30.3. User Authentication

In some organizations it would be possible to use Windows authentication for all user validation. Unfortunately, in many cases this is not possible, and application developers have to come up with their own solutions for determining which users should be able to access a system. This process is loosely referred to as forms-based authentication, as it typically requires the provision of a username and password combination via a login form of some description. Both ASP.NET Application Services and the client application services support forms-based authentication as an alternative to Windows authentication.

To begin with, you will need to enable the membership management service for access by the client application services. Adding the <authenticationService> element to the <system.web.extensions> element in the web.config file will do this. Note that we have disabled the SSL requirement (requireSSL="false"), so the credentials sent to this service travel over plain HTTP; this is clearly against all security best practices and not recommended for production systems.

<system.web.extensions>
        <scripting>
               <webServices>
                       <!-- requireSSL="false" only for this walkthrough; use "true" in production -->
                       <authenticationService enabled="true" requireSSL="false"/>
                       <roleService enabled="true"/>
               </webServices>
        </scripting>
</system.web.extensions>

The next step is to create a custom membership provider that will determine whether a specific username and password combination is valid for the application. To do this, add a new class, CustomAuthentication, to the ApplicationServices application and set it to inherit from the MembershipProvider class. As with the role provider we created earlier, we are just going to provide a minimal implementation that validates credentials by ensuring the password is the reverse of the supplied username, and that the username is in a predefined list.

Imports System.Linq
Imports System.Web.Security

Public Class CustomAuthentication
    Inherits MembershipProvider

    ' The predefined list of users that are allowed to log in.
    Private mValidUsers As String() = {"Nick"}

    ' A user is valid when the username (case-insensitive) is in the list
    ' and the supplied password is the reverse of that username.
    Public Overrides Function ValidateUser(ByVal username As String, _
                                            ByVal password As String) As Boolean
        Dim reversed As String = New String(password.Reverse.ToArray)
        Return (From user In mValidUsers _
                Where String.Compare(user, username, True) = 0 And _
                        user = reversed).Count > 0
    End Function

    ...
End Class

As with the role provider you created, you will also need to inform the membership management system that it should use the membership provider you have created. You do this by adding the following snippet to the <system.web> element in the web.config file:

<membership defaultProvider="CustomAuthentication">
    <providers>
        <add name="CustomAuthentication"
             type="ApplicationServices.CustomAuthentication"/>
    </providers>
</membership>

You need to make one additional change to the web.config file by specifying that Forms authentication should be used for incoming requests. You do this by changing the <authentication> element in the web.config file to the following:

<authentication mode="Forms"/>

Back on the client application, only minimal changes are required to take advantage of the changes to the authentication system. On the Services tab of the project properties designer, select "Use Forms authentication." This will enable both the "Authentication service location" textbox and the "Optional: Credentials provider" textbox. For the time being, just specify the authentication service location as http://localhost:12345/ApplicationServices.

Previously, using Windows authentication, you performed the call to ValidateUser to initiate the client application services by supplying Nothing as each of the two arguments. You did this because the user credentials could be automatically determined from the current user context in which the application was running. Unfortunately, this is not possible for Forms authentication, so we need to supply a username and password.

Imports System.Web.Security

Private Sub Form1_Load(ByVal sender As System.Object, _
                        ByVal e As System.EventArgs) Handles MyBase.Load
    ' "kciN" is "Nick" reversed, which is what the custom provider expects.
    If Membership.ValidateUser("Nick", "kciN") Then
        MessageBox.Show("User is valid")
    End If
End Sub

If you specify a breakpoint in the ValidateUser method in the ApplicationServices project, you will see that when you run this solution the server is contacted in order to validate the user. You will see later that this information can then be cached locally to facilitate offline user validation.
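The reversed-username check in CustomAuthentication above is only a placeholder for the book's walkthrough. As an added example that is not from the book, the following VB.NET class shows the validation logic you would put behind ValidateUser in a real provider: passwords are stored as salted PBKDF2 hashes and compared in constant time. The in-memory user store, the iteration count and the class names are assumptions for the example; a real provider would read the salt and hash from its database.

```vb
' Added example (not from the book): credential validation backed by salted
' PBKDF2 hashes instead of the reversed-username rule. The in-memory store,
' iteration count and class names are assumptions made for this example.
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography

Public Class HashedCredentialStore
    ' Salt and derived hash for one user; in practice these come from a database.
    Private Class Entry
        Public Salt As Byte()
        Public Hash As Byte()
    End Class

    Private Const Iterations As Integer = 100000
    Private Const HashBytes As Integer = 32
    Private ReadOnly mUsers As New Dictionary(Of String, Entry)(StringComparer.OrdinalIgnoreCase)

    ' Derive a fixed-length PBKDF2 hash from the password and salt.
    Private Shared Function Derive(ByVal password As String, ByVal salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' Register a user: generate a random 16-byte salt and store only the hash.
    Public Sub AddUser(ByVal username As String, ByVal password As String)
        Dim salt(15) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(salt)
        End Using
        mUsers(username) = New Entry With {.Salt = salt, .Hash = Derive(password, salt)}
    End Sub

    ' Same contract as MembershipProvider.ValidateUser: unknown users and wrong
    ' passwords both return False. The byte comparison is constant-time so the
    ' response time does not reveal how many bytes of the hash matched.
    Public Function ValidateUser(ByVal username As String, ByVal password As String) As Boolean
        If username Is Nothing OrElse password Is Nothing Then Return False
        Dim entry As Entry = Nothing
        If Not mUsers.TryGetValue(username, entry) Then Return False
        Dim candidate As Byte() = Derive(password, entry.Salt)
        Dim diff As Integer = 0
        For i As Integer = 0 To HashBytes - 1
            diff = diff Or (candidate(i) Xor entry.Hash(i))
        Next
        Return diff = 0
    End Function
End Class
```

Inside a MembershipProvider subclass, ValidateUser would simply delegate to an instance of this store (or the equivalent database lookup) so that no plaintext or reversible password ever sits in the provider.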
