How can I make accessing my custom IPrincipal easier in ASP.NET MVC?

Asked 12/8, 2011 at 18:7 Answered 23/11, 2012 at 13:48

I've written a custom principal object which contains a few additional fields (email and userid in addition to the username).

In order to access these properties I have to cast the Context.User object as my custom principal.

@Html.GetGravitarImage((User as CustomPrincipal).Email)

This custom principal is created / deserialized via the Application_AuthenticateRequest in my global.ascx. You can see this question I asked here for more information.

private void Application_AuthenticateRequest(Object source, EventArgs e)
{
    var application = (HttpApplication)source;
    var context = application.Context;

    // Get the authentication cookie
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = context.Request.Cookies[cookieName];
    if (authCookie == null)
        return;

    var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    context.User = CustomPrincipal.CreatePrincipalFromCookieData(authTicket.UserData);
}

However, if a user isn't authenticated, then my cast to CustomPrincipal will fail (because it won't be injected in the method above) and the result of the (User as CustomPrincipal) will return null, thus giving me a null reference exception when my method above attempts to get the email.

What would be a clean solution to this problem? I want to make accessing my custom principal easy and having to do the following seems cumbersome:

@Html.GetGravitarIcon((User is CustomPrincipal) ? (User as CustomPrincipal).Email : "Default Email")

Is this the only way to handle this situation?

Circumvent answered 12/8, 2011 at 18:7 Comment(0)

I whipped something together quickly. One possible way of easily introducing a custom IPrincipal in ASP.NET MVC is the following:

1) Create your own descendant of the IPrincipal interface.

public interface IMyPrincipal : IPrincipal
{
    Guid UserId { get; }
    string EmailAddress { get; }
}

2) Let's assume you are using the ASP.NET Membership provider to authenticate your users. Let's quickly build an IMyPrincipal implementation which utilizes the membership API.

public class MyPrincipal : IMyPrincipal
{
    private MembershipUser _user;

    public MyPrincipal()
    {
        this._user = Membership.GetUser();
        var userName = this._user != null ? this._user.UserName : String.Empty;
        this.Identity = new GenericIdentity(userName);
    }

    public Guid UserId
    {
        get 
        { 
            return this._user != null ? (Guid) this._user.ProviderUserKey : 
                                        default(Guid);
        }
    }

    public string EmailAddress
    {
        get 
        { 
            return this._user != null ? this._user.Email : null;
        }
    }

    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return false; }
}

3) Create your own base class type for your controllers. Hide the inherited User member and introduce your own IPrincipal descendant.

public class BaseController : Controller
{
    protected virtual new MyPrincipal User
    {
        get { return HttpContext.User as MyPrincipal; }
    }
}

4) Have all your controllers descend from this new BaseController type.

public class HomeController : BaseController
{
  //...
}

5) Create your own controller factory to make sure your principal is introduced on the HttpContext / Thread.

public class MyControllerFactory : DefaultControllerFactory
{
    protected override IController GetControllerInstance
        (RequestContext requestContext, Type controllerType)
    {
        try
        {
            var controller = base.GetControllerInstance(requestContext, controllerType);
            requestContext.HttpContext.User = Thread.CurrentPrincipal = new 
                                                    MyPrincipal();
            return controller;
        }
        catch (Exception)
        {
            return base.GetControllerInstance(requestContext, controllerType);
        }
    }
}

6) Register the controller factory in the Global.asax's Application_Start() event handler.

var controllerFactory = new MyControllerFactory();
ControllerBuilder.Current.SetControllerFactory(controllerFactory);

Voila, now you can use the new User (IMyPrincipal) anywhere in your controllers.

For example:

public ActionResult Index()
{
    ViewBag.Message = "Welcome to ASP.NET MVC!";

    ViewBag.UserId = User.UserId;
    ViewBag.UserName = User.EmailAddress;

    return View();
}

Colous answered 13/8, 2011 at 15:25 Comment(0)

You could either create a base class and override the "User" property using the "new" keyword or create an extension method like this:

public static class ControllerExtensions
{
    public static CustomPrincipal CustomPrincipal(this Controller controller)
    {
        if(controller.User is CustomPrincipal)
        {
            return controller.User as CustomPrincipal;
        }
        return null; // maybe return an empty object instead to get around null reference...
    }
}

Paediatrician answered 12/8, 2011 at 18:19 Comment(4)

It might just be me, but I find extension methods annoying for common things, unless they're defined in a common namespace. You can't just click Ctrl-. to automatically include it as normal in Visual Studio. – Tourane 12/8, 2011 at 18:29

Personally I love them but each to their own I guess. This could be placed in the System.Web.Mvc namespace or something so it always gets picked up. – Paediatrician 12/8, 2011 at 19:0

I'm trying to get my head around this at the moment and I don't understand what MyUserClass is. Could you please explain? – Charkha 9/5, 2012 at 20:20

It has been a while since I wrote this and I made an incorrect edit. I think it should return CustomPrincipal instead of MyUserClass. – Paediatrician 10/5, 2012 at 17:34

The best way to make your IPrincipal implementation accessible in your Razor pages using ASP.NET MVC, is doing the following:

Implement the System.Security.Principal.IPrincipal interface.
Implement the System.Security.Principal.IIdentity interface.
In Global.asax define a method for: void Application_AuthenticateRequest(Object, EventArgs) that persists your both implementations of IPrincipal and IIdentity.
Create an extension method for IPrincipal to expose your implementation of IIdentity.
Finally, add the namespace for the previous extension method in your web.config file in <system.web.webPages.razor>.

At the end, you will be able to access your custom implementation of IIdentity instead of type casting. You now can access your custom implementation like this:

Hello @User.CustomIdentity().FirstName @User.CustomerIdentity().LastName!

These steps are a concise and brief description of a well detailed article written here: http://rizzo7.blogspot.com/2012/04/mvc-30-razor-custom-principal-and.html

Unyoke answered 23/11, 2012 at 13:48 Comment(0)

You could create some sort of utility method or add a method to one of your services that checks if it's your custom principal. Maybe something like:

public class UserService : IUserService
{
    public CustomPrincipal CurrentUser
    {
        get
        {
            CustomPrincipal user = HttpContext.Current.User as CustomPrincipal;

            if (user == null)
                return GuestUser; // Just some default user object

            return user;
        }
    }
}

Bagehot answered 12/8, 2011 at 18:24 Comment(0)

You could also make extension methods for the Email and UserID in the same fashion as John Kalberer's answer:

public static class CustomPrincipalExtensions
{
    public static string Email(this CustomPrincipal cUser)
    {
        return cUser != null ? cUser.Email : "Default Email"
    }

    public static string UserID(this CustomPrincipal cUser)
    {
        return cUser != null ? cUser.UserID : "Default ID"
    }
}

Polemoniaceous answered 12/8, 2011 at 18:26 Comment(0)

When not authorized, you could set the user object to a specific instance of the custom principal with default values:

if (authCookie == null)
{
    context.User = CustomPrincipal.Default; // Or CreateDefault()
    return;
}

Tourane answered 12/8, 2011 at 18:27 Comment(0)

Recommended topics

Hot tags