role based security help


ldot
08-03-2007, 07:31 AM
I have a web app that I want to add role based security to.

I have added this line to my login function:
Thread.CurrentPrincipal = new GenericPrincipal(identity, roles);

To test that it is working I print this:
Thread.CurrentPrincipal.IsInRole("TripAdmin").ToString();

I get true for the IsInRole. So everything seems good up to here.

I add this to my web.config to restrict all users except those chosen role:
<location path="Trips/Admin">
  <system.web>
    <authorization>
      <allow roles="TripAdmin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

... but when I try to access a resource in "Trips/Admin" it won't let me in. It keeps redirecting to my login.aspx page. When I change the web.config to:
<location path="Trips/Admin">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
everything works as expected. From what I could find, there seems to be a reason to set Thread.CurrentPrincipal = new GenericPrincipal(identity, roles); in the global.asax file. Should I be doing this there instead of in my login function?

Any help would be much appreciated.

Thanks!

Jon.Hayek
09-09-2007, 08:38 PM
Hi ldot,

The reason <deny users="?" /> works is that it allows access to anyone who isn't anonymous, which isn't what you want. Instead, in your global.asax.cs file, in the Application_AuthenticateRequest event, you should assign your roles like so:

HttpContext.Current.User = new GenericPrincipal(identity, roles);

Hope this helps.
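The point behind the answer is that a principal assigned in the login code only lives for that one request; ASP.NET rebuilds the user on every request from the Forms authentication cookie, and UrlAuthorizationModule checks the roles of whatever Context.User holds at that moment. The following is an added example (not ldot's or Jon.Hayek's code) of the complete pattern for ASP.NET Web Forms with Forms authentication: the login code stores the user's roles in the ticket's UserData, and Application_AuthenticateRequest rebuilds a GenericPrincipal from that ticket on each request, so the <allow roles="TripAdmin"/> rule in the original web.config is satisfied. The role lookup (LookupRolesForUser) and the pipe-separated UserData format are assumptions of this example.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// global.asax.cs: runs for every request, after FormsAuthenticationModule has
// validated the ticket cookie and set Context.User to a FormsIdentity without roles.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return; // anonymous request: nothing to add, <deny> rules apply as usual

        var formsIdentity = Context.User.Identity as FormsIdentity;
        if (formsIdentity == null)
            return; // some other authentication mode populated the user

        // Roles were stored at login as "TripAdmin|Member" in the ticket's UserData.
        // The ticket is encrypted and MAC-protected with the machineKey, so the
        // client cannot edit this list; an empty UserData simply yields no roles.
        string[] roles = (formsIdentity.Ticket.UserData ?? string.Empty)
            .Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);

        // Replace the role-less principal; UrlAuthorizationModule runs later in the
        // pipeline and evaluates <allow roles="TripAdmin"/> against this object.
        Context.User = new GenericPrincipal(formsIdentity, roles);
        Thread.CurrentPrincipal = Context.User; // keep both views of "current user" in sync
    }
}

// Login page code-behind: called after the password has been verified.
public static class LoginHelper
{
    // Hypothetical lookup; in a real app this reads the user's roles from the database.
    public static string[] LookupRolesForUser(string username)
    {
        return username == "alice" ? new[] { "TripAdmin", "Member" } : new[] { "Member" };
    }

    public static void IssueTicket(HttpResponse response, string username)
    {
        string[] roles = LookupRolesForUser(username);

        // Version 1, non-persistent, 30-minute ticket carrying the roles in UserData.
        var ticket = new FormsAuthenticationTicket(
            1, username, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join("|", roles));

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                       // not readable from script
            Secure = FormsAuthentication.RequireSSL // honour <forms requireSSL="true"/>
        };
        response.Cookies.Add(cookie);

        // Send the user back to the page that triggered the login redirect.
        response.Redirect(FormsAuthentication.GetRedirectUrl(username, false));
    }
}
```

With this in place the original <location> block (allow the TripAdmin role, then deny everyone) works as written: the rule order matters because ASP.NET takes the first matching rule, and an authenticated user who is not in TripAdmin falls through to <deny users="*"/> and is sent to login.aspx again, which is the behaviour ldot saw when the principal had no roles at all.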