Hybrid security

Old forum URL: forums.lhotka.net/forums/t/7205.aspx


dbrillon posted on Tuesday, June 30, 2009

I have been searching for a solution in the forum for my problem but I could only find a partial answer.

I want to use my business object in a Winforms application. I want the application to do the authentication with the Windows security but I want the authorization to be loaded from the database the same way as in the ProjectTracker sample. What should I do to achieve that?

Is the following solution a valid option?
- Set the security to CSLA
- Create custom Principal and Identity classes

In the Login method of the Principal class use the Windows principal to do the authentication and use the custom principal for the authorisation.

E.g.:

In the CustomPrincipal class I have this method:

public static bool LoginAsWindows()
{
    // Account name of the principal on the current thread
    string windowsId = System.Threading.Thread.CurrentPrincipal.Identity.Name;
    // Look up the custom identity for that account
    CustomIdentity identity = CustomIdentity.GetIdentity(windowsId);
    if (identity.IsAuthenticated)
    {
        CustomPrincipal principal = new CustomPrincipal(identity);
        Csla.ApplicationContext.User = principal;
    }
    return identity.IsAuthenticated;
}

Any suggestion?


RockfordLhotka replied on Tuesday, June 30, 2009

Yes, that is basically what you need to do.

Also, if you are using a 3-tier deployment, so you have an app server, you'll need to configure the app server to disallow anonymous users and set it to impersonate the caller so the Windows identity flows from client to server along with your custom identity (assuming you actually care about the real Windows identity on the server for things like filesystem access, etc).
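
The pattern discussed in this thread, as an added example that is not from either poster and is not CSLA or ProjectTracker code: Windows supplies the authenticated account, and the application supplies the roles. It uses the plain .NET GenericPrincipal in place of a CSLA custom principal and reads the account from WindowsIdentity.GetCurrent(); the HybridLogin class, the RoleTable dictionary (standing in for the database) and the CONTOSO accounts are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

public static class HybridLogin
{
    // Constructed sample data standing in for the roles table in the database.
    static readonly Dictionary<string, string[]> RoleTable =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CONTOSO\alice", new[] { "ProjectManager" } },
            { @"CONTOSO\bob",   new[] { "Guest" } },
        };

    // Authorization: build an application principal for an account that
    // Windows has already authenticated. Returns null (fail closed) when
    // the account has no row in the role store.
    public static IPrincipal BuildPrincipal(string windowsId)
    {
        string[] roles;
        if (string.IsNullOrEmpty(windowsId) || !RoleTable.TryGetValue(windowsId, out roles))
            return null;
        return new GenericPrincipal(new GenericIdentity(windowsId, "Windows"), roles);
    }

    // Authentication: take the account from the OS logon token, never from user input.
    public static bool LoginAsWindows()
    {
        using (WindowsIdentity current = WindowsIdentity.GetCurrent())
        {
            if (!current.IsAuthenticated || current.IsAnonymous || current.IsGuest)
                return false;
            IPrincipal principal = BuildPrincipal(current.Name);
            if (principal == null)
                return false;                    // known to Windows, unknown to the application
            Thread.CurrentPrincipal = principal; // with CSLA: Csla.ApplicationContext.User
            return true;
        }
    }

    public static void Main()
    {
        Console.WriteLine("Logged in: {0}", LoginAsWindows());
        IPrincipal p = BuildPrincipal(@"contoso\ALICE");
        Console.WriteLine("alice is ProjectManager: {0}", p != null && p.IsInRole("ProjectManager"));
        Console.WriteLine("unknown account rejected: {0}", BuildPrincipal(@"CONTOSO\mallory") == null);
    }
}
```

The role lookup is case-insensitive because Windows account names are, and an account with no row gets no principal at all rather than an authenticated principal with an empty role list.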

Copyright (c) Marimer LLC