Implementing Custom User Authentication

Customization strategies and examples

Most customizations related to the sign-in process should be implemented in Section 1 of the SignIn.aspx code-behind file.  Here are several example customizations.

One example is where authentication is provided entirely by your own logic rather than by the authentication logic created by Iron Speed Designer, so the Sign In page is never displayed.

Step 1:  Modify the LoadData method in Section 1 of the SignIn.aspx code-behind file so that, instead of calling CookieInit(), it establishes the user from your own logic, e.g.:

DirectCast(Me.Page, BaseApplicationPage).CurrentSecurity.SetUser(userName, userID, userRoles)

Step 2:  Redirect the user back to the page they came from:

RedirectOnSuccess()
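The two steps above, put together as an added example (this is not the code Designer generates; it assumes that the LoadData signature matches what Designer generated in your project and that MyCustomAuthenticator is a hypothetical class of your own which returns True only after it has verified the caller's credential):

```vb
Imports System.Web

' Added example, not Iron Speed Designer's generated code: Section 1 of
' Security\SignIn.aspx.vb, LoadData rewritten so the Sign In page is never
' shown when your own mechanism has already identified the user.
' Assumptions: MyCustomAuthenticator.TryAuthenticate is hypothetical and must
' validate the presented token, ticket or certificate itself before it fills
' in the identity; keep whatever LoadData modifiers Designer generated.
Public Overrides Sub LoadData()
    Dim userName As String = Nothing
    Dim userID As String = Nothing
    Dim userRoles As String = Nothing

    ' Never call SetUser on the strength of a user name the browser merely
    ' claims; only a verified credential establishes the identity.
    If MyCustomAuthenticator.TryAuthenticate(HttpContext.Current.Request, userName, userID, userRoles) Then
        ' Step 1: establish the session identity without the generated
        ' Login logic, using the same SetUser the generated code relies on.
        DirectCast(Me.Page, BaseApplicationPage).CurrentSecurity.SetUser(userName, userID, userRoles)

        ' Step 2: send the user back to the page that redirected here.
        RedirectOnSuccess()
        Return
    End If

    ' No credential, or a credential that failed verification: fall back to
    ' the generated behaviour so the normal Sign In page is displayed rather
    ' than silently treating the visitor as logged in.
    CookieInit()
End Sub
```

The fallback to CookieInit() is the part worth keeping even if you replace everything else: a custom authenticator that fails must leave the user unauthenticated, not half-initialised.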

Another example is performing an action upon logging in or logging out, for example to retrieve a record for the logged in user and check some value or update another table.

Private Sub LogInHandle(ByVal args As LogInEventArgs) Handles Me.LogEvent
    Select Case args.EventType
        Case Utils.Events.LoggedIn
            ' Retrieve the record of the user who has just signed in.
            Dim rec As IUserIdentityRecord = SecurityControls.GetUserRecord()
            ' The table definition exposes the record's columns, e.g. to read
            ' a status flag here or to update another table for this user.
            Dim columns() As BaseColumn = rec.TableAccess.TableDefinition.Columns
    End Select
End Sub

A final example is implementing single sign-on.  No customization is required: use Windows Security for authentication and Database role management for authorization.

Using your own custom authentication mechanism

This example shows how to customize your application to use a different authentication mechanism.

Step 1:  Modify the BaseClasses.Utils.ActiveDirectorySecurity, BaseClasses.Utils.WindowsSecurity or BaseClasses.Utils.RoleBasedSecurity class, located in:

...\<Designer>\BaseClasses\Utils\ActiveDirectorySecurity.vb

and

...\<Designer>\BaseClasses\Utils\RoleBasedSecurity.vb

In particular, you may need to modify the implementation of the following methods:

Function ValidateCurrentUser(ByVal appRoles As String) As SecurityControls.ValidationResults

Function SetLoginInfo(ByVal userName As String, ByVal userPassword As String, ByRef errorMessage As String) As Boolean

Function Logout(ByVal page As BaseClasses.Web.UI.BasePage) As Boolean

Function GetUserStatus() As String

Function SetUser(ByVal userName As String, Optional ByVal userID As String = "", Optional ByVal userRoles As String = "") As Boolean

Step 2:  Recompile BaseClasses.DLL using the modified BaseClasses source code.

Step 3:  Copy the new BaseClasses.DLL (and BaseClasses.PDB if present) into your application’s Bin directory.  Your application now has customized authentication.
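As an added example of Step 1 (this is not the shipped BaseClasses implementation), here is a replacement body for RoleBasedSecurity.SetLoginInfo that verifies the password against a PBKDF2 hash held in your own user store.  CustomUserStore.Find and CustomUserRecord are hypothetical: Find is assumed to return Nothing for an unknown user, and the record is assumed to carry the per-user salt, iteration count, stored hash, user ID, roles string and an active flag.

```vb
Imports System
Imports System.Security.Cryptography

' Added example, not the BaseClasses code that ships with Designer: a
' SetLoginInfo body that checks a PBKDF2 password hash from a custom store.
' Assumptions: CustomUserStore.Find and CustomUserRecord are hypothetical
' helpers of yours; SetUser is the method listed above in the same class.
Public Function SetLoginInfo(ByVal userName As String, ByVal userPassword As String, ByRef errorMessage As String) As Boolean
    ' One generic message for every failure so the response does not reveal
    ' which user names exist.
    Const GenericError As String = "Invalid user name or password."
    errorMessage = ""

    If String.IsNullOrEmpty(userName) OrElse String.IsNullOrEmpty(userPassword) Then
        errorMessage = GenericError
        Return False
    End If

    Dim rec As CustomUserRecord = CustomUserStore.Find(userName)
    If rec Is Nothing OrElse Not rec.IsActive Then
        errorMessage = GenericError
        Return False
    End If

    ' Derive a hash from the submitted password with the stored salt and
    ' iteration count, then compare it to the stored hash in constant time.
    Dim derived As Byte()
    Using kdf As New Rfc2898DeriveBytes(userPassword, rec.Salt, rec.Iterations)
        derived = kdf.GetBytes(rec.PasswordHash.Length)
    End Using

    If Not FixedTimeEquals(derived, rec.PasswordHash) Then
        errorMessage = GenericError
        Return False
    End If

    ' Credentials verified: record the identity and roles for this session
    ' through the same SetUser the rest of BaseClasses relies on.
    Return Me.SetUser(userName, rec.UserID, rec.Roles)
End Function

' Constant-time comparison so response timing does not leak how many leading
' bytes of the hash matched.
Private Function FixedTimeEquals(ByVal a As Byte(), ByVal b As Byte()) As Boolean
    If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
    Dim diff As Integer = 0
    For i As Integer = 0 To a.Length - 1
        diff = diff Or (a(i) Xor b(i))
    Next
    Return diff = 0
End Function
```

Whatever store you validate against, keep the three properties shown here: the same error text for "no such user" and "wrong password", a salted iterated hash rather than the password itself, and a comparison that does not short-circuit on the first mismatching byte.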

Encrypting and decrypting authentication passwords

You can customize the authentication mechanism created by Iron Speed Designer to encrypt and decrypt user-entered passwords.

The application security logic is spread over several classes, but from a customization perspective the SignIn class is the most relevant, located in:

Security\SignIn.aspx.cs (.vb)

The Login method in this class stores the user name and password, in encrypted form, in a cookie on the application user's machine if the 'remember' checkbox is checked on the application's Sign In page.  Because that cookie carries a reusable password, the strength of the encryption and the cookie's Secure and HttpOnly settings are what stand between an attacker who obtains the cookie and the account.

When the application user tries to open a secured page, he is redirected to the Sign In page, where the SignIn_PreRender method (in Security\SignIn.aspx.cs (.vb)) is executed.  This method retrieves the user name, the password and the 'automatically sign in' status from the cookie on the application user's machine and decrypts them.

This method is followed by the Page.Load handler, which calls LoadData, which in turn calls the CookieInit method.  CookieInit performs the logic related to cookie initialization and, if the cookie says to sign in automatically, tries to sign in by calling the Login method (in Security\SignIn.aspx.cs (.vb)) with the user name and password retrieved from the cookie; otherwise it just inserts the user name and password into the text boxes on the Sign In page.  For Active Directory security, if nothing is stored but 'Automatically sign in' is checked, it uses the logged-in user's identity from HttpContext.

When the application user clicks OK on the Sign In page and the login succeeds, the MySetCookie method is called, which encrypts the values from the Sign In page's text boxes and stores them in cookies on the application user's machine.

Slightly different logic is implemented for Windows Security:  when the Authorize method is called from the first page navigated to (Authorize is implemented in the BasePage class, located in BaseClasses\Web\UI\BasePage.vb), it always calls the Me.CurrentSecurity.ValidateCurrentUser() method, which is implemented for all security types.  For Windows Security, this method immediately retrieves the logged-in user's information from the HttpContext and uses it as the logged-in user ID to retrieve roles from the database, if database security is configured.
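The cookie round trip described above (MySetCookie on a successful login, SignIn_PreRender on the next visit, and clearing on logout), as an added example that is not the generated code.  It uses ASP.NET's MachineKey.Protect/Unprotect (.NET 4.5 or later), which encrypts and authenticates the value under the site's machineKey, so a cookie that was modified or issued under a different key fails to decrypt instead of yielding garbage credentials.  The cookie name and the purpose string are choices made here, not values taken from Designer.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text
Imports System.Web
Imports System.Web.Security

' Added example, not Designer's MySetCookie / SignIn_PreRender code:
' authenticated encryption of the 'remember me' cookie via MachineKey.
' Assumptions: cookie name, purpose string and 14-day lifetime are chosen
' here; Base64-encoding each field keeps the "|" separator unambiguous even
' when a password contains that character.
Public Class RememberMeCookie
    Private Const CookieName As String = "ISD_RememberMe"
    Private Const Purpose As String = "SignIn.RememberMe.v1"

    Private Shared Function Enc(ByVal s As String) As String
        Return Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
    End Function

    Private Shared Function Dec(ByVal s As String) As String
        Return Encoding.UTF8.GetString(Convert.FromBase64String(s))
    End Function

    ' Where MySetCookie runs: after a successful login.
    Public Shared Sub Write(ByVal response As HttpResponse, ByVal userName As String, ByVal password As String, ByVal autoSignIn As Boolean)
        Dim plain As String = String.Join("|", New String() {Enc(userName), Enc(password), If(autoSignIn, "1", "0")})
        ' Protect = encrypt + MAC under the machineKey, bound to this purpose.
        Dim protectedBytes As Byte() = MachineKey.Protect(Encoding.UTF8.GetBytes(plain), Purpose)

        Dim cookie As New HttpCookie(CookieName, Convert.ToBase64String(protectedBytes))
        cookie.HttpOnly = True       ' not readable from page script
        cookie.Secure = True         ' never sent over plain HTTP
        cookie.Expires = DateTime.UtcNow.AddDays(14)
        response.Cookies.Add(cookie)
    End Sub

    ' Where SignIn_PreRender runs. Returns False when there is no cookie or
    ' it fails authentication; the caller must then show the normal Sign In
    ' page rather than treat the visitor as signed in.
    Public Shared Function TryRead(ByVal request As HttpRequest, ByRef userName As String, ByRef password As String, ByRef autoSignIn As Boolean) As Boolean
        userName = Nothing : password = Nothing : autoSignIn = False
        Dim cookie As HttpCookie = request.Cookies(CookieName)
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then Return False

        Try
            Dim raw As Byte() = Convert.FromBase64String(cookie.Value)
            Dim plain As String = Encoding.UTF8.GetString(MachineKey.Unprotect(raw, Purpose))
            Dim parts() As String = plain.Split("|"c)
            If parts.Length <> 3 Then Return False
            userName = Dec(parts(0))
            password = Dec(parts(1))
            autoSignIn = (parts(2) = "1")
            Return True
        Catch ex As FormatException          ' not valid Base64
            Return False
        Catch ex As CryptographicException   ' wrong key or modified ciphertext
            Return False
        End Try
    End Function

    ' On the Logout path: expire the cookie so the stored credentials cannot
    ' be replayed from the browser afterwards.
    Public Shared Sub Clear(ByVal response As HttpResponse)
        Dim cookie As New HttpCookie(CookieName, "")
        cookie.Expires = DateTime.UtcNow.AddDays(-1)
        cookie.HttpOnly = True
        cookie.Secure = True
        response.Cookies.Add(cookie)
    End Sub
End Class
```

TryRead deliberately treats a tampered or foreign-key cookie the same as a missing one: the Sign In page is shown and nothing is pre-filled.  Note also that on a web farm every server must share the same machineKey, or cookies issued by one node will fail Unprotect on another.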

See Also

Customizing Application Security

Implementing Custom User Authentication

Example: Overriding Security at the Page Level

Example: Programmatically Accessing the Currently Logged-in User

Example: Access User Name and Password from Sign In Control

Example: Allow Only Active Users to Login

Example: Encrypting Passwords Before Saving to the Database

Example: Restrict Login after Incorrect Password Used