30.2. Role Authorization

So far, you have seen how to enable the client application services, but they haven't really started to add value because the user has already been authenticated by the operating system when you were using Windows authentication for the client application. What isn't handled by the operating system is specifying which roles a user belongs to and thus what parts or functions within an application the user has access to. While this could be handled by the client application itself, it would be difficult to account for all permutations of users and the system would be impractical to manage, because every time a user was added or changed roles a new version of the application would have to be deployed. Instead, it is preferable to have the correlations between users and roles managed on the server, allowing the application to work with a much smaller set of roles through which to control access to functionality.

The true power of the client application services becomes apparent when you combine the client-side application framework with the ASP.NET Application Services. To see this you should add a new project to your solution using the Visual Basic ASP.NET Web Application template (under the Web node in the New Project dialog), calling it ApplicationServices. As we are not going to create any web pages, you can immediately delete the default page, default.aspx, that is added by the template. You could also use the ASP.NET Web Service Application template, as it differs only in the initial item, which is service1.asmx.

Right-click the newly created project in Solution Explorer and select Properties to bring up the project properties designer. As we will be referencing this web application from other parts of the solution, it is preferable to use a predefined port and virtual directory with the Visual Studio Development Server. On the Web tab, set the specific port to 12345 and the virtual path to /ApplicationServices.

ASP.NET Application Services is a provider-based model for authenticating users, managing roles, and storing profile (a.k.a. settings) information. Each of these components can be engaged independently, and you can either elect to use the built-in providers or create your own. To enable the role management service for access via client application services, add the following snippet before the <system.web> element in the web.config file in the ApplicationServices project:

<system.web.extensions>
    <scripting>
        <webServices>
            <roleService enabled="true"/>
        </webServices>
    </scripting>
</system.web.extensions>

As we want to perform some custom logic to determine which roles a user belongs to, you will need to create a new class, called CustomRoles, to take the place of the default role provider. Here you can take advantage of the RoleProvider abstract class, greatly reducing the amount of code you have to write. For this role provider we are interested only in returning a value for the GetRolesForUser method; all other methods can be left as method stubs.

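Imports System.Web.Security

Public Class CustomRoles
    Inherits RoleProvider

    ' Returns the roles for the given user; called by the role service.
    Public Overrides Function GetRolesForUser(ByVal username As String) As String()
        ' The name is lowercased first, so it must be compared with a lowercase literal.
        If username.ToLower.Contains("nick") Then
            Return New String() {"All Nicks"}
        Else
            Return New String() {}
        End If
    End Function

    ' ... remaining RoleProvider members left as method stubs ...
End Class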
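The provider above decides role membership by matching a substring of the account name, so unrelated accounts whose names happen to contain the same letters would receive the role too. The following is an added example, not code from the book: an exact-match, deny-by-default lookup that GetRolesForUser could delegate to. The names RoleLookup, RolesFor and SubstringMatch, the CONTOSO accounts, and the DOMAIN\user name format are assumptions made for illustration.

```vb
Imports System
Imports System.Collections.Generic

' Added example: exact-match role lookup that GetRolesForUser could delegate to.
' The account names and the role table are constructed sample data.
Public Module RoleLookup

    ' Keys are full account names; the comparison ignores case but nothing else.
    Private ReadOnly RoleTable As New Dictionary(Of String, String())( _
        StringComparer.OrdinalIgnoreCase)

    Sub New()
        RoleTable.Add("CONTOSO\nick", New String() {"All Nicks"})
        RoleTable.Add("CONTOSO\nicholas", New String() {"All Nicks"})
    End Sub

    Public Function RolesFor(ByVal username As String) As String()
        ' Missing, empty or unknown names get no roles (deny by default).
        If String.IsNullOrEmpty(username) Then Return New String() {}
        Dim roles As String() = Nothing
        If RoleTable.TryGetValue(username.Trim(), roles) Then
            ' Return a copy so callers cannot modify the shared table entry.
            Return DirectCast(roles.Clone(), String())
        End If
        Return New String() {}
    End Function

    ' The substring test used by the provider above, kept for comparison.
    Public Function SubstringMatch(ByVal username As String) As Boolean
        Return username IsNot Nothing AndAlso username.ToLower().Contains("nick")
    End Function

    Public Sub Main()
        Dim samples As String() = {"CONTOSO\Nick", "CONTOSO\dominick", _
                                   "CONTOSO\nickel.svc", ""}
        For Each name As String In samples
            Console.WriteLine("{0,-20} substring={1,-5} exact=[{2}]", _
                name, SubstringMatch(name), String.Join(",", RolesFor(name)))
        Next
    End Sub
End Module
```

Only the first sample account receives the role from the exact lookup, while the substring test also matches the second and third.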

You now have a custom role provider and have enabled role management. The only thing missing is the glue that lets the role management service know to use your role provider. You provide this by adding the following roleManager node to the <system.web> element in the web.config file:

<roleManager enabled="true" defaultProvider="CustomRoles">
    <providers>
        <!-- type is the namespace-qualified class name; the root namespace defaults to the project name -->
        <add name="CustomRoles" type="ApplicationServices.CustomRoles"/>
    </providers>
</roleManager>

The last thing to do is to make use of this role information in your application. You can do this by adding a call to IsUserInRole to the Form_Load method:

Private Sub Form1_Load(ByVal sender As System.Object, _
                        ByVal e As System.EventArgs) Handles MyBase.Load
    If Membership.ValidateUser(Nothing, Nothing) Then
        '... Commented out for brevity ...
    End If
    If Roles.IsUserInRole("All Nicks") Then
        MessageBox.Show("User is a Nick, so should have Admin rights....")
    End If
End Sub

In order to see your custom role provider in action, set a breakpoint in the GetRolesForUser method. For this breakpoint to be hit, you have to have both the client application and the web application running in debug mode. To do this, right-click the Solution node in the Solution Explorer window and select Properties. From the Startup Project node, select Multiple Startup Projects and set the action of both projects to start. Now when you run the solution you will see that the GetRolesForUser method is called with the Windows credentials of the current user, as part of the validation of the user.
