According to my book, if role management is enabled, then RoleManagerModule creates the security context of the user by assigning RolePrincipal object to the HttpRequest.User. But isn’t security context already created (thus principal object being assigned to HttpContext.User) by FormsAuthenticationModule, which is called prior to RoleManagerModule being called?
I’m asking this, because in the following code principal object assigned to HttpRequest.User already exists, even though RoleManagerModule has not yet been called:
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (User.Identity.IsAuthenticated && Roles.Enabled)
        {
            //here we subscribe user to a role via Roles.AddUserToRole()
        }
    }
So is principal object, created by FormsAuthenticationModule and assigned to HttpRequest.User, later replaced by RolePrincipal object (created by RoleManagerModule)?
Best Answer
According to this article:
So you're right.
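One way to watch the replacement happen, as an added example that is not part of the original question or answer: a Global.asax code-behind that records the concrete type of Context.User at two pipeline stages. It assumes forms authentication and the role manager are both enabled in web.config; the class name Global and the helper DescribePrincipal are hypothetical.

```csharp
// Global.asax.cs: added illustration, not code from the question or answer.
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Global.asax handler for AuthenticateRequest, the event that
    // FormsAuthenticationModule handles; this is the handler from the question.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        DescribePrincipal("AuthenticateRequest");
    }

    // AuthorizeRequest is raised after PostAuthenticateRequest, the event
    // RoleManagerModule handles, so that module has already run here.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        DescribePrincipal("AuthorizeRequest");
    }

    // Hypothetical helper: writes the concrete principal type, and the roles
    // when the principal is a RolePrincipal, to the debug output.
    private void DescribePrincipal(string stage)
    {
        IPrincipal user = Context.User;
        if (user == null)
        {
            Debug.WriteLine(stage + ": Context.User is null");
            return;
        }

        string line = string.Format("{0}: principal={1}, identity={2}, authenticated={3}",
            stage, user.GetType().FullName, user.Identity.GetType().FullName,
            user.Identity.IsAuthenticated);

        RolePrincipal rolePrincipal = user as RolePrincipal;
        if (rolePrincipal != null)
        {
            // GetRoles() asks the configured role provider (or the role cookie cache).
            line += ", roles=" + string.Join(",", rolePrincipal.GetRoles());
        }
        Debug.WriteLine(line);
    }
}
```

Role checks such as User.IsInRole() made in the first handler are evaluated against the principal that exists at that stage, so role-based decisions belong in AuthorizeRequest or later.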