Question

My question is about an approach, and I am looking for tips or links to help me develop a solution. I have a .NET 4.0 web forms application that works with Forms authentication using the aspnetdb SQL database of users and passwords. A new feature for the application is a new authentication mechanism using single sign-on to allow access for thousands of new users. Essentially, when the user logs in through the new single-sign-on method, I will be able to identify them as legitimate users with a role.

So I will have something like HttpContext.Current.Session["email_of_authenticated_user"] (their identity) and HttpContext.Current.Session["role_of_authenticated_user"] (their role).

Importantly, I don't necessarily want to maintain these users and roles redundantly in the aspnetdb database, which will be retired, but I do want to use the session objects above to allow the user to pass through the application as if they were passing through with forms authentication. I don't think CustomRoleProviders or CustomMemberProviders are helpful since they do not allow for creating session-level users.

So my question is how to use the session level user and role that I do have to "mimic" all the forms authentication goodness like enforcing:

[System.Security.Permissions.PrincipalPermission(System.Security.Permissions.SecurityAction.Demand, Role = "Student")]

or

<authorization>
    <allow users="wilma, barney" />
</authorization>

Thanks for any pointers.


Solution

I think you're confusing Forms Authentication with the SqlMembershipProvider.

Forms authentication is the means by which ASP.NET generically authorizes and authenticates users. It does not specify a specific implementation of how that is done. It only provides a way that, once authenticated, the application can use those credentials throughout the app via a "ticket" system that's saved as a cookie.

Essentially, there are only two kinds of authentication in Windows, Forms Authentication and Windows Authentication. Since your new method is not Windows-based, then you have to use Forms Authentication (unless you simply ignore the stuff that's built into ASP.NET and roll everything yourself, which is kind of stupid to do).

You might want to look into the Windows Identity Foundation as it provides a pluggable architecture for identity, including various web-based single sign-on methods.
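
The ticket mechanism described in the answer can carry the SSO identity and role without any membership database. The following is an added example, not part of the original answer: it issues a forms ticket after the SSO check and rebuilds a role-bearing principal on each request so that `<authorization>` rules and `PrincipalPermission` demands are enforced. The class and method names are hypothetical, and it assumes `<authentication mode="Forms">` is configured and that roles are stored comma-separated in the ticket's `UserData`.

```csharp
// Added example: SsoLogin and its method names are hypothetical.
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public static class SsoLogin
{
    // Call once, after the SSO provider has verified the user.
    public static void IssueTicket(HttpResponse response, string email, string role)
    {
        var ticket = new FormsAuthenticationTicket(
            1, email, DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            false,                       // session cookie, not persistent
            role,                        // UserData: role(s), comma-separated
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the <machineKey> encryption and validation
        // configured for forms authentication (protection="All" by default),
        // so the client cannot alter the role without invalidating the ticket.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows requireSSL in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax.cs.
    // FormsAuthenticationModule has already decrypted and validated the ticket.
    public static void RestorePrincipal(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        var principal = new GenericPrincipal(identity, roles);

        context.User = principal;            // evaluated by <authorization> rules
        Thread.CurrentPrincipal = principal; // evaluated by PrincipalPermission demands
    }
}
```

Because the role travels in the cookie, keep `protection="All"` and `requireSSL="true"` on the `<forms>` element, and keep the ticket timeout short enough that a role change at the SSO provider takes effect promptly.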

Licensed under: CC-BY-SA with attribution