Role Providers
Role providers are classes that derive from the abstract class System.Web.Security.RoleProvider. That class has the interface shown in Listing 1.1. It defines ten simple methods for managing roles, including ascertaining whether a given user has been assigned a particular role. Role providers, in implementing those abstract methods, will read and write a particular store of role information. For example, one of the concrete implementations of System.Web.Security.RoleProvider included in the .NET Framework 2.0 is System.Web.Security.AuthorizationStoreRoleProvider, which uses an Authorization Manager Authorization Store as its repository of role information. Another concrete implementation, System.Web.Security.SqlRoleProvider, uses a SQL Server database as its store. However, because the System.Web.Security.RoleProvider has such a simple set of methods for managing roles, if none of the role providers included in the .NET Framework 2.0 is suitable, you can readily provide your own implementation to use whatever store of role information you prefer. Role providers hide the details of how role data is stored behind a simple, standard interface for querying and updating that information. Although System.Web.Security.RoleProvider is included in the System.Web namespaces of ASP.NET, role providers can be used in any .NET 2.0 application.
Listing 1.1. System.Web.Security.RoleProvider
public abstract class RoleProvider : ProviderBase
{
    protected RoleProvider();

    public abstract string ApplicationName { get; set; }

    public abstract void AddUsersToRoles(
        string[] usernames, string[] roleNames);
    public abstract void CreateRole(
        string roleName);
    public abstract bool DeleteRole(
        string roleName, bool throwOnPopulatedRole);
    public abstract string[] FindUsersInRole(
        string roleName, string usernameToMatch);
    public abstract string[] GetAllRoles();
    public abstract string[] GetRolesForUser(
        string username);
    public abstract string[] GetUsersInRole(
        string roleName);
    public abstract bool IsUserInRole(
        string username, string roleName);
    public abstract void RemoveUsersFromRoles(
        string[] usernames, string[] roleNames);
    public abstract bool RoleExists(string roleName);
}
The static class, System.Web.Security.Roles, provides yet another layer of encapsulation for role management. Consider this code snippet:
if (!Roles.IsUserInRole(userName, "Administrator"))
{
    [...]
}
Here, the static System.Web.Security.Roles class is used to inquire whether a given user has been assigned to the Administrator role. What is interesting about this snippet is that the inquiry is made without an instance of a particular role provider having to be created first. The static System.Web.Security.Roles class hides the interaction with the role provider. The role provider it uses is whichever one is specified as being the default in the configuration of the application. Listing 1.2 is a sample configuration that identifies the role provider named MyRoleProvider, which is an instance of the System.Web.Security.AuthorizationStoreRoleProvider class, as the default role provider.
Listing 1.2. Role Provider Configuration
<configuration>
    <connectionStrings>
        <add name="AuthorizationServices"
             connectionString="msxml://~\App_Data\SampleStore.xml" />
    </connectionStrings>
    <system.web>
        <roleManager defaultProvider="MyRoleProvider"
                     enabled="true"
                     cacheRolesInCookie="true"
                     cookieName=".ASPROLES"
                     cookieTimeout="30"
                     cookiePath="/"
                     cookieRequireSSL="false"
                     cookieSlidingExpiration="true"
                     cookieProtection="All" >
            <providers>
                <clear />
                <add name="MyRoleProvider"
                     type="System.Web.Security.AuthorizationStoreRoleProvider"
                     connectionStringName="AuthorizationServices"
                     applicationName="SampleApplication"
                     cacheRefreshInterval="60"
                     scopeName="" />
            </providers>
        </roleManager>
    </system.web>
</configuration>
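Because Listing 1.2 caches role names in a cookie (cacheRolesInCookie="true"), the cookie attributes decide how that cached role list is protected in transit and how long a changed role assignment can go unnoticed. The variant below is an added example, not part of the original listing; it assumes the application is served only over HTTPS, and the timeout value is illustrative.

```xml
<configuration>
    <connectionStrings>
        <add name="AuthorizationServices"
             connectionString="msxml://~\App_Data\SampleStore.xml" />
    </connectionStrings>
    <system.web>
        <!--
          Changes from Listing 1.2 (added example, values are assumptions):
            cookieRequireSSL="true"          the role cookie is only sent over SSL/TLS
                                             connections (Listing 1.2 uses "false")
            cookieTimeout="10"               minutes; cached role names can lag behind
                                             the role store for up to this long
            cookieSlidingExpiration="false"  fixed expiry, so an active session does
                                             not keep extending the cookie's lifetime
            createPersistentCookie="false"   session cookie only; the cached roles are
                                             not kept across browser sessions
          Unchanged:
            cookieProtection="All"           cookie contents are encrypted and validated
        -->
        <roleManager defaultProvider="MyRoleProvider"
                     enabled="true"
                     cacheRolesInCookie="true"
                     cookieName=".ASPROLES"
                     cookieTimeout="10"
                     cookiePath="/"
                     cookieRequireSSL="true"
                     cookieSlidingExpiration="false"
                     createPersistentCookie="false"
                     cookieProtection="All" >
            <providers>
                <clear />
                <add name="MyRoleProvider"
                     type="System.Web.Security.AuthorizationStoreRoleProvider"
                     connectionStringName="AuthorizationServices"
                     applicationName="SampleApplication"
                     cacheRefreshInterval="60"
                     scopeName="" />
            </providers>
        </roleManager>
    </system.web>
</configuration>
```

Where a role removal has to take effect without waiting for the cookie to expire, setting cacheRolesInCookie="false" drops the cookie cache altogether, at the cost of more lookups against the role provider.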