I am planning to use CSLA as the BL for a web API (similar to ASP.Net MVC). All of the requests to the API must be authenticated and I'm having trouble understanding how CSLA works in this scenario. My web API layer can manage to keep a session in process to identify incoming requests using a token in the HTTP header, so I can know who my users are once they have logged in.
Once a request is made to my API I can pass the credentials to CSLA to authenticate the user. But after the user is authenticated, how do I maintain a session that CSLA is aware of so I don't have to authenticate the user on each request? Would I have to store an instance of the business layer in session state? Any help would be appreciated.
In your global.asax you'll wire up an event for AuthenticationHandler, I think that's the event. You'll use your token and rebuild your Principal / Identity and set it via Csla.ApplicationContext.User property.
The most flexible way then is to think of the IPrincipal's IsInRole instead as being a HasPermission call; you then load up the roles of the principal with all the permissions the user has, and your list can then check that the user has the permission to do whatever action.
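An added illustration of the two answers above (not code from the original posts or from CSLA itself): the principal is rebuilt from the request token on every request and assigned to Csla.ApplicationContext.User, and its "roles" are really permission names so IsInRole acts as HasPermission. The header name, the ISessionStore/SessionEntry types and the "Customer.Edit" permission are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Hypothetical in-process store the web layer fills at login: token -> user + permissions.
public sealed class SessionEntry { public string UserName; public IEnumerable<string> Permissions; }
public interface ISessionStore { bool TryGet(string token, out SessionEntry entry); }

public sealed class PermissionIdentity : IIdentity
{
    public PermissionIdentity(string name, bool isAuthenticated) { Name = name; IsAuthenticated = isAuthenticated; }
    public string Name { get; private set; }
    public bool IsAuthenticated { get; private set; }
    public string AuthenticationType { get { return "Token"; } }
}

// Roles are loaded as permission names, so IsInRole("X") answers "does the user hold permission X?"
public sealed class PermissionPrincipal : IPrincipal
{
    private readonly HashSet<string> _permissions;
    public PermissionPrincipal(IIdentity identity, IEnumerable<string> permissions)
    {
        Identity = identity;
        _permissions = new HashSet<string>(permissions, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return _permissions.Contains(role); }
}

public class Global : HttpApplication
{
    public static ISessionStore Sessions; // populated by the login endpoint (assumption)

    // Runs once per request: no business objects are kept in session state,
    // only the lightweight principal is rebuilt from the server-side token entry.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        var token = Request.Headers["X-Auth-Token"]; // header name is an assumption
        SessionEntry entry;
        if (!string.IsNullOrEmpty(token) && Sessions.TryGet(token, out entry))
            Csla.ApplicationContext.User =
                new PermissionPrincipal(new PermissionIdentity(entry.UserName, true), entry.Permissions);
        else // unknown or missing token: anonymous principal with no permissions, so every check fails
            Csla.ApplicationContext.User =
                new PermissionPrincipal(new PermissionIdentity(string.Empty, false), new string[0]);
    }
}

// In a business object, an authorization check then reads as a permission check:
//   if (!Csla.ApplicationContext.User.IsInRole("Customer.Edit")) throw new System.Security.SecurityException("Customer.Edit required");
```

Because the entry is looked up server-side on each request, revoking a token in the store takes effect immediately without any client-side state to invalidate.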
Copyright (c) Marimer LLC