ASP.NET MVC - manually allow someone and save authorization using forms authentication

I want to take advantage of forms authentication in ASP.NET. I want it to keep the authorization for me and all that, but in my situation one thing is different. I want to authenticate against a simple web service (specifically provided by the client).

I have my own code to look at the website and see if they should be logged in, but how do I set the cookie flag [?] or authorization in ASP.NET so that it knows that the current user is logged in?

Mostly...

    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        // we're all good
    }
    else
    {
        // Otherwise...
        bool success = CheckClientsWebService(username, password);
        if (success)
        {
            // Somehow tell .NET that they're authorized
        }
    }

* Note. This is a fairly simple service that does not apply to groups or roles. Just check if the user can view the site.

+7
3 answers

In forms authentication, isn't the proof of who you are in the authentication cookie? With that in mind, could you create a ticket in a custom login form without having to create a custom provider? I definitely think you can. Do a quick test: create a forms authentication ticket and see if the out-of-the-box membership provider considers the user authenticated.

I was curious - so this is the code ...

Model

    public class SignInViewModel
    {
        public string Username { get; set; }
        public string Password { get; set; }
    }

Controller

    using System.Web.Mvc;
    using System.Web.Security;

    public class SignInController : Controller
    {
        public ActionResult Index()
        {
            var model = new SignInViewModel { };
            return View(model);
        }

        [HttpPost]
        public ActionResult Index(SignInViewModel model)
        {
            // Quick test with hard-coded credentials
            if (model.Username == "Fred" && model.Password == "Mertz")
            {
                // Issue the forms authentication cookie (non-persistent)
                FormsAuthentication.SetAuthCookie(model.Username, false);
                return RedirectToAction("Secure");
            }
            return View(model);
        }

        [Authorize]
        public ActionResult Secure(SignInViewModel model)
        {
            return View();
        }

        [Authorize]
        public ActionResult Logout(SignInViewModel model)
        {
            FormsAuthentication.SignOut();
            return RedirectToAction("Index");
        }
    }

Index.cshtml

    @model SignInViewModel

    @using (Html.BeginForm())
    {
        <fieldset>
            <legend>SignInViewModel</legend>
            <div class="editor-label">
                @Html.LabelFor(model => model.Username)
            </div>
            <div class="editor-field">
                @Html.EditorFor(model => model.Username)
                @Html.ValidationMessageFor(model => model.Username)
            </div>
            <div class="editor-label">
                @Html.LabelFor(model => model.Password)
            </div>
            <div class="editor-field">
                @Html.EditorFor(model => model.Password)
                @Html.ValidationMessageFor(model => model.Password)
            </div>
            <p>
                <input type="submit" value="Login" />
            </p>
        </fieldset>
    }

Secure.cshtml

    <h2>Secure</h2>
    @Html.ActionLink("Logout", "Logout")

+7

I can simplify this, but the way I read it is as follows:

  • If the user is not authenticated, you have a form in which you collect the username / password
  • The results of this form are submitted to the web service for authorization.
  • If this authorization is successful, you need a way to tell the web application that they are logged in.
  • If they are authenticated, do something.

If this is correct, you do not need a membership provider. The [Authorize] attribute simply looks at the forms authentication cookie to determine whether it has been set and is valid for the current lifetime of the cookie. This authentication cookie stores the username and the expiration time of the cookie (and other things, but not important here).

Given that, you only need to set your web.config configuration element and a method for setting the authentication cookie.

Web.config

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="~/Account/LogOn" timeout="2880" />
      </authentication>
    </system.web>

GET Login URL

    public ActionResult Logon()
    {
        // If the user is logged in, send them to the home page
        if (HttpContext.User.Identity.IsAuthenticated)
        {
            return RedirectToAction("Index", "Home");
        }
        return this.View(new LoginViewModel());
    }

POST action to login

    [HttpPost]
    public ActionResult Logon(LoginViewModel model)
    {
        // Check for model errors
        if (!ModelState.IsValid)
        {
            return this.View(model);
        }

        // Validate against web service - return error if false
        if (!CheckClientsWebService(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The username or password is invalid");
            return this.View(model);
        }

        // Manually set the authentication cookie
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);

        // Send them on to the home page, they now have an authorization cookie
        return RedirectToAction("Index", "Home");
    }

After you call the .SetAuthCookie() function, the user will have an authentication ticket, and calls to HttpContext.User.Identity.IsAuthenticated will return true as long as the cookie has not expired; you can get the username from HttpContext.User.Identity.Name.

+6
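
The two answers above both rely on the forms authentication ticket; as an added example (not code from either answer), this variant of the POST action builds and encrypts the ticket explicitly so the cookie flags can be set by hand instead of relying on SetAuthCookie defaults. The controller name and the fail-closed `CheckClientsWebService` stub are assumptions; the stub stands in for the call to the client's web service.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    public ActionResult LogOn(LoginViewModel model)
    {
        if (!ModelState.IsValid || !CheckClientsWebService(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "The username or password is invalid");
            return View(model);
        }

        // The ticket carries the user name and lifetime; [Authorize] accepts
        // any request whose cookie decrypts to a ticket that has not expired.
        var ticket = new FormsAuthenticationTicket(
            1, model.UserName, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),   // timeout from web.config
            model.RememberMe, string.Empty, FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the machine key so the client cannot edit it.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // keep the ticket out of reach of page script
            Secure = FormsAuthentication.RequireSSL || Request.IsSecureConnection,
            Path = FormsAuthentication.FormsCookiePath
        };
        if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;   // "remember me"
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }

    // Assumed stand-in for the question's CheckClientsWebService: replace the body
    // with the call to the client's service. It fails closed until then.
    private bool CheckClientsWebService(string username, string password)
    {
        return false;
    }
}
```

Setting `requireSSL="true"` on the `<forms>` element makes `FormsAuthentication.RequireSSL` true, so the cookie is always marked Secure.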

As Wiktor commented, run your own MembershipProvider. Just implement the methods you need, and leave the rest throwing a NotImplementedException.

In your case, it looks like all you need to implement is public bool ValidateUser(string username, string password) - the implementation of which just needs to call through to your web service.

Then you can use all the standard built-in authentication and authorization tools.

0