.NET Development
 
Forums: » Register « |  User CP |  Games |  Calendar |  Members |  FAQs |  Sitemap |  Support | 
 
User Name:
Password:
Remember me
 



Go Back   Dev Articles Community ForumsProgramming.NET Development

Reply
Add This Thread To:
  Del.icio.us   Digg   Google   Spurl   Blink   Furl   Simpy   Y! MyWeb 
Thread Tools Search this Thread Display Modes
 
Unread Dev Articles Community Forums Sponsor:
#1
October 16th, 2002, 08:22 PM
jerzeh
ASP.NET user authentication/authorization problem

Hello all.

If someone could help me with this problem, I would greatly appreciate it. I am trying to write a login page that will authenticate a user but also set up their roles in the same place. I have a class wrapping a SQL Server stored procedure that takes credentials and returns a string designating either the user's role or 'none' if the credentials are incorrect. I have seen examples where the roles for a user are assigned in the Application_AuthenticateRequest of the global.asax, but none that do both the authenticating and role assignment in the same place. Below is the code I am writing to solve this. I have a feeling that I am not properly synchronizing everything but have not found much along the lines of helpful documentation for what I am doing wrong.

The problem is that the user is being authenticated properly but I keep getting redirected to the login page even after I am supposedly assigned to the proper role for accessing the target page (I'm going to go out on a limb here and say that the assigned roles didn't stick). Below I have included the <script> segment of my login page, and the web.config files of my project root and the protected directory in question. Any help/resources would be greatly appreciated. I have tried doing the code in different sequences other than the one shown but I haven't found the problem yet. Thanks in advance!

login code:
Code:
<script runat="server">
public void LoginBtn_Clicked(object sender,
  System.EventArgs e) {
    string[] saPerms = new String[1];
    string sUserType;
    string sRedirectURL;
    
    sUserType = Convert.ToString
      (UserType.getUserTypeAuthenticate
      (txtUserName.Text,txtPassword.Text));
        
    if(sUserType == "none") {
        lblStatus.Text = "Invalid Authentication Credentials.";
    }
    else {
        //authorize the user
        saPerms[0] = sUserType;
        GenericIdentity oIdentity = new GenericIdentity
          (txtUserName.Text);
        GenericPrincipal oPrincipal = new GenericPrincipal
          (oIdentity,saPerms);
        Thread.CurrentPrincipal = oPrincipal;
    
        //authenticate the user
        HttpCookie cookie = FormsAuthentication.GetAuthCookie
          (txtUserName.Text,false);
        sRedirectURL = FormsAuthentication.GetRedirectUrl
          (txtUserName.Text,false);
        Response.Cookies.Add(cookie);
    
        Response.Redirect(sRedirectURL);
    }
}
</script>


root web.config:
Code:
<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login\Login.aspx" />
        </authentication>
    </system.web>
</configuration>


administrator dir. web.config
Code:
<configuration>
    <system.web>
        <authorization>
            <allow roles="administrator" />
            <deny users="*" />
        </authorization> 
    </system.web>
</configuration>

Last edited by jerzeh : October 16th, 2002 at 08:31 PM.

#2
October 16th, 2002, 10:31 PM
James Yang
Ok, I didn't read the whole code line by line cuz I'm really busy atm.. But everything seems right.

I suggest you put on the tracing and see what really happens when you login. See if you really assigned the role to the user. See if the cookie is actually made and set, etc.

James

P.S. hmm I haven't seen Thread.CurrentPrincipal = oPrincipal; on an ASP.NET page b4. Try changing that to

Context.User = oPrincipal;
__________________
Regards,

James Yang
.NET Developer / Network Engineer
MCSE, MCDBA, MCSA, CCNA

http://www.yellowpin.com/
http://www.opentechsupport.com/

#3
October 17th, 2002, 01:23 AM
jerzeh
James - Thanks for the post. I did some tracing and here is what I came up with.

I added
  • Tracing in a Page_Load method and after the authorization and authentication blocks in my initial code.
  • The suggestion of Context.User = oPrincipal;
  • Commented out the redirect at the end so as to get the trace output.
The tracing simply kept track of the current user name and whether the current user was a member of the desired role.

Initial Output, before authentication
Code:
Page Load - Is Admin = False
Page Load - User     = ""

....which is to be expected

After form submit
Code:
Page Load - Is Admin     = False
Page Load - User         = ""

Authorized - Is Admin    = True
Authorized - User        = "testuser"

Authenticated - Is Admin = True
Authenticated - User     = "testuser"

...also looks like I would expect, but now for the problem

If I attempt to now manually go to the page I initially requested (admin/admin.aspx), I am still redirected to the login page and the trace returns this:
Code:
Page Load - Is Admin = False
Page Load - User     = "testuser"

This seems strange to me because the user name is being remembered but the fact that I belong to a role is being forgotten.
And even if I don't attempt to go to the page, but instead fill out the login form and re-submit it, the values of the trace within the Page_Load method are never anything different. I also noted that a cookie *is* being saved in the session.

If anyone has any ideas regarding other approaches or can take a look at my code, it would be much appreciated. Thanks in advance.

-Jeremy

Last edited by jerzeh : October 17th, 2002 at 01:25 AM.

#4
October 17th, 2002, 02:59 AM
James Yang
Jeremy,

I would really love to help you but atm (I have a set of exams to prepare for over the next two weeks, starting on Monday, and I need to study for em) I just have way too many things to do. So I'll give you URLs to sites which you might find useful.


Try these two sites:

http://samples.gotdotnet.com/quicks...th/userauth.src

http://samples.gotdotnet.com/quickstart/aspplus/

Have you considered just using
FormsAuthentication.RedirectFromLoginPage(UserEmail.Value, PersistCookie.Checked);
instead of setting the cookie manually? It's less complicated.

James

#5
October 17th, 2002, 07:59 AM
jerzeh
James - Thanks for your help. I will check out those links later on today.

FYI - the reason that I am setting the cookie manually and then redirecting is because when I am done, the same login page will be able to be passed parameters from another source. And if there is no page specified as a redirect page, the user will be directed to the default page for their permission level.

Thanks for your help.

-Jeremy

#6
October 17th, 2002, 08:08 AM
James Yang
I've actually made an authentication module for my CMS last month involving the use of principal and identity classes. If you want I could send you some of the source code for it.. If you think it would help!

#7
October 17th, 2002, 08:44 AM
jerzeh
That would be great.

Anything to see some working examples. If you are able to send me some code, plus being able to look at the samples you recommended, I'm sure I can figure this out. Thanks again for your help.

jeremy@jeremyzeh.com

Last edited by jerzeh : October 17th, 2002 at 08:47 AM.

#8
October 17th, 2002, 08:59 AM
James Yang
It's sent.

But the code is a bit messy, I don't think there are too many comments either.. but the files are named like

login.cs, logout.cs etc. so it should be easy to find the relevant bit.

If you are interested in a working version of the thing I sent you, contact me on my msn or icq.. I should be able to show you one on my localhost. I won't have time to explain to you the architecture and stuff tho... due to this EXAM!!

#9
February 2nd, 2004, 03:41 AM
brisco44

Hello,

I think you have forgotten one important aspect of web authentication:
once you are logged in, before loading a page, the server tests the authentication and initializes some objects like IPrincipal of CurrentHttpContext.

So in the file Global.asax, in the method Application_AuthenticateRequest, you have to verify your custom authentication and initialize your personal objects:
generate and save in Cache the Principal object, then cast (to IPrincipal) your Principal and assign it to HttpContext.Current.User

It would be OK now,
good luck

#10
February 18th, 2004, 12:35 AM
Umesh
hi
There is a good article in MSDN about custom auth using GenericPrincipal. If you are using GenericPrincipal you have to pass the principal object back to the client inside the cookie, get the information back from the cookie in the Application_AuthenticateRequest event when the request comes for a page, and assign the identity back to the Context object.
Hope this will help you
Enjoy Madi,
umesh.b
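
The approach described in the last two replies, as an added example that is not part of the thread: a principal assigned in the login handler exists only for that one request, so the role is stored in the forms authentication ticket's UserData and the principal is rebuilt in Application_AuthenticateRequest. The class name RoleTicket, the 30-minute expiry and the comma-separated role format are assumptions.

```csharp
// Added example (not from the thread): carry the role inside the forms
// authentication ticket and rebuild the principal on every request.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleTicket   // hypothetical helper name
{
    // Call from LoginBtn_Clicked after the stored procedure has returned a role.
    public static void IssueCookie(HttpResponse response, string userName, string role)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issued
            DateTime.Now.AddMinutes(30),    // expiry (assumed value)
            false,                          // not persistent
            role);                          // UserData: the role string
        // Encrypt() applies the <forms protection="..."> setting; with the default
        // ("All") the ticket is encrypted and MAC-validated, so the client cannot
        // edit the role it carries.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax:
    //     RoleTicket.RestorePrincipal(Context);
    public static void RestorePrincipal(HttpContext context)
    {
        // By this event FormsAuthenticationModule has already validated the cookie
        // and set context.User to a principal with a FormsIdentity and no roles.
        if (context.User == null) return;
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // Roles come only from the validated ticket, never from request input.
        string[] roles = identity.Ticket.UserData.Split(',');
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the role is fixed when the ticket is issued, a role change or revocation in the database takes effect only when the ticket expires or the user logs in again, so keep the ticket lifetime short.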
