can I make use of user.IsInRole without using Membership?

Question

I\'m using Forms authentication and I would like to make use of roles, can I somehow set the role of the user without Membership ?

Answer 1

You don't need to implement a whole membership provider.

Create your own Principal (which has the IsInRole method) and Identity.
And then make sure your user object (HttpApplication.Context.User) is populated with your principal on each request.
Done. Now the Authorize attribute will be talking to your principal.

Answer 2

A simple way to do it is to store the list of roles in the authentication ticket when the user is authenticated. Then for every request (Application_AuthenticateRequest method of the global.asax file) you extract the roles, add them to a GenericPrincipal object and set the Httpcontext.User property.

Your User.IsInRole("role") and [AuthorizeAttribute(Roles="role")] will then work as normal.

See this answer for code detailing how to do it.

Answer 3

Yes you can.

The only caveat is that roles will not work with an anonymous user (fairly obvious I would have thought) and you'll need some mechanism to set a user's identity (which can be anything you like).

The MSDN article:

Understanding Role Management

contains the following information:

However, role management does not depend on membership. As long as you have a way in your application to set user identity, you can use role management for authorization.

Answer 4

Do you mean "without using ASP.NET's standard Membership implementation"?

If so, then yes, you can by implementing your own Membership and/or Roles provider. See here and here for details about how to implement a Membership/Roles provider.