, value); }
49 remove { events.RemoveHandler (getRolesEvent, value); }
52 public void Dispose ()
56 void ClearCookie (HttpApplication app, string cookieName)
58 HttpCookie clearCookie = new HttpCookie (_config.CookieName, "");
60 clearCookie.Path = _config.CookiePath;
61 clearCookie.Expires = DateTime.MinValue;
62 clearCookie.Domain = _config.Domain;
63 clearCookie.Secure = _config.CookieRequireSSL;
64 app.Response.SetCookie (clearCookie);
67 void OnPostAuthenticateRequest (object sender, EventArgs args)
69 HttpApplication app = (HttpApplication)sender;
71 /* if we're disabled, bail out early */
72 if (_config == null || !_config.Enabled)
75 /* allow the user to populate the Role */
76 RoleManagerEventHandler eh = events [getRolesEvent] as RoleManagerEventHandler;
78 RoleManagerEventArgs role_args = new RoleManagerEventArgs (app.Context);
82 if (role_args.RolesPopulated)
86 RolePrincipal principal;
88 HttpCookie cookie = app.Request.Cookies [_config.CookieName];
90 IIdentity currentIdentity = app.Context.User.Identity;
91 if (app.Request.IsAuthenticated) {
93 if (!_config.CacheRolesInCookie)
95 else if (_config.CookieRequireSSL && !app.Request.IsSecureConnection) {
97 ClearCookie (app, _config.CookieName);
102 if (cookie == null || String.IsNullOrEmpty (cookie.Value))
103 principal = new RolePrincipal (currentIdentity);
105 principal = new RolePrincipal (currentIdentity, cookie.Value);
108 /* anonymous request */
110 if (cookie != null) {
111 ClearCookie (app, _config.CookieName);
114 principal = new RolePrincipal (currentIdentity);
117 app.Context.User = principal;
118 Thread.CurrentPrincipal = principal;
121 void OnEndRequest (object sender, EventArgs args)
123 HttpApplication app = (HttpApplication)sender;
125 /* if we're not enabled or configured to cache
126 * cookies, bail out */
127 if (_config == null || !_config.Enabled || !_config.CacheRolesInCookie)
130 /* if the user isn't authenticated, bail
132 if (!app.Request.IsAuthenticated)
135 /* if the configuration requires ssl for
136 * cookies and we're not on an ssl connection,
138 if (_config.CookieRequireSSL && !app.Request.IsSecureConnection)
141 RolePrincipal principal = app.Context.User as RolePrincipal;
142 if (principal == null) /* just for my sanity */
145 if (!principal.CachedListChanged)
148 string ticket = principal.ToEncryptedTicket ();
149 if (ticket == null || ticket.Length > 4096) {
150 ClearCookie (app, _config.CookieName);
154 HttpCookie cookie = new HttpCookie (_config.CookieName, ticket);
156 cookie.HttpOnly = true;
157 if (!string.IsNullOrEmpty (_config.Domain))
158 cookie.Domain = _config.Domain;
159 if (_config.CookieRequireSSL)
160 cookie.Secure = true;
161 if (_config.CookiePath.Length > 1) // more than '/'
162 cookie.Path = _config.CookiePath;
163 app.Response.SetCookie (cookie);
166 public void Init (HttpApplication app)
168 _config = (RoleManagerSection) WebConfigurationManager.GetSection ("system.web/roleManager");
170 app.PostAuthenticateRequest += OnPostAuthenticateRequest;
171 app.EndRequest += OnEndRequest;