My friend Dominick responded to my query by pointing to this post where he's shared his thinking:
ASP.NET 2.0 ships with three role providers - one for SQL Server, one for AzMan and one for Windows tokens...
The Windows token provider is special - it only works with Windows authentication whereas all the other providers seem to be more targeted at Forms Authentication (the AzMan provider supports both).
Why do I need a role provider for Windows accounts? You don't have to take care of getting roles for Windows users as they come packaged in the token that gets procuced during authentication in IIS.
Well - the WindowsTokenRole provider can do some optimizations to Windows authentication
- Instead of a WindowsPrincipal you get a RolePrincipal which features a method called GetRoles() that returns all roles as a string array. This is more straightforward than using the code I showed here. You still have access to the underlying WindowsIdentity (Context.User.Identity) and can create a WindowsPrincipal if you have to.
- RoleManager can cache the roles. The first time you call IsInRole, RolePrincipal will fetch all roles from the token (which requires round trips to the DC to translate the SIDs to "human-readable" names. These names can get cached in the roles cookie (.aspxroles). This saves the roundtrip to the DC on subsequent requests.
So this is really just an (optional) optimization for Windows authentication based web apps. If you want to use role caching make sure to set reasonable timeouts (e.g. 30mins) - otherwise group membership changes for the user will have a high latency in your application.
Given that the LSA already caches SID to name mappings, I dont think the second argument holds much water. Maybe the first might make sense, but this seems like a microoptimization, not a *compelling* reason to use WindowsTokenRoleProvider.
I'm still not convinced we need this class. I was originally thinking perhaps it might be useful as a polymorphic meeting place if you happened to be using both forms and integrated auth, which is pretty esoteric - not many people do this sort of thing (it's not obvious to many that it's even possible).
Posted
May 31 2006, 03:20 PM
by
keith-brown