More actions
Up Secure

Authenticate

Last modified on August 15, 2012 17:21

Authentication is the act of confirming that users are who they claim to be.  Authenticating a claim might be done using ASP.NET security, Active Directory, Windows Identity Foundation, or a custom implementation. 

DevForce has built-in hooks to support the authentication scheme of your choice, and includes out-of-the-box support for ASP.NET security.

Unless your application allows "guest" access, when your application starts you should obtain user credentials.  These might be in the form of a userid and password (when using ASP.NET security this is called Forms authentication), or it might mean obtaining an "ambient" credential, such as the current Windows userid or HttpContext.Current.User.  

In DevForce, an EntityManager must be "logged in" to the EntityServer in order to access data or services.  As a developer you have control over how and when this login occurs. You determine the credentials your application accepts, you call a Login  method to authenticate the user, and you write the server code to perform the authentication via the IEntityLoginManager.

When you determine a user is authenticated, you provide that information to DevForce in the form of an IPrincipal.  If you're not familiar with the IPrincipal interface, it, along with the IIdentity interface, is a flexible means of holding information on who a user is and their roles.  It does not hold user credentials or claims, but does indicate how the user was authenticated.  The DevForce implementation of these interfaces is the UserBase.

On the server DevForce will tuck this IPrincipal away, and return a security token to the client.  This token includes an encrypted credential, encrypted using the EntityServer's specific "session encryption key".  The security token is transmitted with every request to the server, where DevForce first validates the token before proceeding with the request.  In Azure and other load balanced environments, the encrypted credential in the token allows the user to be authenticated by any server having the same session encryption key.  (This key is configurable and we'll see more on this key later.)   Once logged in, the server keeps track of each user's last access, and will time the session out after a configurable period of inactivity.

Guest Users

A guest user is an anonymous user -- one who has not provided a credential and is therefore not authenticated.  We noted above that an EntityManager must be logged in to an EntityServer, and that every request to the server is accompanied by a token which is validated before proceeding.  How does this work with anonymous users?   If you do not call a Login method and supply a credential, DevForce will do it for you when necessary.  DevForce first determines whether you have disabled anonymous access via a configuration setting; if not, a UserBase is constructed for the guest user indicating the user is not authenticated and has no assigned roles.  

The DevForce default is to allow anonymous users, but it is a very good idea to disable this feature unless your application intentionally allows it.  When anonymous logins are disabled, an exception is thrown for the Login attempt, and no further access to the EntityServer is permitted from the EntityManager.

To disable guest access, set the AllowAnonymousLogin flag to false in the web.config or server .config file:

XML
<objectServer>
  <serverSettings allowAnonymousLogin="false" />
</objectServer>


Tags: Security
Created by DevForce on February 16, 2011 15:21

Navigation

Tag Cloud

  1. Data Binding
  2. Data Sources
  3. Design Views
  4. Validation
  5. Anonymous
  6. Architecture
  7. ASP.NET
  8. Asynchronous
  9. Attach
  10. Azure
  11. CacheQueryOptions
  12. Caching
  13. Closure
  14. Cocktail
  15. code first
  16. Code Generation
  17. Code Sample
  18. Concurrency
  19. Configure
  20. Cookbook
  21. Coroutine
  22. Create
  23. Debug
  24. Delete
  25. Deploy
  26. DevForce 2012
  27. DevForce-Caliburn framework
  28. Disconnect
  29. Discovery
  30. Display
  31. Dynamic query
  32. EDM
  33. EDMX
  34. Entity cache
  35. Entity Framework
  36. EntityAspect
  37. EntityCache
  38. EntityKey
  39. EntityKeyQuery
  40. EntityManager
  41. EntityProperty
  42. EntityQuery
  43. EntityQueryOperation
  44. EntitySaveOperation
  45. EntityServer
  46. EntityServerSaveInterceptor
  47. EntityState
  48. EntityVersion
  49. ESQL
  50. Exception
  51. Extensibility
  52. Extension
  53. Faking
  54. Fetching
  55. FetchStrategy
  56. IIS
  57. Include
  58. Interception
  59. iOS
  60. IVerifierProvider
  61. JavaScript
  62. LINQ
  63. Localization
  64. Log
  65. MEF
  66. MergeStrategy
  67. Metadata
  68. MetadataType
  69. Model
  70. Multi-threading
  71. MVVM
  72. Navigation
  73. Object Mapping
  74. ObjectDataSource
  75. OData
  76. Offline
  77. Paging
  78. Performance
  79. Persistence
  80. POCO
  81. Predicate
  82. PredicateBuilder
  83. PredicateDescription
  84. Prism
  85. Property Interceptors
  86. PropertySortSelector
  87. Push
  88. Query
  89. Query cache
  90. Query Inversion
  91. QueryStrategy
  92. Refetch
  93. Refresh
  94. Release Notes
  95. Sample Application
  96. Save
  97. SaveOptions
  98. SaveResult
  99. SaveStatus
  100. Saving
  101. Security
  102. Serialization
  103. Silverlight
  104. Stored Procedure
  105. Telerik
  106. Template
  107. Test
  108. ToQuery
  109. Tour
  110. Transactions
  111. Troubleshooting
  112. Validation
  113. Verifier
  114. VerifierEngine
  115. Video
  116. Visual Studio
  117. WCF
  118. WinForms
  119. WIP
  120. WPF

Spaces

 | 2009Documentation | Documentation

This wiki is licensed under a Creative Commons 2.0 license. XWiki Enterprise 3.2 - Documentation. Copyright © 2015 IdeaBlade