If the authentication ticket also contains role information, then why ...?

Q1. The reason why the native UrlAuthorizationModule does not understand the role is because the role information is stored in a managed object that implements the IPrincipal interface, which native modules cannot access.

A) But if your own UrlAuthorizationModule understands the authentication ticket and thus can work together with the FormsAuthenticationModule, then why does it not work with the Roles module?

Namely, does this ticket contain information about the roles the user is in? If so, then the UrlAuthorizationModule can get all the role information from the ticket and therefore will not need to have access to the IPrincipal object?!


Q2. The following article http://www.asp.net/learn/security/tutorial-11-vb.aspx states:

If an anonymous user visits the site, neither the FormsAuthenticationModule module nor the RoleManagerModule module creates the main object.


A) If the above requirement was true, then the following code would not throw an exception, since the User property would contain a null reference:

        if (User.Identity.IsAuthenticated)
            Label1.Text = "user is authenticated";
        else
            Label1.Text = "user is not authenticated";

Label1 displays "User is not authenticated", which assumes that an object that implements IPrincipal is assigned to the User property, even if the user is not authenticated?!


Thanx

+3
1 answer

Q1: , CacheRolesInCookie false, .

Q2: http://msdn.microsoft.com/en-us/library/aa302376.aspx

" IPrincipal HttpContext.User. , IPrincipal . (, IIS ASP.NET) , HttpContext. . HttpContext.User null .

+2

Source: https://habr.com/ru/post/1708693/

