RolePrincipal vs. RoleProviderPrincipal

WCF supports the ASP.NET role manager feature to assign roles to clients. However, the semantics of how each stack uses role providers differ slightly. You may run into this when you want to re-use an existing role provider. Here are the details.

ASP.NET
When the role manager feature is enabled, the RoleManagerModule in ASP.NET 2.0 creates a RolePrincipal (System.Web.Security.RolePrincipal) in the PostAuthenticateRequest pipeline event. The RolePrincipal is set on Thread.CurrentPrincipal and Context.User. Initially RolePrincipal does not know the roles of the user, but on the first call to IsInRole, RolePrincipal calls the role provider’s GetRolesForUser() method. This method returns all roles for the user and RolePrincipal caches the role list internally. All subsequent calls to IsInRole go against the cached version of the role list.

The ASP.NET role manager also has some more features like de/serializing the role list and caching it in a cookie.

WCF
When you set the principalPermissionMode to UseAspNetRoles in the serviceAuthorization service behavior, WCF creates a RoleProviderPrincipal (System.ServiceModel.Security.RoleProviderPrincipal) passing in the configured role provider name and sets it on Thread.CurrentPrincipal.

Instead of calling GetRolesForUser(), RoleProviderPrincipal forwards all calls to IsInRole() to the role provider’s IsUserInRole() method. This has some implications.

The minimum requirement for an ASP.NET role provider is to implement GetRolesForUser(). To use the same provider in WCF you also have to implement IsUserInRole().
In WCF, every call to IsInRole or a PrincipalPermission will result in a round-trip to the role store. In ASP.NET only the first call to IsInRole() accesses the role store. The number of roles and the number of role checks in your application decide which approach performs better. Just be aware of that.

To get the same caching behavior in WCF as the RolePrincipal in ASP.NET you would have to use a custom principalPermissionMode and provide your own principal implementation that does its own caching.
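
One way to build the caching principal described above, as an added example (not code from the original post). The class names CachingRolePrincipal and CachingRolePolicy are hypothetical; the sketch assumes the role manager is enabled so that Roles.Provider resolves, that role names compare case-insensitively, and that the policy is registered under authorizationPolicies in the serviceAuthorization behavior with principalPermissionMode="Custom".

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.Web.Security;

// Hypothetical principal: loads the role list once, like RolePrincipal in ASP.NET.
public sealed class CachingRolePrincipal : IPrincipal
{
    private readonly RoleProvider _provider;
    private HashSet<string> _roles; // null until the first IsInRole call

    public CachingRolePrincipal(IIdentity identity, RoleProvider provider)
    {
        Identity = identity;
        _provider = provider;
    }

    public IIdentity Identity { get; private set; }

    public bool IsInRole(string role)
    {
        if (_roles == null)
        {
            // Single round-trip to the role store; later checks use the cache.
            // Case-insensitive comparison is an assumption; match your store.
            _roles = new HashSet<string>(
                _provider.GetRolesForUser(Identity.Name), StringComparer.OrdinalIgnoreCase);
        }
        return role != null && _roles.Contains(role);
    }
}

// Hypothetical policy: hands the principal to WCF when principalPermissionMode="Custom".
public sealed class CachingRolePolicy : IAuthorizationPolicy
{
    public string Id { get { return "CachingRolePolicy"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        object value;
        // No identities yet: return false so the policy is evaluated again later.
        if (!context.Properties.TryGetValue("Identities", out value)) return false;
        var identities = value as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;
        // WCF copies the "Principal" property to Thread.CurrentPrincipal.
        context.Properties["Principal"] = new CachingRolePrincipal(identities[0], Roles.Provider);
        return true;
    }
}
```

The cached role list lives as long as the principal instance, so a role removed in the store is not seen by IsInRole() until a new principal is created.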
