
ASP.NET Security Integration

Printed From: IdeaBlade
Category: DevForce
Forum Name: DevForce 2009
Forum Description: For .NET 3.5
URL: http://www.ideablade.com/forum/forum_posts.asp?TID=1529
Printed Date: 28-Mar-2024 at 6:18am


Topic: ASP.NET Security Integration
Posted By: cjohnson84
Subject: ASP.NET Security Integration
Date Posted: 23-Oct-2009 at 11:12am
I am attempting to build a simple Silverlight application that integrates DevForce with ASP.NET Security.  I have a simple login page with two text boxes and a "Login" button.  I want to authenticate the username and password entered by the user against my SQL Server database.  I have run aspnet_regsql.exe against the database and used the ASP.NET Configuration website to create a couple users and roles in the database.
 
In separate assemblies I have created an entity framework model of my database (excluding the asp.net authentication table) and the dev force model of my database using the DevForce object mapper.  I have modified the web.config of the web application by setting the authentication mode to "Forms" and I have set aspNetCompatibilityEnabled = true.  I have also added the connect string to my database:
 
<connectionStrings>
  <remove name="LocalSqlServer"/>
  <add name="LocalSqlServer" connectionString="Data Source=UDSSRV1\UDSLAB1;Initial Catalog=DevForceTest;Persist Security Info=True;User ID=sa;Password=sa" providerName="System.Data.SqlClient"/>
</connectionStrings>

Is there anything I'm missing here?  I run my application and I am able to "login" regardless of what I enter in the username and password textboxes.  I get no errors.  What do I need to do to at least see my login fail when I run my application in the development environment?



Replies:
Posted By: kimj
Date Posted: 26-Oct-2009 at 11:30am

Currently, the default AspAuthenticatingLoginManager used by DevForce does not throw a LoginException when the user/password is invalid; instead, the returned UserBase.IsAuthenticated property is false.  This was mostly done for legacy purposes and we are looking at modifying this behavior.  For right now, you can easily work around this by creating a custom LoginManager which extends the DevForce AspAuthenticatingLoginManager and overriding a single method.  Here's a complete sample:


using System;
using System.Web.Security;
using IdeaBlade.EntityModel;
namespace Sample {
  /// <summary>
  /// A custom LoginManager extending the DevForce AspAuthenticatingLoginManager.
  /// The DevForce implementation currently allows non-authenticated users to be logged in,
  /// so this class overrides user validation and throws a LoginException
  /// when the user is not authenticated.
  /// </summary>
  public class LoginManager : IdeaBlade.EntityModel.Web.AspAuthenticatingLoginManager {
    protected override bool ValidateUserCore(ILoginCredential credential) {
      // Base class calls Membership.ValidateUser, and returns t/f based on whether
      // the user is authenticated.  If not authenticated, we don't actually know why.
      // The base class does not throw a LoginException if the user is not authenticated,
      // so we do here.
      bool isAuthenticated = base.ValidateUserCore(credential);
      if (isAuthenticated) return isAuthenticated;
      var members = Membership.FindUsersByName(credential.UserName);
      if (members.Count == 0) {
        throw new LoginException(LoginExceptionType.InvalidUserName, "Invalid username");
      } else {
        throw new LoginException(LoginExceptionType.InvalidPassword, "Invalid password");
      }
    }
  }
}
Put the class in a server-side assembly, and add the name of this assembly to the top-level (non-key specific) <probeAssemblyNames> in the config file.
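
Added example, not part of the original thread and not DevForce's own code: a variant of the LoginManager above that still throws on a failed login but raises one identical LoginException for every failure, so the client cannot tell whether a user name exists, while the specific reason goes only to the server-side trace log. The class name UniformFailureLoginManager, the message text, and the reuse of LoginExceptionType.InvalidPassword for all failures are assumptions; the DevForce types and members are the ones shown in the reply.

```csharp
using System;
using System.Diagnostics;
using System.Web.Security;
using IdeaBlade.EntityModel;

namespace Sample {
  /// <summary>
  /// Hypothetical variant of the LoginManager above. The client always receives the
  /// same exception type and message; the real reason is logged on the server only.
  /// </summary>
  public class UniformFailureLoginManager : IdeaBlade.EntityModel.Web.AspAuthenticatingLoginManager {
    // Assumption: one fixed type/message pair is returned for every failed login.
    private const string FailureMessage = "Invalid username or password";

    protected override bool ValidateUserCore(ILoginCredential credential) {
      // Base class calls Membership.ValidateUser and returns true/false.
      if (base.ValidateUserCore(credential)) return true;

      // Record why the login failed where only operators can read it.
      Trace.TraceWarning("Login failed for '{0}': {1}",
        Sanitize(credential.UserName), DescribeFailure(credential.UserName));

      throw new LoginException(LoginExceptionType.InvalidPassword, FailureMessage);
    }

    // Server-side diagnosis only; the result is never sent to the client.
    private static string DescribeFailure(string userName) {
      if (string.IsNullOrEmpty(userName)) return "no user name supplied";
      try {
        // Exact-name lookup (FindUsersByName may treat the value as a search pattern).
        MembershipUser user = Membership.GetUser(userName);
        if (user == null) return "unknown user";
        if (user.IsLockedOut) return "account locked out";
        if (!user.IsApproved) return "account not approved";
        return "wrong password";
      } catch (ArgumentException) {
        // Providers reject names that are too long or otherwise malformed.
        return "malformed user name";
      }
    }

    // Strip line breaks so a submitted user name cannot forge extra log lines.
    private static string Sanitize(string value) {
      return (value ?? string.Empty).Replace("\r", " ").Replace("\n", " ");
    }
  }
}
```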
 


