c# - System.Web.Http.AuthorizeAttribute not recognizing custom role provider -
in mvc 4 web api project, have custom role provider works designed via system.web.mvc.authorize attribute on home system.web.mvc.controller.
on system.web.http.apicontroller system.web.http.authorize custom role provider never gets called, returning false. there way specify web api authorizeattribute pick custom role provider mvc authorizeattribute?
role provider:
public class customroleprovider : roleprovider { //overriden methods public override string[] getrolesforuser(string username) { //always homecoming "master" testing purposes homecoming new string[] { "master" }; } public override bool isuserinrole(string username, string rolename) { //always homecoming true testing purposes homecoming true; } //other overridden method stubs... } web.config:
<rolemanager defaultprovider="customroleprovider" enabled="true" cacherolesincookie="false" > <providers> <clear /> <add name="customroleprovider" type="myapp.securityextensions.customroleprovider, myapp" /> </providers> </rolemanager>
this not answer, might help:
both attributes work querying current pricipal. mvc attribute uses httpcontent.user, while system.web.http version uses thread.currentprincipal, difference minor.
i'm not familar web api, suspect rolemanagermodule not running time attribute fires, or have not yet reached postauthenticaterequest event, because in event module replaces pricipal.
are sure have form of asp authentication required webapi usage? if don't have webapi project configured require form of authentication, never reach postauthenticaterequest event, , rolemanagermodule never kick-in.
the lastly possibility comes mind someting else replacing principal after rolemanagermodule so. if possible, temporarally remove system.web.http.authorizeattribute, set breakpoint in controller, , detemine class thread.currentprincipal has. might give hint went wrong.
c# asp.net asp.net-mvc asp.net-web-api
No comments:
Post a Comment