Application Context

Old forum URL: forums.lhotka.net/forums/t/1899.aspx


awegele posted on Tuesday, December 05, 2006

I created business objects for a web application using CodeSmith and the CSLA 2.0 templates.  The generated code contains security checks that involve checking the roles such as that below:

public static bool CanGetObject()
{
    //TODO: Define CanGetObject permission in Account
    return true;
    //if (Csla.ApplicationContext.User.IsInRole("AccountViewGroup"))
    //    return true;
    //return false;
}

Until recently, I had not uncommented the code to actually check whether the user had the required role.  When I finally did, I found that the Csla.ApplicationContext.User object was null even after a successful login.  In thinking about it, I realized that I didn't understand how the context is persisted after a successful login and thus how it would be available in a business object that was called after the login.  I reread the relevant portions of Rocky's book "Expert C# 2005 Business Objects" but I didn't find what I was looking for.

I'm probably missing something very basic but I would really appreciate if someone could help me understand how this should work and what I might be doing wrong.  The only thing that I've done a bit different than the examples in the book is that I've added an additional interface "IIdentityPlus" in my Identity class that includes several more properties about the user that I needed than the normal "IIdentity" interface.

Allen

 

RockfordLhotka replied on Tuesday, December 05, 2006

Remember that ASP.NET is stateless, so nothing (other than Session) survives from page request to page request. This means you must re-establish any global values on each page request - typically in Global.asax.

Check out Chapter 10 in the book, as I directly illustrate there how to re-establish the user's credentials on each page request, so HttpContext.Current.User (and thus ApplicationContext.User) contains a valid value.

awegele replied on Tuesday, December 05, 2006

Wow!

I didn't expect to get a reply from the guru but thanks!  Maybe I'm still confused but I am storing the csla.applicationcontext.user object in session and retrieving it from the session object when I need it in the code on the web page but the code in the business object itself (such as I included in my post) doesn't attempt to retrieve the object from session, it calls the object directly, i.e.:

if (Csla.ApplicationContext.User.IsInRole("AccountEditGroup"))

How could this code interact with the session object?

JoeFallon1 replied on Tuesday, December 05, 2006

Does your Principal class (MyUser) have code like this:

Public Shared Function Login(ByVal username As String, ByVal password As String) As Boolean
    Dim identity As MyBusinessIdentity = MyBusinessIdentity.GetIdentity(username, password)
    Dim principal As New MyUser(identity)
    Csla2.ApplicationContext.User = principal
    Return identity.IsAuthenticated
End Function

Joe

awegele replied on Tuesday, December 05, 2006

Yes and it works.

public static bool Login(string username, string password)
{
    ePOIdentity identity = ePOIdentity.GetIdentity(username, password);
    if (identity.IsAuthenticated)
    {
        ePOPrincipal principal = new ePOPrincipal(identity);
        Csla.ApplicationContext.User = principal;
    }
    return identity.IsAuthenticated;
}

 

glenntoy replied on Tuesday, December 05, 2006

I think you're missing something, in the example of Rocky's PTWeb, look at the Global.asax. That's how it was being persisted in Rocky's example.

JoeFallon1 replied on Wednesday, December 06, 2006

if (identity.IsAuthenticated)

What happens if you are NOT authenticated?

Nothing is added to ApplicationContext.

That is why I removed the IF from my code.

I want my principal added no matter what.

Joe
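
Added example (not part of the original thread, the book, or CSLA itself): a Global.asax code-behind that restores the principal from Session on every request and falls back to an unauthenticated principal, so a business-object check such as Csla.ApplicationContext.User.IsInRole(...) never sees a null User. The session key "CslaPrincipal" is an assumption; the login page has to store the principal under the same key after a successful Login().

```csharp
// Global.asax.cs: added illustration, not code from the thread or the book.
using System;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Assumed session key. After a successful Login() the login page stores
    // the principal with: Session["CslaPrincipal"] = Csla.ApplicationContext.User;
    private const string PrincipalKey = "CslaPrincipal";

    // Raised on every request once session state has been acquired.
    protected void Application_AcquireRequestState(object sender, EventArgs e)
    {
        IPrincipal principal = null;

        // Session is null when the current handler does not use session state.
        HttpContext context = HttpContext.Current;
        if (context != null && context.Session != null)
        {
            principal = context.Session[PrincipalKey] as IPrincipal;
        }

        if (principal == null)
        {
            // Nothing stored for this user: install an unauthenticated
            // principal with no roles. IsInRole() then returns false
            // instead of the call failing on a null User.
            principal = new GenericPrincipal(
                new GenericIdentity(string.Empty), new string[0]);
        }

        // In a web application CSLA keeps this value on HttpContext.Current.User,
        // which is what the business objects read through ApplicationContext.User.
        Csla.ApplicationContext.User = principal;
    }
}
```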

 

Copyright (c) Marimer LLC