14.3. The RoleManagerModule
The RoleManagerModule is an HttpModule that is responsible for two main tasks:
Early during the request lifecycle, it places a RolePrincipal instance on HttpContext.Current.User if the Role Manager feature is enabled. This work occurs during the PostAuthenticateRequest event.
At the end of a request, the module serializes the RolePrincipal into a cookie if cookie caching has been enabled for Role Manager. The module does this during the EndRequest event.
The RoleManagerModule also exposes an extensibility point with the GetRoles event. If you want, you can hook this event and add your own IPrincipal implementation to the context. This event is fired just before the module performs its regular processing during PostAuthenticateRequest.
14.3.1. PostAuthenticateRequest
The RoleManagerModule subscribes to the PostAuthenticateRequest pipeline event because it needs to set up a principal after an authenticated identity has been established but before any authorization occurs. In earlier versions of ASP.NET, doing this was a bit tricky because there were no Post* events. However, ASP.NET 2.0 introduced a set of Post* events for every major pipeline event, and this made it very easy for functionality like Role Manager to inject itself at precisely the right time during the authentication and authorization process in the HTTP pipeline.
If the Role Manager feature is not enabled, the module immediately exits. This is important because if you look at the default ...
Get Professional ASP.NET 3.5 Security, Membership, and Role Management with C# and VB now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.