I'm trying to avoid the use of the Role Provider and Membership Provider since it's way too clumsy in my opinion, and therefore I'm trying to make my own "version" which is less clumsy and more manageable/flexible. Now my question is: is there an alternative to the Role Provider which is decent? (I know that I can do a custom Role provider, membership provider etc.)
By more manageable/flexible I mean that I'm limited to use the Roles static class and not implement directly into my service layer which interacts with the database context; instead I'm bound to use the Roles static class which has its own database context etc. Also, the table names are awful.
Thanks in advance.
Best Answer
I'm in the same boat as you - I've always hated the RoleProviders. Yeah, they're great if you want to get things up and running for a small website, but they're not very realistic. The major downside I've always found is that they tie you directly to ASP.NET.
The way I went for a recent project was defining a couple of interfaces that are part of the service layer (NOTE: I simplified these quite a bit - but you could easily add to them):
Then your users could have a Roles enum:
For your IAuthenticationService, you could have a base implementation that does standard password checking and then you could have a FormsAuthenticationService that does a little bit more such as setting the cookie etc. For your AuthorizationService, you'd need something like this:
On top of these base services, you could easily add services to reset passwords etc.
Since you're using MVC, you could do authorization at the action level using an ActionFilter:
Which you can then decorate on your controller actions:
The advantage of this approach is you can also use dependency injection and an IoC container to wire things up. Also, you can use it across multiple applications (not just your ASP.NET one). You would use your ORM to define the appropriate schema.
If you need more details around the FormsAuthorization/Authentication services or where to go from here, let me know.
EDIT: To add "security trimming", you could do it with an HtmlHelper. This probably needs a little more... but you get the idea.
And then inside your view (using Razor syntax here):
EDIT: The UserSession would look something like this:
This way, we don't expose the password hash and all other details inside the session of the current user since they're really not needed for the user's session lifetime.
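A framework-free sketch of the pieces the answer names (a Roles enum, an authorization service, and a UserSession that leaves out the password hash), added here as an example and not the answerer's own code, which did not survive on this page. It assumes Roles is a flags enum and that an empty role requirement is denied; all member names and signatures are assumptions.

```csharp
using System;

// Constructed sketch: member names and signatures are assumptions, not the answer's code.
[Flags]
public enum Roles { None = 0, User = 1, Moderator = 2, Admin = 4 }

// Persistence entity: the only type that carries credential material.
public sealed class User
{
    public int Id { get; set; }
    public string Login { get; set; } = "";
    public byte[] PasswordHash { get; set; } = Array.Empty<byte>();
    public Roles Roles { get; set; }
}

// What is kept for the session lifetime: identity and roles, no password hash.
public sealed class UserSession
{
    public UserSession(User user) { UserId = user.Id; Login = user.Login; Roles = user.Roles; }
    public int UserId { get; }
    public string Login { get; }
    public Roles Roles { get; }
}

public interface IAuthorizationService { bool Authorize(UserSession session, Roles required); }

public sealed class AuthorizationService : IAuthorizationService
{
    // Deny by default: no session, or no stated role requirement, means no access.
    public bool Authorize(UserSession session, Roles required)
    {
        if (session == null || required == Roles.None) return false;
        return (session.Roles & required) != Roles.None; // holding any one required role is enough
    }
}

public static class Program
{
    public static void Main()
    {
        var user = new User { Id = 1, Login = "alice", PasswordHash = new byte[32], Roles = Roles.User | Roles.Moderator };
        IAuthorizationService authz = new AuthorizationService();
        var session = new UserSession(user); // constructed sample user, copied without the hash
        Console.WriteLine(authz.Authorize(session, Roles.Moderator | Roles.Admin)); // one required role is held
        Console.WriteLine(authz.Authorize(session, Roles.Admin));                   // required role is not held
        Console.WriteLine(authz.Authorize(null, Roles.User));                       // no session at all
    }
}
```

Because the check lives behind an interface in the service layer, an MVC action filter or an HtmlHelper used for security trimming can call the same `Authorize` method instead of duplicating the role logic.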