Documentation of Authentication and Security

Documentation of Authentication and Security

Old forum URL:

Kirby posted on Friday, March 04, 2011


I'm new to CSLA 4 and try to understand how security and authorization works (Windows Authentication for the first step).

I've bought the CSLA 4 eBook series but the Security book is not available yet. What could you suggest as a beginners documentation for security and Authorization / Authentication for the moment?

Thank You!



RockfordLhotka replied on Saturday, March 05, 2011

The authorization functionality in CSLA is entirely unaffected by your choice of authentication. Authentication is security, authorization is business logic.

My blog has some information about the CSLA 4 authorization rules system, and right now that's the only real documentation around creating authorization rules (and perhaps some other forum posts).

When it comes to authentication, the behavior is the same from 3.8 to 4. The Core 3.8 video series includes a video covering this topic.

Basically for Windows authentication:

  1. Set CslaAuthentication to Windows in client and server config files
  2. Configure your ASP.NET/IIS, WAS, or AppFabric host to use Windows authentication
  3. Set your ASP.NET/IIS, WAS, or AppFabric host to use impersonation in the server config file
  4. Remember the limitations on Windows impersonation (it can impersonate for only one hop), and implement Kerberos if you need multiple hops (I won't cover this in any video or ebook - this is way complex IT Pro networking stuff)

Obviously this all only works if the user is logging into a domain account on their client workstation. That implies that the workstation is part of the domain, or that they are hitting a web page that is domain-secured. I don't (and won't) talk in depth about how to get client workstations and/or web pages to do Windows authentication - those are IT Pro topics that are (in all honesty) outside of my expertise. Because there are many variations on how to configure domain security, client policy, and all that stuff, I focus on how to make CSLA work within the context of a domain that has been set up by a competent IT group.

Copyright (c) Marimer LLC