ASP.NET Security Integration

   Currently, the default ASPAuthenticatingLoginManager used by DevForce does not throw a LoginException when the user/password is invalid, instead the returned UserBase.IsAuthenticated property is false.  This was mostly done for legacy purposes and we are looking at modifying this behavior.  For right now, you can easily work around this by creating a custom LoginManager which extends the DevForce ASPAuthenticatingLoginManager and overriding  a single method.  Here's a complete sample:

using System;
using System.Web.Security;
using IdeaBlade.EntityModel;
namespace Sample {
  /// <summary>
  /// A custom LoginManager extending the DevForce AspAuthenticatingLoginManager.
  /// The DevForce implementation currently allows non-authenticated users to be logged in,
  /// so this class overrides user validation and throws a LoginException
  /// when the user is not authenticated.
  /// </summary>
  public class LoginManager : IdeaBlade.EntityModel.Web.AspAuthenticatingLoginManager {
    protected override bool ValidateUserCore(ILoginCredential credential) {
      // Base class calls Membership.ValidateUser, and returns t/f based on whether
      // the user is authenticated.  If not authenticated, we don't actually know why.
      // The base class does not throw a LoginException if the user is not authenticated,
      // so we do here.
      bool isAuthenticated = base.ValidateUserCore(credential);
      if (isAuthenticated) return isAuthenticated;
      var members = Membership.FindUsersByName(credential.UserName);
      if (members.Count == 0) {
        throw new LoginException(LoginExceptionType.InvalidUserName, "Invalid username");
      } else {
        throw new LoginException(LoginExceptionType.InvalidPassword, "Invalid password");
      }
    }
  }
}

Put the class in a server-side assembly, and add the name of this assembly to the top-level (non-key specific) <probeAssemblyNames> in the config file.