Mixed authentication

mparsin posted on Wednesday, February 27, 2013

Normal 0 false false false EN-US X-NONE X-NONE

Hi,

We need some expert advice.

Currently our product successfully implements CSLA using Silverlight for the client, but we want to expand our product by implementing other clients. In particular we want to create a Service Layer using the MVC Web API as well as have some HTML pages that will be called from the Silverlight client. Both the WebAPI client and HTML pages would use the same set of CSLA Business objects and the same Authentication mechanism (CustomIdentity and CustomPrincipal) we have already built. We are using Custom and Windows Authentication models.

In summary, this is what we would like to achieve…

Be able to open Asp.Net (html) pages from the Silverlight application without re-authorization. But if the user saves the link to the page and tries to open it from other machine, prompt them for authorization.
Be able to reuse our security objects when implementing REST services with the WebAPI client.

Our question is which of the following would be the best option.

Extend our Web host application? (a very simple MVC web project)
Add additional web project(s) and set up different server-side authentication types.

We would prefer first approach, but we are not sure if mixed authentication configurations are at all possible. Even if they are, would they work smoothly together?

The plan:

Set server-side authentication mode to “Forms”
When a user logs in, apps create a temporary cookie
When a user requests an html page from the Silverlight application “IsAuthenticated” should be “true”. Therefore no login will be required and the Principal will be re-created for each request.

Are we on the right track or are we missing something?

Thanks in advance,

Maxim