In the VB book on page 248 the code looks like this:
===================================================================
Public Shared Function Login(ByVal username As String, ByVal password As String) As Boolean
    Dim identity As MyBusinessIdentity = MyBusinessIdentity.GetIdentity(username, password)
    If identity.IsAuthenticated Then
        Dim principal As New MyUser(identity)
        Csla2.ApplicationContext.User = principal
    End If
    Return identity.IsAuthenticated
End Function
===================================================================
I think it should be like this instead:
Public Shared Function Login(ByVal username As String, ByVal password As String) As Boolean
    Dim identity As MyBusinessIdentity = MyBusinessIdentity.GetIdentity(username, password)
    Dim principal As New MyUser(identity)
    Csla2.ApplicationContext.User = principal
    Return identity.IsAuthenticated
End Function
===================================================================
In my web app I called Login and then in the next line of code I set
mMyUser = CType(Thread.CurrentPrincipal, MyUser).
Whenever the login failed, the unauthenticated user was still being logged in because the principal on the thread was my Anonymous principal from the previous hit. Oops!
So in my opinion we should *always* define the principal and set ApplicationContext.User when a login occurs - not just when it is successful. This may not apply to everyone - it depends on your app - but I just tripped over this and thought I would share my experience.
Joe
As I stated, I have an Anonymous principal which is logged in and is "on the thread" - and is in HttpContext. This Anonymous principal is required because I need to fetch data from the DB on my login page - before the real user logs in. This data cannot be fetched by a BO without a Csla principal being "on the thread". So when the real user logs in and fails to authenticate, they still get logged in because of the problem in the code above. This is bad. Luckily this Anonymous principal basically has no permissions so the real user can't do much anyway. But by fixing the code, I ensure that a failed login attempt gets the principal on the thread set correctly and IsAuthenticated no longer returns True (which it does from my Anonymous principal).
Joe
You are getting closer.
The Principal object has to be a Csla principal. So 3 years ago we built a login-anonymous method. I guess if I changed my code to use the new Logout method, my Anonymous user would no longer be authenticated and the issue would go away. Good point.
I still think it is clearer to always set the thread for the Login method based on the result achieved. The If statement should be removed IMO.
Joe
Not sure if this will help, but remember that the data portal does not care if the user is authenticated or not; it just cares that the Identity/Principal pair is of the right type. And you guys are right, logging out first will set the underlying Identity/Principal pair to the right type, and the anonymous user would gain access to the backend to fill the home page.
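The logout-first pattern discussed above, as an added example that is not code from the book or from either poster. It assumes a shared MyBusinessIdentity.UnauthenticatedIdentity() factory (a hypothetical name; the thread only mentions that a Logout method exists) and the MyUser and Csla2.ApplicationContext.User names from the posts; the caller then relies on the Boolean result rather than on whatever principal the previous request left on the thread.

```vb
' Added example, not from the book or the thread.
' Assumes MyBusinessIdentity.UnauthenticatedIdentity() exists (hypothetical name).

' Replace whatever the previous request left on the thread with an
' unauthenticated principal of the correct Csla type, so BOs can still
' run but IsAuthenticated is False.
Public Shared Sub Logout()
    Dim identity As MyBusinessIdentity = MyBusinessIdentity.UnauthenticatedIdentity()
    Csla2.ApplicationContext.User = New MyUser(identity)
End Sub

' Log out first: a failed attempt can then never inherit a stale
' authenticated (or Anonymous) principal from an earlier hit.
Public Shared Function Login(ByVal username As String, ByVal password As String) As Boolean
    Logout()
    Dim identity As MyBusinessIdentity = MyBusinessIdentity.GetIdentity(username, password)
    If identity.IsAuthenticated Then
        Csla2.ApplicationContext.User = New MyUser(identity)
    End If
    Return identity.IsAuthenticated
End Function

' Page code (hypothetical control names): decide on the return value,
' not on Thread.CurrentPrincipal, which is only correct after Logout/Login ran.
Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs)
    If MyUser.Login(txtUser.Text, txtPassword.Text) Then
        mMyUser = CType(Csla2.ApplicationContext.User, MyUser)
        Response.Redirect("Default.aspx")
    Else
        ' ApplicationContext.User is now the unauthenticated principal.
        lblError.Text = "Login failed."
    End If
End Sub
```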
Copyright (c) Marimer LLC