Authentication (Windows & Custom) & Roles

Old forum URL: forums.lhotka.net/forums/t/3043.aspx


JohnB posted on Thursday, June 14, 2007

My environment:
VB.NET
Visual Studio 2005
SQL Server 2000
WinForms application
.NET Remoting
-------------------------------------------------
I have implemented the example that is found in the book for the users and roles using "Csla" for the authentication. I changed "Csla" to "Windows" and my function below returned False, as I expected, because I have no "roles" defined.

'-- Under CslaAuthentication="Windows" the current user is the WindowsPrincipal,
'-- so this is answered by Windows group membership, not by a Roles table.
Public Shared Function CanGetObject() As Boolean
  Return Csla.ApplicationContext.User.IsInRole("Administrator")
End Function

Here is the sample login method that I am working with while I try and understand how the framework works:

------------------------------------------------------
'-- Detect the authentication type
If Csla.ApplicationContext.AuthenticationType = "Windows" Then
    AppDomain.CurrentDomain.SetPrincipalPolicy(System.Security.Principal.PrincipalPolicy.WindowsPrincipal)
Else
    Security.GQPrincipal.Logout()
    Security.GQPrincipal.Login("johnb", "test")
End If

Dim emp As Employee

emp = Employee.GetEmployee(2)
------------------------------------------------------

The GQPrincipal is identical to the PTPrincipal class, as is the GQIdentity class.

Problem: I will need to use both Windows Auth and the custom Auth provided in the CSLA example project.

Question: Is there a proper "CSLA way" of retrieving the roles for a Windows Authenticated user? I have several ideas how I would do this but I wanted to get some input from others who have used the CSLA framework and hear those ideas as well. There are several posts in this forum which briefly talk about this but never really go into any specifics.

Thanks,
JohnB

RockfordLhotka replied on Friday, June 15, 2007

You want to do custom and Windows authentication? So the user will have authenticated with Windows to get to your code, then your code will re-authenticate them?

Or, Windows will have authenticated the user to get to your code, then your code wants to "graft" roles onto the Windows identity?

Either way, you need a custom principal/identity, and either way you'll sometimes delegate the IsInRole() call to the WindowsPrincipal. The only question is whether your custom principal class's Login() method accepts parameters (username/password) or just uses the current WindowsIdentity object - grabbing the username from that identity and retrieving the extra roles.

Public Shared Sub Login()
  ' Take the identity Windows already established for this thread (on the
  ' client) or for the impersonated caller (on the app server); no password
  ' is collected, the extra roles are simply looked up by user name.
  Dim winIdentity As System.Security.Principal.WindowsIdentity = _
    System.Security.Principal.WindowsIdentity.GetCurrent()
  Dim username As String = winIdentity.Name
  Dim identity As MyIdentity = MyIdentity.GetIdentity(username)
  Dim principal As New MyPrincipal(identity)
  Csla.ApplicationContext.User = principal
End Sub

And your IsInRole() is like this:

Public Overrides Function IsInRole(role As String) As Boolean
  Dim identity As MyIdentity = DirectCast(Me.Identity, MyIdentity)
  Dim result As Boolean = identity.IsInRole(role)
  If result Then
    Return True
  Else
    ' Fall back to Windows group membership for the current Windows user
    Dim winPrincipal As New System.Security.Principal.WindowsPrincipal( _
      System.Security.Principal.WindowsIdentity.GetCurrent())
    Return winPrincipal.IsInRole(role)
  End If
End Function

Notice how the custom roles list is checked first, and only if that doesn't satisfy the request is the call delegated to the WindowsPrincipal. You could reverse that logic too - it really doesn't matter which way you do it.
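
The "graft roles onto the Windows identity" design described above, written out as one complete principal/identity pair. This is an added example, not code from the thread or from the CSLA ProjectTracker sample. It assumes CSLA 2.x (Csla.Security.BusinessPrincipalBase, Csla.ApplicationContext.User), replaces the database lookup with a constructed in-memory role table, and uses a placeholder password check; the account names and roles are made up.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

' Identity carrying the application's own role list. The two GetIdentity
' overloads stand in for the CSLA read-only objects that would query the
' Roles table; here they read a constructed in-memory table (assumption).
<Serializable()> _
Public Class MyIdentity
  Implements IIdentity

  Private ReadOnly _name As String
  Private ReadOnly _authType As String
  Private ReadOnly _roles As List(Of String)
  ' Constructed sample data: one LAN (Windows) account, one web account.
  Private Shared ReadOnly RoleTable As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase)
  Shared Sub New()
    RoleTable.Add("CORP\johnb", New String() {"ProjectManager"})
    RoleTable.Add("webuser", New String() {"Supervisor"})
  End Sub
  Private Sub New(ByVal name As String, ByVal authType As String, ByVal roles As IEnumerable(Of String))
    _name = name
    _authType = authType
    _roles = New List(Of String)(roles)
  End Sub
  Public Shared Function UnauthenticatedIdentity() As MyIdentity
    Return New MyIdentity("", "", New String() {})
  End Function
  ' Windows path: the caller is already authenticated, only the extra roles are looked up.
  Public Shared Function GetIdentity(ByVal windowsUserName As String) As MyIdentity
    Dim roles As String() = Nothing
    If Not RoleTable.TryGetValue(windowsUserName, roles) Then roles = New String() {}
    Return New MyIdentity(windowsUserName, "Windows", roles)
  End Function
  ' Csla path: credentials are verified here (placeholder check, assumption).
  Public Shared Function GetIdentity(ByVal userName As String, ByVal password As String) As MyIdentity
    Dim roles As String() = Nothing
    If password = "test" AndAlso RoleTable.TryGetValue(userName, roles) Then
      Return New MyIdentity(userName, "Csla", roles)
    End If
    Return UnauthenticatedIdentity()
  End Function
  Public ReadOnly Property AuthenticationType() As String Implements IIdentity.AuthenticationType
    Get
      Return _authType
    End Get
  End Property
  Public ReadOnly Property IsAuthenticated() As Boolean Implements IIdentity.IsAuthenticated
    Get
      Return _name.Length > 0
    End Get
  End Property
  Public ReadOnly Property Name() As String Implements IIdentity.Name
    Get
      Return _name
    End Get
  End Property
  Public Function IsInRole(ByVal role As String) As Boolean
    Return _roles.Contains(role)
  End Function
End Class

' Principal that checks the application roles first and, for Windows-
' authenticated identities only, falls back to Windows group membership.
<Serializable()> _
Public Class MyPrincipal
  Inherits Csla.Security.BusinessPrincipalBase

  Private Sub New(ByVal identity As IIdentity)
    MyBase.New(identity)
  End Sub
  ' Windows auth (LAN users): wrap the identity Windows already established.
  Public Shared Sub Login()
    Dim winIdentity As WindowsIdentity = WindowsIdentity.GetCurrent()
    Csla.ApplicationContext.User = New MyPrincipal(MyIdentity.GetIdentity(winIdentity.Name))
  End Sub
  ' Csla auth (web users): username/password, never consults Windows.
  Public Shared Function Login(ByVal userName As String, ByVal password As String) As Boolean
    Dim identity As MyIdentity = MyIdentity.GetIdentity(userName, password)
    Csla.ApplicationContext.User = New MyPrincipal(identity)
    Return identity.IsAuthenticated
  End Function
  Public Shared Sub Logout()
    Csla.ApplicationContext.User = New MyPrincipal(MyIdentity.UnauthenticatedIdentity())
  End Sub
  Public Overrides Function IsInRole(ByVal role As String) As Boolean
    Dim identity As MyIdentity = DirectCast(Me.Identity, MyIdentity)
    If identity.IsInRole(role) Then Return True
    ' Delegate to Windows only when Windows established this identity; otherwise
    ' a Csla user would be measured against the server process's own groups.
    If identity.AuthenticationType = "Windows" Then
      Dim winPrincipal As New WindowsPrincipal(WindowsIdentity.GetCurrent())
      Return winPrincipal.IsInRole(role)
    End If
    Return False
  End Function
End Class
```

Two design choices worth noting. The Windows fallback is gated on the identity's AuthenticationType: a custom-authenticated web user never reaches WindowsPrincipal.IsInRole, so the groups of whatever account the app server happens to run under cannot satisfy a role check for that user. And the WindowsPrincipal is rebuilt from WindowsIdentity.GetCurrent() at check time rather than stored in the serializable principal, which is why the app server must actually impersonate the caller (see the IIS/ASP.NET remarks later in this thread); without impersonation, GetCurrent() on the server is the worker process identity, not the LAN user.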

JohnB replied on Friday, June 15, 2007

"You want to do custom and Windows authentication? So the user will have authenticated with Windows to get to your code, then your code will re-authenticate them?
Or, Windows will have authenticated the user to get to your code, then your code wants to "graft" roles onto the Windows identity?"

< FYI, I'm using the PTWin, RemotingHost, and PTWeb. >
Well, sort of both, unless I am confusing myself and/or over-complicating the issue. Using the Project Tracker application as an example, it works fine when I want users to provide a Username and Password. This will work great for my web users but I want my users on the LAN to use Windows integrated (AD) security. When I change the "CslaAuthentication" to "Windows", the WinForms app does not work. The first thing I noticed was that the roles were never populated and therefore always failed when checking for my user in a specific role.

I can see how I can use your suggestion to make Windows (AD) work but is there anything else that I might need to do to make both work? Or am I missing something?

Thanks,
John

RockfordLhotka replied on Friday, June 15, 2007

Oh I see. You have two sets of users. One set should use custom auth, the other should use Windows?

The client and app server must always use the same model. So to do what you want, your web server needs an app server configured to use Csla auth. Your Windows LAN users need an app server configured to use Windows auth.

You can use the same physical app server - just create two virtual roots, and set up the web.config properly in each of them. Obviously there are other differences between the vroots too btw. To get impersonation with Windows auth you need to disable anonymous access and set the impersonation switch in web.config so ASP.NET does the right thing.

My point is that the differences extend beyond CSLA and into IIS and ASP.NET too.
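
The two-vroot setup described above, as an added example of the web.config settings involved (not configuration from the thread or from the ProjectTracker RemotingHost). It assumes CSLA 2.x, which reads the "CslaAuthentication" appSettings key, and omits the remoting registration that both vroots would also need; the comments note the IIS-side settings that web.config cannot express.

```xml
<!-- web.config for the vroot serving LAN users (Windows auth).
     In IIS, anonymous access is disabled on this vroot, so every caller
     arrives as a Windows user; ASP.NET then impersonates that user so the
     app server sees the caller's own WindowsIdentity, not the worker
     process account. The client app.config for these users must use
     CslaAuthentication=Windows and point its data portal at this vroot. -->
<configuration>
  <appSettings>
    <add key="CslaAuthentication" value="Windows" />
  </appSettings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <!-- Refuse unauthenticated callers even if the IIS setting is wrong. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- web.config for the vroot serving web users (custom "Csla" auth).
     Anonymous access stays enabled in IIS; the custom principal travels
     with the data portal call, so no Windows impersonation is used here.
     The web client's configuration must use CslaAuthentication=Csla and
     point at this vroot. -->
<configuration>
  <appSettings>
    <add key="CslaAuthentication" value="Csla" />
  </appSettings>
  <system.web>
    <authentication mode="None" />
    <identity impersonate="false" />
  </system.web>
</configuration>
```

The key point from the reply holds for both halves: a client configured for one model talking to a vroot configured for the other will not get a usable principal, so each client population gets its own data portal URL as well as its own CslaAuthentication value.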

JohnB replied on Friday, June 15, 2007

"Oh I see. You have two sets of users. One set should use custom auth, the other should use Windows?"

Yes that is correct. Now I get it!

Thank you very much for the information and the quick reply, I really appreciate it.

John

Copyright (c) Marimer LLC