User is in role “admin” but [Authorize(Roles=“admin”)] won't authenticate

Frontend | Unresolved | 2 answers | 573 views
Happy的楠姐 2020-12-08 11:57

I found a great answer on SO describing how to set up custom user roles, and I've done the same in my project. So in my Login service I have:

    public Action

2 answers
  • 2020-12-08 12:46

    I would change the principal assignment first:

    // Set both: MVC's AuthorizeAttribute reads HttpContext.User, while other
    // code (and IsInRole checks outside the pipeline) reads Thread.CurrentPrincipal.
    Thread.CurrentPrincipal = userPrincipal;
    if (HttpContext.Current != null)
    {
        HttpContext.Current.User = userPrincipal;
    }
    

    as the ASP.NET documentation states.

    0 Discussion (0)
  • 2020-12-08 12:55

    I would recommend you use a custom authorize attribute instead of Application_AuthenticateRequest:

    using System;
    using System.Security.Principal;
    using System.Web.Mvc;
    using System.Web.Security;

    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            string cookieName = FormsAuthentication.FormsCookieName;

            // No authenticated identity or no forms-auth cookie: reject before touching the ticket.
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated ||
                filterContext.HttpContext.Request.Cookies == null ||
                filterContext.HttpContext.Request.Cookies[cookieName] == null
            )
            {
                HandleUnauthorizedRequest(filterContext);
                return;
            }

            // The ticket is encrypted and MAC'd with the machine key, so the role list in
            // UserData cannot be altered by the client. Decrypt returns null for an
            // unreadable ticket, so guard against that before using it.
            var authCookie = filterContext.HttpContext.Request.Cookies[cookieName];
            var authTicket = FormsAuthentication.Decrypt(authCookie.Value);
            if (authTicket == null)
            {
                HandleUnauthorizedRequest(filterContext);
                return;
            }
            string[] roles = authTicket.UserData.Split(',');

            // Rebuild the principal with the roles from the ticket so the base
            // AuthorizeAttribute role check (Roles = "admin") can see them.
            var userIdentity = new GenericIdentity(authTicket.Name);
            var userPrincipal = new GenericPrincipal(userIdentity, roles);

            filterContext.HttpContext.User = userPrincipal;
            base.OnAuthorization(filterContext);
        }
    }
    

    and then:

    [CustomAuthorize(Roles = "admin")]
    public ActionResult DoAdminStuff() 
    {
        ...
    }
    

    Also, a very important thing is to ensure that an authentication cookie is emitted when you log in, because you return an XML file. Use FireBug to inspect whether the authentication cookie is properly sent when you try to access the url /services/doadminstuff.

    0 Discussion (0)
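Both answers assume a login step that puts the role list into the forms-authentication ticket, and the question never shows it. The following is an added example, not code from the question or from either answer: a login-side helper that issues the ticket with the roles in UserData (the comma-separated format the custom attribute above splits on), and an Application_AuthenticateRequest handler that rebuilds the principal from that ticket and assigns it to both HttpContext.Current.User and Thread.CurrentPrincipal, as the first answer recommends, so that the stock [Authorize(Roles = "admin")] works without a custom attribute. The class names AuthCookieIssuer and MvcApplication, the 30-minute lifetime and the parameter names are assumptions for illustration.

```csharp
// Added example; not from the original question or answers. Names such as
// AuthCookieIssuer and MvcApplication are assumed for illustration.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public static class AuthCookieIssuer
{
    // Call this from the login action after the credentials have been verified.
    // Roles travel inside the encrypted, MAC'd ticket, so the client cannot edit them.
    public static void Issue(HttpResponseBase response, string userName, string[] roles, bool persistent)
    {
        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: userName,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(30),   // assumed lifetime
            isPersistent: persistent,
            userData: string.Join(",", roles),         // what the attribute above splits on ','
            cookiePath: FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,   // honour <forms requireSSL="true">
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        response.Cookies.Add(cookie);
    }
}

public class MvcApplication : HttpApplication
{
    // Runs once per request before any controller: rebuild the principal from the ticket.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (authCookie == null || string.IsNullOrEmpty(authCookie.Value))
        {
            return;   // anonymous request
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception)
        {
            return;   // tampered or mis-keyed cookie: treat as anonymous
        }
        if (ticket == null || ticket.Expired)
        {
            return;   // unreadable or expired ticket: treat as anonymous
        }

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');

        var principal = new GenericPrincipal(new FormsIdentity(ticket), roles);

        // Assign both, as the first answer recommends: the Authorize filter reads
        // HttpContext.User, other code reads Thread.CurrentPrincipal.
        HttpContext.Current.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```

With this in place the login action calls AuthCookieIssuer.Issue(Response, user.Name, new[] { "admin" }, false) after verifying the password, and a later request to an action marked [Authorize(Roles = "admin")] succeeds because the principal handed to the filter already carries the role. If the cookie is missing from the request (the point the second answer makes about returning XML from the login call), the handler returns early and the request is anonymous, which is exactly the symptom in the question.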