
ASP.NET Security Integration

cjohnson84 (Groupie; Joined: 24-Sep-2009; Location: Akron, Ohio; Posts: 44)
Posted: 23-Oct-2009 at 11:12am
I am attempting to build a simple Silverlight application that integrates DevForce with ASP.NET Security.  I have a simple login page with two text boxes and a "Login" button.  I want to authenticate the username and password entered by the user against my SQL Server database.  I have run aspnet_regsql.exe against the database and used the ASP.NET Configuration website to create a couple users and roles in the database.
 
In separate assemblies I have created an entity framework model of my database (excluding the asp.net authentication table) and the dev force model of my database using the DevForce object mapper.  I have modified the web.config of the web application by setting the authentication mode to "Forms" and I have set aspNetCompatibilityEnabled = true.  I have also added the connect string to my database:
 
<connectionStrings>
  <remove name="LocalSqlServer"/>
  <add name="LocalSqlServer" connectionString="Data Source=UDSSRV1\UDSLAB1;Initial Catalog=DevForceTest;Persist Security Info=True;User ID=sa;Password=sa" providerName="System.Data.SqlClient"/>
</connectionStrings>

Is there anything I'm missing here?  I run my application and I am able to "login" regardless of what I enter in the username and password textboxes.  I get no errors.  What do I need to do to at least see my login fail when I run my application in the development environment?

kimj (IdeaBlade; Joined: 09-May-2007; Posts: 1390)
Posted: 26-Oct-2009 at 11:30am

Currently, the default AspAuthenticatingLoginManager used by DevForce does not throw a LoginException when the user/password is invalid; instead, the returned UserBase.IsAuthenticated property is false.  This was mostly done for legacy purposes and we are looking at modifying this behavior.  For right now, you can easily work around this by creating a custom LoginManager which extends the DevForce AspAuthenticatingLoginManager and overriding a single method.  Here's a complete sample:


using System;
using System.Web.Security;
using IdeaBlade.EntityModel;
namespace Sample {
  /// <summary>
  /// A custom LoginManager extending the DevForce AspAuthenticatingLoginManager.
  /// The DevForce implementation currently allows non-authenticated users to be logged in,
  /// so this class overrides user validation and throws a LoginException
  /// when the user is not authenticated.
  /// </summary>
  public class LoginManager : IdeaBlade.EntityModel.Web.AspAuthenticatingLoginManager {
    protected override bool ValidateUserCore(ILoginCredential credential) {
      // Base class calls Membership.ValidateUser, and returns t/f based on whether
      // the user is authenticated.  If not authenticated, we don't actually know why.
      // The base class does not throw a LoginException if the user is not authenticated,
      // so we do here.
      bool isAuthenticated = base.ValidateUserCore(credential);
      if (isAuthenticated) return isAuthenticated;
      var members = Membership.FindUsersByName(credential.UserName);
      if (members.Count == 0) {
        throw new LoginException(LoginExceptionType.InvalidUserName, "Invalid username");
      } else {
        throw new LoginException(LoginExceptionType.InvalidPassword, "Invalid password");
      }
    }
  }
}
Put the class in a server-side assembly, and add the name of this assembly to the top-level (non-key specific) <probeAssemblyNames> in the config file.
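
A variant of the LoginManager posted above, added here as an example and not part of kimj's post or of DevForce itself: it throws the same LoginException for an unknown user and for a wrong password, so the login form does not reveal which usernames exist, and it writes the actual reason to the server trace log. The class name UniformFailureLoginManager, the message text, and the use of LoginExceptionType.InvalidPassword for every failure are assumptions.

```csharp
using System.Diagnostics;
using System.Web.Security;
using IdeaBlade.EntityModel;

namespace Sample {
  /// <summary>
  /// Added example (hypothetical class name): same override point as the LoginManager
  /// above, but every failure looks identical to the client.
  /// </summary>
  public class UniformFailureLoginManager : IdeaBlade.EntityModel.Web.AspAuthenticatingLoginManager {
    // Assumption: one message and one LoginExceptionType for every failure.
    private const string GenericMessage = "Invalid username or password";

    protected override bool ValidateUserCore(ILoginCredential credential) {
      // Base class calls Membership.ValidateUser and returns false on failure.
      if (base.ValidateUserCore(credential)) return true;

      // Work out the reason for the server log only; it is never sent to the client.
      string userName = credential == null ? null : credential.UserName;
      string reason = "no user name supplied";
      if (!string.IsNullOrEmpty(userName)) {
        // Exact lookup; userIsOnline = false leaves the last-activity stamp untouched.
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null) reason = "unknown user";
        else if (user.IsLockedOut) reason = "account locked out";
        else if (!user.IsApproved) reason = "account not approved";
        else reason = "wrong password";
      }

      // Strip line breaks so a crafted user name cannot forge extra log entries.
      string safeName = (userName ?? "").Replace("\r", " ").Replace("\n", " ");
      Trace.TraceWarning("Login failed for '{0}': {1}", safeName, reason);

      // The client sees the same exception type and message in every case.
      throw new LoginException(LoginExceptionType.InvalidPassword, GenericMessage);
    }
  }
}
```

As with the sample above, the class goes in a server-side assembly listed under <probeAssemblyNames>.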
 