I am getting my feet wet with CSLA code for the first time. I have PTracker working with Winforms (PTWIN) local proxy only. Now I am trying to determine the best way to use the CSLA framework for my authentication model.
I would like to use Windows authentication but want the users to be prompted again with their Windows login and password. I would also like to use my own application database roles for authorization, not Windows groups.
Assuming this is possible with CSLA, can someone please provide some advice on the cleanest way to get this done?
As a start I know I will have to change the app.config CslaAuthentication setting: <add key="CslaAuthentication" value="Windows" /> which I have done but this disables the login screen.
Thanks in advance.
You'll have to write a different login form to do what you want. You'll want to get the user's Windows credentials, and then you'll need to authenticate them with Windows itself - and there are APIs in .NET to do this (though I don't know them off the top of my head).
You will still want CSLA to use Windows auth - you just need to change your UI to keep track of whether it has re-authenticated the user (because Windows already did the authentication, and so the principal object is already set and correct).
Rocky
My authentication model is a hybrid. I want the users to login to my application with their Windows user credentials even though they are already authenticated but then use the internal roles in my SQL Server database.
I have added the .Net routine which re-authenticates the user against an LDAP server into my login form which is cloned from the PTracker app.
Now I need to determine a way to graft my database roles onto the Identity object since I will be using Windows authentication minus any Windows roles. My Winforms app can continue to use the SecurityDataset from PTracker if I remove the userid.
Any advice on how to best graft the roles is much appreciated.
I'm still trying to figure out how to best graft the application level roles onto the Windows Identity object but in the meantime I thought I'd share the piece I used to do the LDAP authentication. In my login form I added the following:

    ' Re-authenticate this user with Active Directory
    Dim LDAPDomain As String = My.Settings.LDAPDomain
    If ValidateActiveDirectoryLogin(LDAPDomain, Me.txtUsername.Text, Me.txtPassword.Text) Then
        ' Credentials accepted: load the CSLA principal and close the dialog
        GetCurrentUser()
        Me.DialogResult = System.Windows.Forms.DialogResult.OK
        Me.Close()
    Else
        MessageBox.Show("The system cannot log you on. Make sure your username and password are correct.")
    End If

    Private Function ValidateActiveDirectoryLogin(ByVal Domain As String, ByVal Username As String, ByVal Password As String) As Boolean
        Dim Success As Boolean = False
        ' Bind to the domain with the credentials typed into the form
        Dim Entry As New System.DirectoryServices.DirectoryEntry("LDAP://" & Domain, Username, Password)
        Dim Searcher As New System.DirectoryServices.DirectorySearcher(Entry)
        Searcher.SearchScope = DirectoryServices.SearchScope.OneLevel
        Try
            ' The bind actually happens here; a wrong password makes FindOne throw
            Dim Results As System.DirectoryServices.SearchResult = Searcher.FindOne
            Success = Not (Results Is Nothing)
        Catch
            ' Any bind or search failure counts as a failed login
            Success = False
        End Try
        Return Success
    End Function
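The hybrid the two posts above describe (password re-verified against Active Directory, roles taken from the application's own SQL Server table rather than Windows groups), as an added VB.NET example that is not code from the thread or from CSLA. It assumes the posted ValidateActiveDirectoryLogin is reachable from this module, a hypothetical stored procedure dbo.GetUserRoles(@UserName) returning one role name per row over an execute-only database login, and PTWin's local data portal, so the principal placed in Csla.ApplicationContext.User is the one the business objects check.

```vbnet
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient
Imports System.Security.Principal

Public Module HybridLogin

    ' Roles come from the application's own table, never from Windows groups.
    ' Assumed: stored procedure dbo.GetUserRoles(@UserName) returns one role per row.
    Public Function LoadApplicationRoles(ByVal connectionString As String, _
                                         ByVal userName As String) As String()
        Dim roles As New List(Of String)
        Using cn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("dbo.GetUserRoles", cn)
                cmd.CommandType = CommandType.StoredProcedure
                ' Parameterised: the typed user name is data, never SQL text.
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName
                cn.Open()
                Using dr As SqlDataReader = cmd.ExecuteReader()
                    While dr.Read()
                        roles.Add(dr.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return roles.ToArray()
    End Function

    ' Re-verify the password against Active Directory (the posted
    ' ValidateActiveDirectoryLogin), then build the principal from the verified
    ' name plus database roles and hand it to CSLA.
    Public Function Login(ByVal ldapDomain As String, ByVal userName As String, _
                          ByVal password As String, ByVal connectionString As String) As Boolean
        If Not ValidateActiveDirectoryLogin(ldapDomain, userName, password) Then
            ' Failed bind: install an unauthenticated principal so nothing from
            ' an earlier login lingers on the thread.
            Csla.ApplicationContext.User = _
                New GenericPrincipal(New GenericIdentity(""), New String() {})
            Return False
        End If
        Dim roles As String() = LoadApplicationRoles(connectionString, userName)
        ' "LDAP" is only the authentication-type label on the identity.
        Dim identity As New GenericIdentity(userName, "LDAP")
        ' Business objects' IsInRole checks now consult these roles.
        Csla.ApplicationContext.User = New GenericPrincipal(identity, roles)
        Return True
    End Function
End Module
```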
I have made some effort in that regard and enabled Mixed/Dual Authentication: Window and Forms.
http://forums.lhotka.net/forums/thread/22529.aspx
Tarek.
Thanks Tarek,
I ended up using LDAP to authenticate the userid/password. Then I take this userid and build the CSLA principal and identity objects. I have a connection string containing a totally different userid and password which is granted execute access to stored procedures only.
The last piece I need to build is to encrypt the connection string in the app.config file. This is a challenge because my app is clickonce forms which means that I need to use a non-machine dependent method of encrypting the app.config. I am looking at a solution like this one:
http://guy.dotnet-expertise.com/CommentView,guid,b3850894-3a8e-4b0a-aa52-5fa1d1216377.aspx
Dear Warren
Thank you for the feedback about using LDAP.
Just to make sure I understand what you meant.
Did you implement Forms Authentication and validate the username/password against LDAP (Windows Active Directory), i.e., the user enters his username/password and you check the validity of this user using .NET against Active Directory (LDAP)?
If so, could you please kindly post some sample code on how to do such authentication against LDAP?
Thank you again.
Hi TareKahf.
In the post of 05-26-2008, 6:30 PM, you said that you have sample code that enabled Mixed/Dual Authentication. Could you please help me? I tried, but it does not work.
I'm sorry for my English, it is so bad.
Wendy Mejías A.
wmejias@poder-judicial.go.cr
Dear Wendy,
Please check this link for complete details about the required changes you asked for:
http://forums.lhotka.net/forums/25866/ShowThread.aspx#25866
I hope this will be helpful to you.
RockfordLhotka: You'll have to write a different login form to do what you want. You'll want to get the user's Windows credentials, and then you'll need to authenticate them with Windows itself - and there are APIs in .NET to do this (though I don't know them off the top of my head). You will still want CSLA to use Windows auth - you just need to change your UI to keep track of whether it has re-authenticated the user (because Windows already did the authentication, and so the principal object is already set and correct).
That's what I did in
FAQ: How to use Windows authentication in PTracker (PTWin) (C#)
http://forums.lhotka.net/forums/post/28161.aspx
I made some changes to PTracker authentication in order to have Windows Authentication. In fact you just need to change the CslaAuthentication attribute. The nicest thing about it is that you can have both at the same time.
If the user that is authenticated under Windows exists in the users table, it gets logged on with no further questions. Otherwise (the Windows user name doesn't exist in the users table) the login window will ask for username/password. This is quite useful when you have an application on a client but your laptop is not in the client's domain. You can still use your laptop and log in to the application using the application admin username.
Cheers
Tiago Freitas Leal, CslaGenFork (Open Source CSLA code generator)
Hi all,
It's really amazing how many different ways we have found to implement different authentication methods.
I think we can write a book on this!!