Security: Authentication & Authorization

The authentication/authorization concept is based on several key points. A web site consists of pages (files) and folders. The Web.config file defines the security model used for authentication and, for authorization, the locations to which that model applies. See the Web Config and Zones sections.

When a user tries to access a location for which security is defined, she is presented with a login form. The way the user is validated is custom: it can be SQL-based or something else. Once the user is authenticated, she must be given the proper authorization: the authentication cookie is set in code and the user is assigned an appropriate role.


Web.config contains the following code:

<system.web>
	<authentication mode="Forms">
		<forms loginUrl="FLogin.aspx" name="AuthCookie" timeout="30" path="/">
		</forms>
	</authentication>
	<authorization>
		<!-- "?" is the anonymous user: every unauthenticated request is redirected to loginUrl -->
		<deny users="?"/>
	</authorization>
</system.web>

 

Example definition of zones:

<location path="frmInactive.aspx">
	<system.web>
		<authorization>
			<!-- "*" is every user, so this one page stays reachable without logging in -->
			<allow users="*"/>
		</authorization>
	</system.web>
</location>

Then, in code...

Web.config defines frmLogin.aspx as the login page (loginUrl). This page has fields for entering the authentication information (username, password). The code in the button's click event calls the authentication procedure:

cmd_click

    user_authenticate

        set_ticket

User authentication (validation) and Set Ticket are located in the UserAuthentication class. There, the user is checked against the user database or by some other method.
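The authenticate-then-set-ticket sequence above, written out as an added example (not the page's own WebUtil code): the credential check is a constructed stand-in, and the control names txtUser, txtPassword, lblMessage and cmd are assumed.

```vbnet
Imports System
Imports System.Web
Imports System.Web.Security

' UserAuthentication: validation plus SetTicket, as called from cmd_click.
Public Class UserAuthentication
    ' Hypothetical credential check. Returns the role to place in the
    ' ticket, or Nothing when the credentials are rejected. The lookup is a
    ' constructed stand-in; a real store compares a salted password hash.
    Public Shared Function UserAuthenticate(ByVal userName As String, ByVal password As String) As String
        If userName = "demo" AndAlso password = "demo-password" Then
            Return "Member"
        End If
        Return Nothing
    End Function

    ' Builds the forms ticket with the role in UserData (the field that
    ' Application_AuthenticateRequest reads back), encrypts and MACs it via
    ' FormsAuthentication, and writes it as the cookie named in web.config.
    Public Shared Sub SetTicket(ByVal userName As String, ByVal role As String, ByVal response As HttpResponse)
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), _
            False, role, FormsAuthentication.FormsCookiePath)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True                     ' not readable from page script
        cookie.Secure = FormsAuthentication.RequireSSL
        cookie.Path = FormsAuthentication.FormsCookiePath
        response.Cookies.Add(cookie)
    End Sub
End Class

' FLogin.aspx.vb: the button handler that ties the two steps together.
' txtUser, txtPassword, lblMessage and cmd are assumed control names.
Partial Class FLogin
    Inherits System.Web.UI.Page

    Protected Sub cmd_Click(ByVal sender As Object, ByVal e As EventArgs) Handles cmd.Click
        Dim role As String = UserAuthentication.UserAuthenticate(txtUser.Text, txtPassword.Text)
        If role Is Nothing Then
            lblMessage.Text = "Login failed."    ' same text for unknown user and wrong password
            Return
        End If
        UserAuthentication.SetTicket(txtUser.Text, role, Response)
        ' GetRedirectUrl returns the page originally requested, or the default
        ' URL when ReturnUrl is absent or points to another application.
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUser.Text, False))
    End Sub
End Class
```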


Logout code:

' Remove the forms authentication cookie from the response...
System.Web.Security.FormsAuthentication.SignOut()
'Session.Clear()
' ...and end the server-side session so its state cannot be reused.
Session.Abandon()

Response.Redirect("Welcome.aspx")

This is all that's needed.


Global.asax.vb code:

This code assigns a role to the authenticated user on every request. It is infrastructure code and is incorporated into the WebUtil library. The custom role itself is chosen in the SetTicket method, which stores it in the ticket's UserData.

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

	' Runs on every request. Only a request that already carries a valid
	' (decrypted and MAC-checked) forms ticket reaches the role assignment.
	If (Not System.Web.HttpContext.Current.User Is Nothing) Then
		If (HttpContext.Current.User.Identity.IsAuthenticated) Then
			If (HttpContext.Current.User.Identity.AuthenticationType = "Forms") Then

				Dim Id As System.Web.Security.FormsIdentity = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
				Dim Ticket As System.Web.Security.FormsAuthenticationTicket = Id.Ticket

				' One-element array: a VB array bound is the upper index, so
				' UserRoles(1) would add an empty second role.
				Dim UserRoles(0) As String

				' The role is whatever SetTicket stored in the ticket's UserData;
				' it is trusted only because the ticket itself validated.
				UserRoles(0) = Ticket.UserData
				HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(HttpContext.Current.User.Identity, UserRoles)

			End If
		End If
	End If

End Sub

In Session_End, code can be added to mark the user as logged out.