[Guest Bloggers] James Kovacs on ASP.NET Role-Based Security and the ImpostorHttpModule

James Kovacs (Calgary)

[Guest Bloggers] ASP.NET Role-Based Security and the ImpostorHttpModule

If you've developed any moderately complex web application, you've probably implemented some form of role-based security. For instance, only Administrators can access the /Admin directory. Only ContentCreators can update web page content. Only RegisteredUsers can access the site. ASP.NET makes all of this relatively easy through the authorization section of the web.config file(s), programmatic security, and security trimming of site maps. Managing roles is even easier with ASP.NET 2.0 as we now have the role manager (represented by System.Web.Security.Roles) and various RoleProviders.

If you're using the SqlRoleProvider, you can test different configurations of your website by adding and removing your user from various roles and not caching role memberships in cookies. (If you cache your role memberships in cookies, you either have to wait for the cookie to expire or clear your browser cookies every time you change your role membership to ensure that you have the correct memberships.) It's tedious, but it can be done.

Even more tedious is testing role-based security for an intranet application if you're using Windows groups via the WindowsTokenRoleProvider. Basically your Windows group memberships become your roles. Simple enough: add your user to the appropriate local or domain groups using the Local Users and Groups or Active Directory MMC snap-in and you're good to go. Right? Not quite. The group memberships in your user token don't get updated until you log out and back in again. (I'm ignoring some advanced security APIs that allow you to invalidate your user token and re-acquire it.) Now this is really tedious and is likely going to result in you doing less testing under different role memberships than you really should. Is there a way that we can improve this? I'm glad you asked. Enter the ImpostorHttpModule.

The ImpostorHttpModule is an ASP.NET HttpModule that re-writes an authenticated user's roles based on an XML file, ~/App_Data/Impostors.xml. In this three-part series, James introduces the ImpostorHttpModule, shows how it can be used to simplify testing of role-based ASP.NET applications, and finally delves deep into the ASP.NET pipeline to show how it all works.
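The role rewrite described above, as an added C# sketch that is not the ImpostorHttpModule's own code: an HttpModule that, once the real authentication has run, replaces the current user's roles with those listed for that user in ~/App_Data/Impostors.xml. The XML layout (one `impostor` element per user with a comma-separated `roles` attribute), the class name and the debug-only guard are assumptions of this example.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Xml.Linq;

// Assumed file shape (constructed for this example):
// <impostors>
//   <impostor name="DOMAIN\alice" roles="Administrators,ContentCreators" />
// </impostors>
public class ImpostorHttpModuleSketch : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Roles are attached during AuthenticateRequest, so rewrite them afterwards.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        // Only touch authenticated users, and only while the app is compiled
        // with debug="true", so the module is inert in a release configuration.
        if (context.User == null || !context.User.Identity.IsAuthenticated
            || !context.IsDebuggingEnabled)
            return;

        string path = context.Server.MapPath("~/App_Data/Impostors.xml");
        if (!File.Exists(path))
            return;

        string[] roles = LoadRoles(path, context.User.Identity.Name);
        if (roles == null)
            return; // user not listed: keep the real role memberships

        // Keep the real identity (name, authentication type); swap only the role set.
        IPrincipal impostor = new GenericPrincipal(context.User.Identity, roles);
        context.User = impostor;
        Thread.CurrentPrincipal = impostor;
    }

    // Returns the roles listed for userName, or null when the user is not in the file.
    public static string[] LoadRoles(string path, string userName)
    {
        XElement match = XDocument.Load(path).Root.Elements("impostor").FirstOrDefault(el =>
            string.Equals((string)el.Attribute("name"), userName, StringComparison.OrdinalIgnoreCase));
        if (match == null) return null;
        return ((string)match.Attribute("roles") ?? string.Empty)
            .Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToArray();
    }
}
```

Register the module in the `httpModules` (IIS 6) or `modules` (IIS 7 integrated) section of web.config; because it runs after authentication, `User.IsInRole` and site map security trimming see the substituted roles for that request only, with no logout or cookie expiry needed.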

Developing and Testing Role-Based ASP.NET Applications with ImpostorHttpModule
ASP.NET SiteMaps, Menus, and the ImpostorHttpModule
Pulling Back the Covers on ImpostorHttpModule

James Kovacs is an independent architect, developer, trainer, and jack-of-all-trades in Calgary, Alberta specializing in the .NET Framework and Enterprise Application Development. He assists clients in building smart clients, web applications, web services, and even full-fledged servers using the .NET Framework and Microsoft server technologies. James is also a member of the Plumbers at Work podcast.