Extending Forms Authentication - Windows or Custom Authentication

By McGiv

Combines Forms Authentication with Windows or Custom Authenticator.
C#, Windows, .NET 1.1, ASP.NET, Visual Studio, Dev
Posted:28 May 2004
Views:79,699
Bookmarked:52 times
Sample Image - screenshot.jpg

A working demo of this code can be found here. The demo uses only the custom authenticator, but it is written so that you can switch it to Windows authentication with little change.

Introduction

I've been developing a website where I wanted to use Windows authentication but had to cater for browsers that didn't support it. I looked for a possible solution and realized that you could merge Forms and Windows authentication. However, I didn't find a solution that fully met my needs, so I decided to develop my own solution.

How it works

Configuration

The XML code below is placed in the project's web.config file. This is the standard method of configuring the project for Forms authentication.

<authentication mode="Forms">
      <forms name="forms" loginUrl="login.aspx" timeout="15"></forms>
</authentication>

To set the permissions of a sub-directory or file within the web project, the authorization rules are enclosed within location tags. The example below is the configuration used in the supplied demo project. It sets the authorization for the three private pages, denying all users except those who belong to the stated roles. Individual users can be listed in the same way (the users attribute, as in the deny rule).

<location path="Private1.aspx">
      <system.web>
            <authorization>
                  <allow roles="low, medium, high" />
                  <deny users="*" />
            </authorization>
      </system.web>
</location>

<location path="Private2.aspx">
      <system.web>
            <authorization>
                  <allow roles="medium, high" />
                  <deny users="*" />
            </authorization>
      </system.web>
</location>

<location path="Private3.aspx">
      <system.web>
            <authorization>
                  <allow roles="high" />
                  <deny users="*" />
            </authorization>
      </system.web>
</location>

IUserAuthenticator

All authenticators must implement the IUserAuthenticator interface in order to be used by the solution. A base authenticator class is provided, and a WindowsUserAuthenticator is implemented on top of it. All you have to do is extend these classes and add your custom authentication and roles, or, if you are using Windows authentication, just add your custom roles. To let a Windows-authenticated user carry custom roles, the WindowsPrincipal object is extended and a StringCollection is used to hold the roles.

public interface IUserAuthenticator
{
    // Verify the credentials and return the data needed to re-create the
    // user on later requests (custom authentication, no domain).
    UserAuthenticationData Authenticate(string username, string password);
    // Same, with a domain (Windows authentication).
    UserAuthenticationData Authenticate(string username,
                                        string password, string domain);
    // Populate the custom roles for an authenticated user.
    void AddRoles(UserAuthenticationData uad);
    // Identifies the authenticator (e.g. custom or Windows).
    string Type { get; }
}

The Authenticate method returns a UserAuthenticationData object which holds all the required data to re-authenticate the user on the next server round trip. This includes:

  • Name
  • Domain
  • Custom Roles
  • If the user is successfully authenticated
  • If Windows authentication is being used
  • User's Windows authentication token

This UserAuthenticationData is serialized and saved within the Forms cookie.

Re-Authentication

Within the project's Global.asax, in either the FormsAuthentication_Authenticate or the Application_AuthenticateRequest method, the following line of code is required to re-authenticate the user on each request.

ExtendedFormsAuthentication.ReAuthenticate(Context);

If Windows authentication is used, a new identity is created from the Windows token stored in the UserAuthenticationData; if custom authentication is used, a generic identity is created instead. The custom roles are also attached to the principal at this stage.
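As an added illustration of the IUserAuthenticator data and the re-authentication step above (this is example code, not the article's ExtendedFormsAuthentication class), the round trip below packs the UserAuthenticationData into the forms ticket at login and rebuilds the principal from it on each request. It assumes a minimal UserAuthenticationData with the fields the article lists, covers only the custom (non-Windows) path, and assumes names and roles contain no '|' or ',' characters.

```csharp
using System;
using System.Collections.Specialized;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical minimal UserAuthenticationData with the fields the article lists
// (the Windows token is omitted: this example covers the custom path only).
public class UserAuthenticationData
{
    public string Name;
    public string Domain;
    public bool IsAuthenticated;
    public StringCollection Roles = new StringCollection();
}

public class TicketRoundTrip
{
    // Login: pack domain, name and roles into the ticket's UserData. FormsAuthentication.Encrypt
    // applies the configured protection (encryption plus MAC with the default protection="All"),
    // so the browser cannot edit its own role list.
    public static void SignIn(HttpContext ctx, UserAuthenticationData uad, int timeoutMinutes)
    {
        string[] roles = new string[uad.Roles.Count];
        uad.Roles.CopyTo(roles, 0);
        string userData = uad.Domain + "|" + uad.Name + "|" + String.Join(",", roles);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, uad.Name,
            DateTime.Now, DateTime.Now.AddMinutes(timeoutMinutes), false, userData);
        ctx.Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)));
    }

    // Every request (Application_AuthenticateRequest): rebuild the principal from the ticket
    // so <allow roles="..."> rules and PrincipalPermission demands see the custom roles.
    public static void ReAuthenticate(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;                       // no ticket: request stays anonymous
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }                     // MAC/decrypt failure: tampered cookie
        if (ticket == null || ticket.Expired) return;     // stale ticket: stay anonymous
        string[] parts = ticket.UserData.Split('|');
        string[] roles = parts[2].Length == 0 ? new string[0] : parts[2].Split(',');
        ctx.User = new GenericPrincipal(new GenericIdentity(ticket.Name, "Custom"), roles);
    }
}
```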

Code access

As well as restricting access to locations within the web project, this approach lets you place access checks on individual methods or classes. In the demo code below, each method can only be called by a user who satisfies the demanded role or username. If the current user is not authorized, a SecurityException is thrown.

[PrincipalPermissionAttribute(SecurityAction.Demand, Role="low")]
public static int Do1()
{
      return 1;
}
 
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="medium")]
public static int Do2()
{
      return 2;
}
 
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="high")]
public static int Do3()
{
      return 3;
}
 
[PrincipalPermissionAttribute(SecurityAction.Demand, Name=@"domain\user")]
public static int DoWinUser()
{
      return 4;
}

Update - 30 May 2004

The code now uses a dummy cookie to obtain the timeout value, which removes the need for an extra appSetting in the web.config file.

// Build a throwaway ticket for a dummy user; with a persistent cookie its Expires
// value reflects the timeout configured in the forms tag. Note that SetAuthCookie
// also adds this dummy cookie to the Response, so the real auth cookie must be set
// afterwards to replace it.
FormsAuthentication.SetAuthCookie("get_timeout", true);
DateTime expires =
  FormsAuthentication.GetAuthCookie("get_timeout", true).Expires;

The timeout is set where it normally is for Forms authentication: in the timeout attribute of the forms tag.

<authentication mode="Forms">
      <forms name="forms" loginUrl="login.aspx" timeout="15"></forms>
</authentication>

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

About the Author

McGiv


Member
I'm a 3rd year student at Uni studying Computing. I've been coding in VB for about 6 years, Java for about 3 and C# for about 2 years.
Occupation: Web Developer
Location: United Kingdom

Last Updated: 28 May 2004
Editor: Smitha Vijayan
Copyright 2004 by McGiv