How to authorize users against the ASP.NET Role Provider
Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Use the following steps to declaratively authorize users with the ASP.NET role provider:
- Configure the Role provider in the service app.config or web.config file as follows:
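    <!-- Configure the Sql Role Provider; connectionStringName is a placeholder for your own connection string entry -->
    <roleManager enabled="true" defaultProvider="RoleProvider">
      <providers>
        <add name="RoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="YourConnectionStringName" />
      </providers>
    </roleManager>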
- Configure the WCF Service to use the ASP.NET role provider:
    <!-- Configure role based authorization to use the Role Provider -->
    <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                          roleProviderName="RoleProvider" />
- Authorize declaratively by adding the PrincipalPermission attribute above each service method that requires authorization. Specify the Windows user group required to access the method in the Role field.
    // The demand is evaluated before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
    public double Add(double a, double b)
    {
        return a + b;
    }
- Authorize imperatively by using the Roles.IsUserInRole method to authorize the client. The role can be contained in a variable and changed dynamically if needed, as shown below:
    string RequiredGroup = "Administrators";
    try {
        // Pass the variable itself, not a quoted literal, so the role can change at run time.
        if (!Roles.IsUserInRole(User.Identity.Name, RequiredGroup)) {
            Msg.Text = "You are not authorized to view user roles.";
            UsersListBox.Visible = false;
        }
    }
    catch (HttpException) {
        Msg.Text = "There is no current logged on user. Role membership cannot be verified.";
    }
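The following added example is not part of the original guidance. It exercises the declarative and imperative checks from the steps above outside a service host, so the authorization logic can be verified on its own. It assumes .NET Framework; CalculatorService, Subtract and the Allowed helper are hypothetical names, and a constructed GenericPrincipal stands in for the principal WCF attaches to the request thread when principalPermissionMode is UseAspNetRoles.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical service class. In a hosted service, WCF populates
// Thread.CurrentPrincipal from the configured role provider.
public class CalculatorService
{
    // Declarative check: the demand runs before the method body executes.
    [PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
    public double Add(double a, double b)
    {
        return a + b;
    }

    // Imperative check: the required role is data, so it can vary per call.
    public double Subtract(double a, double b, string requiredRole)
    {
        // A null name means "any authenticated user"; only the role is constrained.
        // Demand() throws SecurityException when the current principal does not qualify.
        new PrincipalPermission(null, requiredRole).Demand();
        return a - b;
    }
}

public static class Program
{
    // Runs one operation as the given user and reports whether the demand passed.
    static bool Allowed(string user, string[] roles, Func<CalculatorService, double> call)
    {
        // Constructed principal (sample data), standing in for the role-provider principal.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try { call(new CalculatorService()); return true; }
        catch (SecurityException) { return false; }
    }

    public static void Main()
    {
        // Caller in the required role, then a caller outside it, against the attribute.
        Console.WriteLine(Allowed("alice", new[] { "accounting" }, s => s.Add(1, 2)));
        Console.WriteLine(Allowed("bob", new[] { "sales" }, s => s.Add(1, 2)));
        // Imperative demand with the role supplied at run time.
        Console.WriteLine(Allowed("bob", new[] { "sales" }, s => s.Subtract(5, 2, "sales")));
        // Unauthenticated caller (empty name, no roles).
        Console.WriteLine(Allowed("", new string[0], s => s.Subtract(5, 2, "sales")));
    }
}
```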