CodeProject: Custom Authentication provider by implementing IHttpModule, IPrincipal and IIdentity. Free source code and programming help

Report Article

Discuss

Send to a friend

26 votes for this Article.

Popularity: 5.44 Rating: 3.85 out of 5

Introduction

For a real-world Enterprise application, security plays an important role. Forms-based authentication is a popular technique used by many Web sites. With ASP.NET, writing forms authentication is like a breeze. Forms Authentication provider in ASP.NET exposes cookies-based authentication services to applications. But for some of the applications due to the nature of the security requirements, Forms Authentication provider is not a very good fit. Writing your own Custom Authentication provider offers a solution for such applications. With very little code and effort, you can have a role-based authentication system that is platform-agnostic.

Background: Forms Authentication provider - Not a good fit

Lets take a scenario - An application wants to store the following information for a User:

Username
User Primary key (primary Key of the User table)
E-mail
User Full name
Is user an Administrator
Is user authenticated
Roles for the User

Forms Authentication provider uses the FormsAuthenticationModule, FormsIdentity, FormsAuthenticationTicket and GenericPrincipal classes. The application can store the UserName and roles information in the FormsAuthenticationTicket. But this application needs to store other information, which cannot be done using FormsAuthenticationTicket or FormsIdentity class. To achieve this we can create a custom Identity class by implementing IIdentity interface. However, on each Request application needs to get the User's data from the underlying data source (SQL Server, XML , LDAP ) and create a CustomIdentity object with all the details. The code in Login page will be something like this (Listing 1):

Listing 1 - Login.aspx

//Validate User

//SecurityManager is a helper class of your application

if(SecurityManager.ValidateLogin(txtUserName.Text, txtPassword.Text))
{
    //Get a CustomIdentity object with all the details 

    //for the authenticated user

    CustomIdentity identity = SecurityManager.GetUserIdentity(
          txtUserName.Text);
    if(identity != null && identity.IsAuthenticated)
    {
        //Get user Roles

        ArrayList roles = SecurityManager.GetUserRoles(txtUserName.Text);
        //Create a CustomPrincipal object

        CustomPrincipal newUser = new CustomPrincipal(identity, roles);
        Context.User = newUser;
        //Redirect user to the requested page

        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, False);
    }
}

The code in Global.asax will be something like this (Listing 2):

Listing 2 - Global.asax.cs

//Implement an Authentication Request Handler to Construct

// a GenericPrincipal Object

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpCookie authCookie = Request.Cookie[
             FormsAuthentication.FormsCookieName];
    if(authCookie != null)
    {
        //Extract the forms authentication cookie

        FormsAuthenticationTicket authTicket = 
               FormsAuthentication.Decrypt(authCookie.Value);
        // Create an Identity object

        CustomIdentity id = SecurityManager.GetUserIdentity(authTicket.Name);
        //Get user Roles

        ArrayList roles = SecurityManager.GetUserRoles(txtUserName.Text);
        //Create a CustomPrincipal object

        CustomPrincipal newUser = new CustomPrincipal(identity, roles);
        Context.User = newUser;
    }
}

For more details on the above example please visit MSDN - How To: Implement Iprincipal

This approach works fine for some applications but think of the unnecessary overhead it has in retrieving the user details on each Request. If your application can live with such a design than be it. But for some of the very interactive, performance savvy applications, this approach is not suitable. Here, writing a Custom Authentication provider serves the purpose.

Custom Authentication module

Implementing the IHttpModule interface allows you to include custom events that participate in every request made to your application. Custom Authentication can be achieved by implementing IHttpModule and writing a Custom HttpModule. I have created a Custom Authentication provider by implementing IHttpModule. My CustomAuthentication provider has the following classes:

CustomIdentity.cs - Implements IIdentity and contains User details (you can change it as per your requirements).
CustomPrincipal.cs - Implements IPrincipal and represents a Custom Principal object (you can change it as per your requirements).
CustomAuthenticationModule.cs - Implements IHttpModule and handles AuthenticateRequest event of the HttpApplication.
CustomAuthentication.cs - Provides static helper methods like creating a encrypted Authentication string etc.
CustomEncryption.cs - Utility class for encrypting and decrypting authentication string (you can change it to implement your own encryption algo).

The Custom Authentication provider needs the following entries in Web.Config appSettings section:

Listing 3 - Web.config

<!-- Entries required for CustomAuthenticationModule -->
<appSettings>
    <!-- Parameter for the Login page URL (Required) -->
    <add key="CustomAuthentication.LoginUrl" value="/Login.aspx" />
    <!-- Parameter for the Authentication cookie Name (Required) -->
    <add key="CustomAuthentication.Cookie.Name" value=".CUSTOM_AUTH" />
    <!-- Parameter for Timeout for Cookie expiration in minutes 
       (Optional- persist cookie across browser sessions) -->
    <add key="CustomAuthentication.Cookie.Timeout" value="2" />
</appSettings>

Sample Application

There is a sample application, which uses this CustomAuthentication module. To add a custom HttpModule, add the following entries to the Web.config file:

Listing 4 - Web.config

<!-- Add a Custom Authentication module -->
<httpModules>
    <add name="CustomAuthenticationModule" 
       type="CustomSecurity.CustomAuthenticationModule, CustomSecurity" />
</httpModules>

Add the required entries for CustomAuthenticationModule as given above in Listing 3. Please see the required code in login page. This is the only code you need to write (Listing 5).

Listing 5 - Login.aspx

//Write your own Authentication logic here

if(this.username.Text != "" && this.password.Text !="")
{
    //Write your own code to get the User Roles

    ArrayList roles = new ArrayList();
    roles.Add("Manager");

    if(this.username.Text == "superuser")
        roles.Add("Administrator");

    roles.Add("ITUser");

    //Convert roles into pipe "|" separated string

    System.Text.StringBuilder strRoles = new System.Text.StringBuilder();
    foreach(string role in roles)
    {
        strRoles.Append(role);
        strRoles.Append("|");
    }

    //Create a CustomIdentity object

    CustomIdentity userIdentity = new CustomIdentity(this.username.Text, 
        1, true, true, this.username.Text, 
        "someuser@some.com", strRoles.ToString());
    //Create a CustomPrincipal object

    CustomPrincipal principal = new CustomPrincipal(userIdentity, roles);
    Context.User = principal;
    //Redirect user

    CustomAuthentication.RedirectFromLoginPage(userIdentity);
}

You can access the CustomIdentity and CustomPrincipal object in any aspx page or in any class of middle layer of your application using the following code (Listing 6):

Listing 6 - Home.aspx

//Get the CustomIdentity in aspx pages from the HttpContext

this.user1.Text = ((CustomIdentity)Context.User.Identity).UserFullName;

//Get the CustomIdentity in any class in middle layer from the Thread

this.user2.Text = ((CustomIdentity)
    Thread.CurrentPrincipal.Identity).UserFullName;
role.Text =  Thread.CurrentPrincipal.IsInRole("Administrator").ToString();

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

I Piscean

Occupation:	Web Developer
Location:	United States

Other popular Web Security articles:

Role-based Security with Forms Authentication
Provides insight and tips on using role-based (groups) Forms Authentication in ASP.NET, which has only partial support for roles.
Switching Between HTTP and HTTPS Automatically: Version 2
An article on automatically switching between HTTP and HTTPS protocols without hard-coding absolute URLs
Cookieless ASP.NET forms authentication
They say it is not possible to use cookieless forms authentication in .NET. Well it is, and relatively easy to accomplish!
Single sign-on across multiple applications in ASP.NET
By default, Forms authentication does not support single sing-on accross multiple applications. But is not too complicated to tweak it the appropriate way.
HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0
Discussing how to encode and tamper-proof text and cookies using the MachineKey, by using reflection.

Article Top

You must Sign In to use this message board.

Msgs 1 to 24 of 24 (Total in Forum: 24) (Refresh)

FirstPrevNext

Subject

Author

Date

AutoPostBack="True"

feifei_2005

17:06 20 Dec '07

Add a Control and AutoPostBack="True", The Exception: [SerializationException: unparsed members "CustomSecurity.CustomPrincipal, CustomSecurity, Version = 1.0.2911.19864, Culture = neutral, PublicKeyToken = null" type. ] If AutoPostBack="false" is OK! AutoPostBack
Sign In·View Thread·PermaLink

don`t download!

feifei_2005

0:52 19 Dec '07

I don`t download! hello
Sign In·View Thread·PermaLink	1.00/5 (2 votes)

Authentication Mode

sergiosulpizio@yahoo.it

1:51 19 Feb '07

I get the following exception: Unable to cast object of type 'System.Security.Principal.WindowsIdentity' to type 'CustomSecurity.CustomIdentity'. I tried to change authentication mode but it doesn't work..
Sign In·View Thread·PermaLink	2.67/5 (3 votes)

Re: Authentication Mode

brharsh

12:13 14 Jun '07

I get the same error - trying to get this going in 2.0 have the same error in another example casting from FormsIdentity to CustomIdentity hey
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Re: Authentication Mode

Sergio Pereira

7:08 19 Jul '07

I haven't tried this, but check that you do not have FormsAuthentication turned on in your web.config. I think this will turn it off : ... the rest ... ... _______________________ Sergio Pereira
Sign In·View Thread·PermaLink

And Logout?

s.belia

22:56 14 Mar '06

How can I implement the logout function with your customauthentication?
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Re: And Logout?

boonkerz

10:47 10 Sep '06

I have the same Problem
Sign In·View Thread·PermaLink

Re: And Logout?

BostonIdiot

8:22 4 Oct '08

Wouldn't removing the cookie serve as logging out? I am just guessing....
Sign In·View Thread·PermaLink

IsInRole - no longer working?

luzer

12:58 23 Feb '06

hi

i would like to use the CustomIdentity class, to store a users PK, etc.

but, my code was working with both Windows and Form based auth.

in windows, the Context.User.Identity.IsInRole would work - checking the users AD groups- on the fly.
in Forms, it would check the roles stored in the cookie - that was populated off the DB.

this doesnt work anymore in windows mode.

any suggestion why not?

2.00/5 (1 vote)

extensions caught

Jon Eden

6:13 10 May '05

Hi,

I'm wondering about the extensions captured by this technique. In IIS you set the specific file types that should be caught and handled by the aspnet_isapi.dll. Is there any good reason not to use the wildcard for any unknowns. I'm thinking that if people are uploading pdfs, jpgs, jpegs etc then eventually certain file types will be uploaded that don't get caught and hence a security risk appears....

Any thoughts?

Cheers,

Jon

How does this work with web.config authorization

Jimmy S

0:21 30 Oct '04

Works a treat for authentication, but seems to overide any authorization settings I have in my web.config file. Any ideas on how to make it authenticate only on pages/directories I specify in web.config?
Sign In·View Thread·PermaLink	2.00/5 (3 votes)

Expiration Problem

arulraj007

4:09 25 Aug '04

If I set the CustomAuthentication.Cookie.Expiration = 20 Mins. Application Expires in 20 mins, no matter what you make server calls or not. My understanding is If we make server call cookies expiration should be reset. Can anyone let me know how to fix this problem or am I doing something wrong. Thanks. Arulraj
Sign In·View Thread·PermaLink	1.67/5 (3 votes)

Re: Expiration Problem

SUPER_ZORRO

1:30 27 Jan '06

Try add theis code to CustomAuthenticationModule


public void Init(HttpApplication httpapp)
		{
			this.app = httpapp;
			app.AuthenticateRequest += new EventHandler(this.OnAuthenticate);
			app.BeginRequest+= new EventHandler(this.OnBeginRequest);
		}

		void OnBeginRequest(object sender, EventArgs e)
		{
			app = (HttpApplication)sender;
			HttpRequest req = app.Request;
			HttpResponse res = app.Response;

			if(req.Cookies.Count==0) return; 
		
			string cookieName = ConfigurationSettings.AppSettings[CustomAuthentication.AUTHENTICATION_COOKIE_KEY];
			if(cookieName == null || cookieName.Trim() == String.Empty)
			{
				throw new Exception("CustomAuthentication.Cookie.Name entry not found in appSettings section section of Web.config");
			}

			string cookieExpr = ConfigurationSettings.AppSettings[CustomAuthentication.AUTHENTICATION_COOKIE_EXPIRATION_KEY];
			if(cookieExpr == null || cookieExpr.Trim() == String.Empty)
			{
				throw new Exception("CustomAuthentication.Cookie.Timeout entry not found in appSettings section section of Web.config");
			}

			HttpCookie cookie = req.Cookies[cookieName.ToUpper()];
			if(cookie==null) return;
			cookie.Expires = DateTime.Now.AddMinutes(int.Parse(cookieExpr));
		}

Configuration Error

abee-fish

5:58 19 Aug '04

I'm getting an error when trying to run my application. It appear that when trying to load the httpModule it searches in the bin directory. Here's the output:

Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: File or assembly name ChangeControl.CustomSecurity, or one of its dependencies, was not found.

Source Error:

Line 68: 
Line 69:
Line 70: Line 71: name="CustomAuthenticationModule"/>
Line 72: 

Source File: c:\inetpub\wwwroot\ChangeControl\web.config Line: 70

Assembly Load Trace: The following information can be helpful to determine why the assembly 'ChangeControl.CustomSecurity' could not be loaded.

=== Pre-bind state information ===
LOG: DisplayName = ChangeControl.CustomSecurity
(Partial)
LOG: Appbase = file:///c:/inetpub/wwwroot/ChangeControl
LOG: Initial PrivatePath = bin
Calling assembly : (Unknown).
===

LOG: Policy not being applied to reference at this time (private, custom, partial, or location-based assembly bind).
LOG: Post-policy reference: ChangeControl.CustomSecurity
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v1.1.4322/Temporary ASP.NET Files/changecontrol/c1cd7e7e/416a3947/ChangeControl.CustomSecurity.DLL.
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v1.1.4322/Temporary ASP.NET Files/changecontrol/c1cd7e7e/416a3947/ChangeControl.CustomSecurity/ChangeControl.CustomSecurity.DLL.
LOG: Attempting download of new URL file:///c:/inetpub/wwwroot/ChangeControl/bin/ChangeControl.CustomSecurity.DLL.
LOG: Attempting download of new URL file:///c:/inetpub/wwwroot/ChangeControl/bin/ChangeControl.CustomSecurity/ChangeControl.CustomSecurity.DLL.
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v1.1.4322/Temporary ASP.NET Files/changecontrol/c1cd7e7e/416a3947/ChangeControl.CustomSecurity.EXE.
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v1.1.4322/Temporary ASP.NET Files/changecontrol/c1cd7e7e/416a3947/ChangeControl.CustomSecurity/ChangeControl.CustomSecurity.EXE.
LOG: Attempting download of new URL file:///c:/inetpub/wwwroot/ChangeControl/bin/ChangeControl.CustomSecurity.EXE.
LOG: Attempting download of new URL file:///c:/inetpub/wwwroot/ChangeControl/bin/ChangeControl.CustomSecurity/ChangeControl.CustomSecurity.EXE.

Re: Configuration Error

abee-fish

8:19 19 Aug '04

I found my own solution. I'm new to .NET and I didn't realize I needed to create a .dll from the CustomSecurity download and then add that to my references. It all works fine now. I'm just working on the logoff scenario now. abee
Sign In·View Thread·PermaLink

RE: Custom Auth bet with no cookies

pughster

5:35 23 Apr '04

It would help me if you already have thoughts on this code when applied to cookieless sessioning (Web.config / sessionState / cookieless="true"). If you can get me started with some idea on that I will echo-back my final results in a later post. pughster
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Nice code!

bhardman

3:51 23 Apr '04

Any thoughts on how to go about how to limit access to only certain pages or folders in the site?   With regular forms auth I've been using the <location> tag in web.config.   I suppose a similar solution is in order, just trying to decide where best to put the checks.

I added the following signout code to CustomAuthentication.cs, which seems to work ok.

          public static void SignOut()
          {
               string cookieName = ConfigurationSettings.AppSettings[AUTHENTICATION_COOKIE_KEY];

               HttpRequest request = HttpContext.Current.Request;
               HttpResponse response = HttpContext.Current.Response;

               HttpCookie userCookie = new HttpCookie(cookieName.ToUpper(), null);
               userCookie.Expires = DateTime.Now.AddDays(-1);
               response.Cookies.Add(userCookie);

               string returnUrl = request["ReturnUrl"];
               if(returnUrl != null && returnUrl.Trim() != String.Empty)
               {
                    response.Redirect(returnUrl, false);
               }
               else
               {
                    response.Redirect(request.ApplicationPath + "/default.aspx", false);
               }
          }

/brettman

2.25/5 (4 votes)

web service

qjia

4:25 11 Mar '04

How does web service use the Custom Authentication ? thx Jason
Sign In·View Thread·PermaLink	2.00/5 (3 votes)

multiple user login

Tata Taufik

16:01 23 Feb '04

Hi, I observe that the custom authentication only works for single user login in one PC. It's simply because the same cookie name used. Is there any solution to enable multiple user login in one PC?
Sign In·View Thread·PermaLink	1.67/5 (3 votes)

Updated Version?

Ozzie

9:00 23 Jan '04

I was wondering if you had an updated version of this article? I had found a bug or 2 while compiling, and I could not quite get the cookie to register correctly.

A nice addition to the code would be a full scenario - go to a page which forces you to logon, with a logoff page so you could demonstrate removing the cookie from the browser session.

Just an idea. Nice article - I have not seen any similiar.

It someone has, could they point them out to me? Cool

Thanks,
Doug

Don't spend your life just wishing - http://www.AllGiftRegistry.com

5.00/5 (1 vote)

authentication mode?

Larkin

11:27 22 Jan '04

In your VS project download, the web.config file has authentication mode set to "Windows". Is this correct or is this a mistake? Doesn't make much sense to set authentication mode to Windows when you are implementing a custom authentication scheme.
Sign In·View Thread·PermaLink	2.00/5 (2 votes)

Re: authentication mode?

netclectic

5:19 20 Feb '04

Setting the authentication mode in web.config doesn't appear to make any difference, presumably because you're overriding the behaviour of the AuthenticateRequest event.
Sign In·View Thread·PermaLink	2.29/5 (6 votes)

Last Visit: Monday, October 13, 2008 12:58 PM Last Update:Monday, October 13, 2008 12:58 PM

General News Question Answer Joke Rant Admin