We are working with an old-designed system that is role-based and reads users' roles from webconfig as follows:
    <authentication mode="Forms">
        <forms loginUrl="/UserMgmt/login" timeout="2880" defaultUrl="~/Transaction/Index" enableCrossAppRedirects="true" />
    </authentication>
    <authorization>
        <allow roles="Admin" />
        <allow roles="VicePres" />
        <deny users="*"/>
    </authorization>
I'm looking for a way to remove roles from webconfig and just have them in my database table.
I know it is somehow related to IPrincipal and the IsInRole method, but after hours of googling I could not wrap my head around it.
Where exactly are the webconfig roles bound to the security context, and how should I change it?
Based on a Microsoft article:
When using role-based URL authorization rules the RolePrincipal's IsInRole method will be called on every request to a page that is protected by the role-based URL authorization rules
I've implemented IsInRole and it's looking for roles in a database query object and working fine, but when the roles are removed from Web Config, user login fails.
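Added example, not part of the original post: URL authorization applies the first matching rule, so once the two `<allow roles>` lines are removed, `<deny users="*"/>` matches every user and each request is sent back to the login page. One way to keep role names out of the config is to do the role check in an `AuthorizeRequest` module that asks the database which roles may reach a path. `IPathRoleStore` and `DbRoleAuthorizationModule` are hypothetical names, and the sketch assumes the module is registered in the config and that `<deny users="*"/>` is replaced by `<deny users="?"/>` so only anonymous users are rejected there.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

// Hypothetical abstraction over the roles table; not an ASP.NET type.
public interface IPathRoleStore
{
    // Roles allowed to reach an app-relative path such as "~/Transaction/Index".
    IEnumerable<string> GetAllowedRoles(string appRelativePath);
}

public sealed class DbRoleAuthorizationModule : IHttpModule
{
    // Assumption: assigned once at application start to a database-backed implementation.
    public static IPathRoleStore Store { get; set; }

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Forms authentication sets SkipAuthorization for the login page itself.
        if (ctx.SkipAuthorization) return;

        bool allowed = false;
        if (Store != null && ctx.User != null && ctx.User.Identity.IsAuthenticated)
        {
            string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
            // IsInRole is the poster's database-backed implementation on the principal.
            allowed = Store.GetAllowedRoles(path).Any(ctx.User.IsInRole);
        }

        if (!allowed)
        {
            // Fail closed: no store, no principal, or no matching role means no access.
            // Forms authentication turns the 401 into a redirect to loginUrl.
            ctx.Response.StatusCode = 401;
            app.CompleteRequest();
        }
    }

    public void Dispose() { }
}
```

A path with no rows in the roles table is denied here, which mirrors the deny-by-default intent of the original `<deny users="*"/>` rule.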