Click here to Skip to main content
Click here to Skip to main content

Extending Forms Authentication - Windows or Custom Authentication

, 28 May 2004
Rate this:
Please Sign up or sign in to vote.
Combines Forms Authentication with Windows or Custom Authenticator.

Sample Image - screenshot.jpg

A working demo of this code can be found here. This only uses the Custom authentication. However, the demo allows you to simply move to Windows authentication.

Introduction

I've been developing a website where I wanted to use Windows authentication but had to cater for browsers that didn't support it. I looked for a possible solution and realized that you could merge Forms and Windows authentication. However, I didn't find a solution that fully met my needs, so I decided to develop my own solution.

How it works

Configuration

The XML code below is placed in the project's web.config file. This is the standard method of configuring the project for Forms authentication.

<authentication mode="Forms">
      <forms name="forms" loginUrl="login.aspx" timeout="15"></forms>
</authentication>

To set the permissions of a sub directory or file within the web project, the authorization information is enclosed within location tags. The example below is the code used within the demo project supplied. It sets the authorization for the 3 private pages denying all users except for those who are grouped within the stated roles. You can also specify individual users by using the name attribute.

<location path="Private1.aspx">
      <system.web>
            <authorization>
                  <allow roles="low, medium, high" />
                  <deny users="*" />
            </authorization>
      </system.web>
</location>
      
      
<location path="Private2.aspx">
      <system.web>
            <authorization>
                  <allow roles="medium, high" />
                  <deny users="*" />
            </authorization>
      </system.web>
</location>
      
      
<location path="Private3.aspx">
      <system.web>
            <authorization>
                  <allow roles="high" />
                  <deny users="*" />
            </authorization>
      </system.web>
</location>

IUserAuthenticator

All authenticators must implement the IUserAuthenticator interface in order to be used by the solution. A base authenticator class is implemented and the WindowsUserAuthenticator is also implemented. All you have to do is extend these classes and add your custom authentication and roles, or if you are using Windows authentication, just add your custom roles. In order to allow the Windows authenticated code to have custom roles, the WindowsPrincipal object is extended and a StringCollection is used to hold the roles.

public interface IUserAuthenticator
{ 
    UserAuthenticationData Authenticate(string username, string password); 
    UserAuthenticationData Authenticate(string username, 
                                          string password, string domain); 
    void AddRoles(UserAuthenticationData uad); 
    string Type{get;}
}

The Authenticate method returns a UserAuthenticationData object which holds all the required data to re-authenticate the user on the next server round trip. This includes:

  • Name
  • Domain
  • Custom Roles
  • If the user is successfully authenticated
  • If Windows authentication is being used
  • User's Windows authentication token

This UserAuthenticationData is serialized and saved within the Forms cookie.

Re-Authentication

Within the project's Gobal.asax FormsAuthentication_Authenticate or Application_AuthenticateRequest methods, the following line of code is required to re-authenticate the user.

ExtendedFormsAuthentication.ReAuthenticate(Context);

If Windows authentication is used, a new identity is created from the UserAuthenticationData token value, and if custom authentication is used then a generic identity is created. The custom roles are also added at this stage.

Code access

As well as restricting access to locations within the web project, this method also allows you to place access security on methods or classes. The demo code below only allows those users that meet the requirements in terms of username or roles to access the method. If the user is not authorized then a SecurityException is thrown.

[PrincipalPermissionAttribute(SecurityAction.Demand, Role="low")]
public static int Do1()
{
      return 1;
}
 
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="medium")]
public static int Do2()
{
      return 2;
}
 
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="high")]
public static int Do3()
{
      return 3;
}
 
[PrincipalPermissionAttribute(SecurityAction.Demand, Name=@"domain\user")]
public static int DoWinUser()
{
      return 4;
}

Update - 30 May 2004

The code now uses a dummy cookie to the timeout value. Removes need for extra appSetting in web.config file.

FormsAuthentication.SetAuthCookie("get_timeout", true);
DateTime expires = 
  FormsAuthentication.GetAuthCookie("get_timeout", true).Expires;

The timeout is placed as you would normally do with Forms authentication - within the forms tag.

<authentication mode="Forms">
      <forms name="forms" loginUrl="login.aspx" timeout="15"></forms>
</authentication>

Mentions

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

McGiv
Web Developer
United Kingdom United Kingdom
I'm a 3rd year student at Uni studing Computing. I've been coding in VB for about 6 years, Java for about 3 and C# for about 2 years.

Comments and Discussions

 
GeneralMissing File ExtFormsAuth.sln PinmemberJeffrey Scott Flesher2-Aug-04 16:43 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web01 | 2.8.140721.1 | Last Updated 29 May 2004
Article Copyright 2004 by McGiv
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid