WCF & ASP.NET Role Provider

Published Friday, February 8, 2008 3:08 PM

So I was talking to Shea Strickland a relatively new starter in readify who is doing some WCF work and asked  about the role provider support in WCF. He pointed me to an article by Dominick Baier who mentioned that the RoleProviderPrincipal in WCF will actually cause a database call each time an IsInRole check is performed.

After some experimentation, this was confirmed by myself to be absolutely true. If a service request comes in, and during the course of that request, you make 3 IsInRole checks (perhaps at various layers of the domain model for example), then the database will get 3 requests to execute a stored proc to check the users role.

By contract, the ASP.NET RolePrincipal will get all the users roles when the first IsInRole check is performed, and then subsequent role checks will not hit the database at all, but rather check against the roles that are in memory.

I was somewhat disappointed by this as it meant that potentially, a lot of extra DB work is being performed, and not exactly what I would call best practice. Luckily, WCF is pretty easy to extend, and again, with the help of an article by Dominick Baier, I created a custom authorisation policy (implements IAuthorizationPolicy) which could be plugged into WCF, and use the standard ASP.NET RolePrincipal, thus getting the behaviour we are after.

To that end, I have created a small library with the authorisation policy code ready for you to download and use.

Simply download the library here, then make a change to your configuration file as shown below.


I would consider this a pretty common requirement if you are using the ASP.NET Role Providers in WCF, so this is why I have made this available. In addition, its a pretty small piece of code, but its still not that easy to discern via just spelunking around WCF (as Dominick already mentioned).

So hopefully this is useful for others.

by Glav
Filed under: , ,


# Robert said on Wednesday, February 13, 2008 8:47 PM

Hi There Glav,

Quick Question about your extended/specialized authorisation policy... Do you also invalidate your in memory cache of roles when a user's profile gets updated?

Let's say myself, Robert is in role Administrator and I get demoted to Support. Would the cache then reflect the fact that I am now in Support or because you ahve stored it in memory would I still be in the Administrator role?



# Gabu said on Thursday, January 7, 2010 5:22 PM


I dont seem to be able to download your zip file.

Please add your sample back.

Appreciate your help.


# Mike DiRenzo said on Wednesday, March 30, 2011 1:02 PM

Where is your example?????


Leave a Comment


This Blog