Vibrant discussion about CSLA .NET and using the framework to build great business applications.

Mixed authentication

    mparsin posted on Wed, Feb 27 2013 9:30 AM


     We need some expert advice.

    Currently our product successfully implements CSLA using Silverlight for the client, but we want to expand our product by implementing other clients.  In particular we want to create a Service Layer using the MVC Web API as well as have some HTML pages that will be called from the Silverlight client.  Both the WebAPI client and HTML pages would use the same set of CSLA Business objects and the same Authentication mechanism (CustomIdentity and CustomPrincipal) we have already built. We are using Custom and Windows Authentication models.

     In summary, this is what we would like to achieve…

    1. Be able to open ASP.NET (HTML) pages from the Silverlight application without re-authorization.  But if the user saves the link to the page and tries to open it from another machine, prompt them for authorization.
    2. Be able to reuse our security objects when implementing REST services with the WebAPI client.

    Our question is which of the following would be the best option.

    1. Extend our Web host application?  (a very simple MVC web project)
    2. Add additional web project(s) and set up different server-side authentication types.

    We would prefer the first approach, but we are not sure if mixed authentication configurations are at all possible.  Even if they are, would they work smoothly together?

    The plan:

    • Set server-side authentication mode to “Forms”
    • When a user logs in, apps create a temporary cookie
    • When a user requests an HTML page from the Silverlight application, “IsAuthenticated” should be “true”. Therefore, no login will be required and the Principal will be re-created for each request.


    Are we on the right track or are we missing something?


    Thanks in advance,



    Copyright (c) 2006-2014 Marimer LLC. All rights reserved.