Applications that use Forms authentication will often want to use the GenericPrincipal class (in conjunction with the FormsIdentity class), to create a non-Windows specific authorization scheme, independent of a Windows domain.
For example, an application may:
Use Forms authentication to obtain user credentials (user name and password).
Validate the supplied credentials against a data store; for example, a database or Microsoft® Active Directory® directory service.
Create GenericPrincipal and FormsIdentity objects based on values retrieved from the data store. These may include a user’s role membership details.
Use these objects to make authorization decisions.
This How To describes how to create a Forms-based Web application that authenticates users and creates a custom Forms authentication ticket that contains user and role information. It also shows you how to map this information into GenericPrincipal and FormsIdentity objects and associate the new objects with the HTTP Web request context, allowing them to be used for authorization logic within your application.
This How To focuses on the construction of the GenericPrincipal and FormsIdentity objects together with the processing of the forms authentication ticket. For details about how to authenticate users against Active Directory and SQL Server 2000, see the following related How Tos in the Reference section of this book:
The following items describe the recommended hardware, software, network infrastructure, skills and knowledge, and service packs you will need.
Microsoft SQL Server™ 2000
Microsoft Visual Studio® .NET development system
The procedures in this article also require that you have knowledge of ASP.NET Web development with the Microsoft Visual C#™ development tool.
This How To includes the following procedures:
This procedure creates a new ASP.NET Web application. The application will contain two pages; a default page that only authenticated users are allowed to access, and a logon page used to collect user credentials.
▸ To create a Web application with a logon page
Start Visual Studio .NET and create a new C# ASP.NET Web Application called GenericPrincipalApp.
Rename WebForm1.aspx to Logon.aspx.
Add the following controls to Logon.aspx to create a logon form.
Set the TextMode property of the password Text Box control to Password.
In Solution Explorer, right-click GenericPrincipalApp, point to Add, and then click Add Web Form.
Enter default.aspx as the new form’s name, and then click Open.
▸ To edit the application’s Web.config file to configure the application for Forms authentication
Use Solution Explorer to open Web.config.
Locate the <authentication> element and change the mode attribute to Forms.
Add the following <forms> element as a child of the <authentication> element and set the loginUrl, name, timeout, and path attributes as follows:
<authentication mode="Forms"> <forms loginUrl="logon.aspx" name="AuthCookie" timeout="60" path="/"> </forms> </authentication>
Add the following <authorization> element beneath the <authentication> element. This allows only authenticated users to access the application. The previously established loginUrl attribute of the <authentication> element redirects unauthenticated requests to the Logon.aspx page.
<authorization> <deny users="?" /> <allow users="*" /> </authorization>
This procedure writes code to generate an authentication ticket for authenticated users. The authentication ticket is a type of cookie used by the ASP.NET FormsAuthenticationModule.
The authentication code typically involves looking up the supplied user name and password against either a custom database or against Active Directory.
For information about performing these lookups, see the following How To articles in the Reference section of this book:
▸ To generate an authentication ticket for authenticated users
Open the Logon.aspx.cs file and the following using statement to the top of the file beneath the existing using statements:
using System.Web.Security;
Add the following private helper method to the WebForm1 class called IsAuthenticated, which is used to validate user names and passwords to authenticate users. This code assumes that all user name and password combinations are valid.
private bool IsAuthenticated( string username, string password ) { // Lookup code omitted for clarity // This code would typically validate the user name and password // combination against a SQL database or Active Directory // Simulate an authenticated user return true; }Add the following private helper method called GetRoles, which is used to obtain the set of roles that the user belongs to.
private string GetRoles( string username, string password ) { // Lookup code omitted for clarity // This code would typically look up the role list from a database table. // If the user was being authenticated against Active Directory, the // Security groups and/or distribution lists that the user belongs to may be // used instead // This GetRoles method returns a pipe delimited string containing roles // rather than returning an array, because the string format is convenient // for storing in the authentication ticket / cookie, as user data return "Senior Manager|Manager|Employee"; }Display the Logon.aspx form in Designer mode and double-click the Logon button to create a click event handler.
Add a call to the IsAuthenticated method, supplying the user name and password captured through the logon form. Assign the return value to a variable of type bool, which indicates whether or not the user is authenticated.
bool isAuthenticated = IsAuthenticated( txtUserName.Text, txtPassword.Text );If the user is authenticated, add a call to the GetRoles method to obtain the user’s role list.
if (isAuthenticated == true ) { string roles = GetRoles( txtUserName.Text, txtPassword.Text );Create a new forms authentication ticket that contains the user name, an expiration time, and the list of roles that the user belongs to. Note that the user data property of the authentication ticket is used to store the user’s role list. Also note that the following code creates a non-persistent ticket, although whether or not the ticket / cookie is persistent is dependent upon your application scenario.
// Create the authentication ticket FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, // version txtUserName.Text, // user name DateTime.Now, // creation DateTime.Now.AddMinutes(60),// Expiration false, // Persistent roles ); // User dataAdd code to create an encrypted string representation of the ticket and store it as data within an HttpCookie object.
// Now encrypt the ticket. string encryptedTicket = FormsAuthentication.Encrypt(authTicket); // Create a cookie and add the encrypted ticket to the // cookie as data. HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);Add the cookie to the cookies collection returned to the user’s browser.
// Add the cookie to the outgoing cookies collection. Response.Cookies.Add(authCookie);
Redirect the user to the originally requested page
// Redirect the user to the originally requested page Response.Redirect( FormsAuthentication.GetRedirectUrl( txtUserName.Text, false )); }
This procedure implements an application authentication event handler and constructs GenericPrincipal and FormsIdentity objects based on information contained within the authentication ticket.
▸ To construct GenericPrincipal and FormsIdentity objects
From Solution Explorer, open global.asax.
Switch to code view and add the following using statements to the top of the file:
using System.Web.Security; using System.Security.Principal;
Locate the Application_AuthenticateRequest event handler and add the following code to obtain the forms authentication cookie from the cookie collection passed with the request.
// Extract the forms authentication cookie string cookieName = FormsAuthentication.FormsCookieName; HttpCookie authCookie = Context.Request.Cookies[cookieName]; if(null == authCookie) { // There is no authentication cookie. return; }Add the following code to extract and decrypt the authentication ticket from the forms authentication cookie.
FormsAuthenticationTicket authTicket = null; try { authTicket = FormsAuthentication.Decrypt(authCookie.Value); } catch(Exception ex) { // Log exception details (omitted for simplicity) return; } if (null == authTicket) { // Cookie failed to decrypt. return; }Add the following code to parse out the pipe separate list of role names attached to the ticket when the user was originally authenticated.
// When the ticket was created, the UserData property was assigned a // pipe delimited string of role names. string[] roles = authTicket.UserData.Split(new char[]{'|'});Add the following code to create a FormsIdentity object with the user name obtained from the ticket name and a GenericPrincipal object that contains this identity together with the user’s role list.
// Create an Identity object FormsIdentity id = new FormsIdentity( authTicket ); // This principal will flow throughout the request. GenericPrincipal principal = new GenericPrincipal(id, roles); // Attach the new principal object to the current HttpContext object Context.User = principal;
This procedure adds code to the default.aspx page to display information from the GenericPrincipal object attached to the current HttpContext object, to confirm that the object has been correctly constructed and assigned to the current Web request. You will then build and test the application.
▸ To test the application
In Solution Explorer, double-click default.aspx.
Double-click the default.aspx Web form to display the page load event handler.
Scroll to the top of the file and add the following using statement beneath the existing using statements.
using System.Security.Principal;
Return to the page load event handler and add the following code to display the identity name attached to the GenericPrincipal associated with the current Web request.
IPrincipal p = HttpContext.Current.User; Response.Write( "Authenticated Identity is: " + p.Identity.Name ); Response.Write( "<p>" );Add the following code to test role membership for the current authenticated identity.
if ( p.IsInRole("Senior Manager") ) Response.Write( "User is in Senior Manager role<p>" ); else Response.Write( "User is not in Senior Manager role<p>" ); if ( p.IsInRole("Manager") ) Response.Write( "User is in Manager role<p>" ); else Response.Write( "User is not in Manager role<p>" ); if ( p.IsInRole("Employee") ) Response.Write( "User is in Employee role<p>" ); else Response.Write( "User is not in Employee role<p>" ); if ( p.IsInRole("Sales") ) Response.Write( "User is in Sales role<p>" ); else Response.Write( "User is not in Sales role<p>" );In Solution Explorer, right-click default.aspx, and then click Set As Start Page.
On the Build menu, click Build Solution. Eliminate any build errors.
Press Ctrl+F5 to run the application. Because default.aspx is configured as the start up page, this is the initially requested page.
When you are redirected to the logon page (because you do not initially have an authentication ticket), enter a user name and password (any will do), and then click Logon.
Confirm that you are redirected to default.aspx and that the user identity and the correct role details are displayed. The user should be a member of the Senior Manager, Manager, and Employee role, but not a member of the Sales role.