ASP.Net 2.0 Form Authentication
When we tried to use existing business library originally developed for the Windows application in an ASP.Net project, we found that there is a problem in using our security library. The problem was loosing the Identity object in the CurrentPrincipal every time that I the web site does the post back. I posted following question to the ASP.Net forum:
I have a problem with custom authentication on ASP.Net. The website check the login user and password then set the System.Threading.Thread.CurrentPrincipal to an instance of a Principal object implemented IPrincipal Interface.
System.Threading.Thread.CurrentPrincipal = New BusinessPrincipal (“user”, “pass”)
After this stage the System.Threading.Thread.CurrentPrincipal will hold the new user identity:
However, on the next post back the System.Threading.Thread.CurrentPrincipal gets rest, and no longer hold the identity object that has been set in the previous postback
I tested both “Forms” and “Windows” Authentication modes and made no difference:
I will appreciate any comment which can help me to work around this problem.
From the replies to my post I learn that there is much more in to ASP.Net authentication that what I thought. One of the moderators of the forum explained to me that:
Remember that a Windows application actually has a session, ASP.NET just fakes it. Each and every request to an ASP.NET application starts life as a blank sheet. Some parts are filled in by ASP.NET to partially create the illusion of a session, but…
I did further study in ASP.Net authentication and it seems the problem can be solved very easily by using built-in FORM authentication in ASP.Net 2.0
In order to validate the user against a custom table in your database or any similar method you can simple use the Login control in ASP.Net required following steps:
STEP1: Set the authentication mode to FORM
STEP2: Use Login component in ASP page
<asp:Login ID=”Login1″ runat=”server” FailureAction=”RedirectToLoginPage” />
STEP3: On the authenticate event of the Login object validate the user and if user is valid use FormsAuthentication.RedirectFromLoginPage to reflect the result in ASP authentication engine.
Protected Sub Login1_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles Login1.Authenticate With Login1 If .UserName.ToUpper = "TOM".ToUpper and .Password = "pass" Then FormsAuthentication.RedirectFromLoginPage(.UserName, .RememberMeSet) End If End With End Sub
From this moment System.Threading.Thread.CurrentPrincipal.Identity.Name will held the user name, and all the business layer codes can use System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated as the basic security check.
What still remains is the Role base authentication. We do not need it in this project, but I guess we will come across this very soon.