Iron Speed Designer Help
 
Authentication (security) and authorization (role management) types

Iron Speed Designer provides these authentication mechanisms in your application:

  • Database Security.  Validates the user by checking the user name and password against the record in the database.  Can be used only with Database Roles, which are retrieved from the same database.

  • Microsoft Active Directory Security.  Validates the user against a Microsoft Active Directory server on your network. It creates a DirectoryEntry using the user name and password and then creates a DirectorySearcher to retrieve information about this particular user; the user is considered authenticated if information is retrieved. It can be used with Database Roles, Active Directory Groups and the Microsoft Authorization Manager (AzMan) role store.  Active Directory security allows single sign in for intranet users: it retrieves the user name from the context and uses it to retrieve information from Active Directory.  Active Directory Security requires certain settings in your Microsoft IIS web server and in your application.

  • Microsoft SharePoint Security.  Can be used only in combination with SharePoint Groups authorization.  SharePoint sites and their groups are used as security roles.  Validates the user against a Microsoft SharePoint server on your network by retrieving the logged in user's credentials from the SharePoint Context.  Sites can be used without specifying the exact SharePoint web application, or they can be made web-application specific.

  • Windows Authentication.  Verifies whether HttpContext.Current.User.Identity is set and, if so, treats this user as logged in and retrieves the roles from the database. If roles cannot be retrieved, sets them to Non-Anonymous. Important: use this security type carefully, because it does not require the user to type in a password and effectively authenticates every user who has logged in to the domain. This security type should be used only when both your application and the Microsoft IIS web server are set to 'Windows Authentication'.  If HttpContext.Current.User is not set and Database Roles is selected as the role management type, the application redirects to the Sign In page and uses the database to authenticate the user name and password.  So if your application is used by both intranet and Internet users, the latter use normal database authentication.

  • None Security.  Security is disabled and all role information is disregarded.

Currently these authorization (role-based security) types are implemented:

  • Database Roles.  Used with Database Security, Windows Authentication Security or Active Directory Security. In all cases, roles are retrieved from the database based on the user name, which may have been validated by any of these security types.

  • Active Directory Groups.  Used with Active Directory Security only. Allows Active Directory groups to be used as user roles. Allows the use of nested groups (if configured via the Application Security Wizard): user1 can be a member of groupA, which in turn is a member of groupB, and if groupB is set as a role for a page or control, user1 gets access to the page or control even though it is not a direct member of groupB.

  • Microsoft Authorization Manager.  Used with Active Directory Security only; allows a custom set of roles to be used with Active Directory user entries.

  • None Roles.  When selected, all roles are treated as Signed In only. Does not modify the roles stored for pages or controls.

 

The supported combinations of authentication and authorization type are:

Authentication: Database
Authorization: Database
Details: No single sign in. Authenticates against the database with user name and password. Roles come from the database.

Authentication: Database
Authorization: None
Details: No single sign in. Authenticates against the database with user name and password. Any role is treated as Signed In Only.

Authentication: Active Directory
Authorization: Database
Details: Single sign in (uses HttpContext.Current.User.Identity to get the user name and domain). Authenticates against Active Directory. If automatic sign in fails, presents the Sign In page and uses the user name and password to authenticate with Active Directory. Retrieves roles from the database, using the user name to retrieve a record for single sign in, or the user name and password for normal sign in. If no record exists, the user gets only the Signed In role.

Authentication: Active Directory
Authorization: Active Directory
Details: Single sign in (uses HttpContext.Current.User.Identity to get the user name and domain). Authenticates against Active Directory. If automatic sign in fails, presents the Sign In page and uses the user name and password to authenticate with Active Directory. Roles = the groups to which the user belongs. Retrieves only the groups the user is an immediate member of if the "nested groups" option is not checked; if it is checked, also retrieves, recursively, all groups that have those groups as members (unlimited nesting depth).

Authentication: Active Directory
Authorization: AzMan
Details: Single sign in (uses HttpContext.Current.User.Identity to get the user name and domain). Authenticates against Active Directory. If automatic sign in fails, presents the Sign In page and uses the user name and password to authenticate with Active Directory. Roles are retrieved from Microsoft Authorization Manager (AzMan) using the user name.

Authentication: SharePoint Authentication
Authorization: SharePoint Groups
Details: Single sign in (uses SharePoint.SPContext.Current.Web.CurrentUser to get the user name). Does not authenticate; if a user is present in the context he/she is considered authenticated. Always tries to sign the user in first, regardless of the "Automatically sign in" option. Retrieves roles (groups and sites) from the SharePoint context.

Authentication: Windows Authentication
Authorization: Database
Details: Single sign in (uses HttpContext.Current.User.Identity to get the user name and domain). Does not authenticate; if a user is present in the context he/she is considered authenticated. Always tries to sign the user in first, regardless of the "Automatically sign in" option. If no user is present in the context, presents the Sign In page and uses the user name and password to authenticate with the database. Retrieves roles from the database, using the user name to retrieve a record for single sign in, or the user name and password for normal sign in. If no record exists, the user gets only the Signed In role.

Authentication: Windows Authentication
Authorization: None
Details: Single sign in (uses HttpContext.Current.User.Identity to get the user name and domain). Does not authenticate; if a user is present in the context he/she is considered authenticated. Always tries to sign the user in first, regardless of the "Automatically sign in" option. If no user is present and the page is secured, the user is redirected to the Sign In page, but there is no way to log in there: whatever he/she types in the login screen, he/she will not be authenticated.

CurrentSecurity interface overview

Depending on the security type, the security interface CurrentSecurity is implemented by different classes.  The functionality is common to all classes and does not depend on the security type.  These methods are used to perform various security related tasks and are defined in the ISecurity interface, so they can be called from any page that derives from BasePage via the ISecurity instance.  They can be called from any page in the following manner:

DirectCast(Me.Page, BaseApplicationPage).CurrentSecurity.LogOut(CType(Me.Page, BaseApplicationPage))

 

Function ValidateCurrentUser(ByVal appRoles As String) As SecurityControls.ValidationResults

This method validates a user.  It verifies whether the user currently stored in the session has one of appRoles and returns one of ValidationResults.  This method calls the appropriate validation procedure depending on the role management type.

Function SetLoginInfo(ByVal userName As String, ByVal userPassword As String, ByRef errorMessage As String) As Boolean

This method authenticates the user and stores the user name, domain, roles and user ID into the session to be used by ValidateCurrentUser later on.

Function Logout(ByVal page As BaseClasses.Web.UI.BasePage) As Boolean

Clears the session and thereby logs out the user.

Function GetUserStatus() As String

This method returns the user name if the user is logged in and the empty string if not.

Function SetUser(ByVal userName As String, Optional ByVal userID As String = "", Optional ByVal userRoles As String = "") As Boolean

This method stores the user's information in the session without authentication.  It can be used if you provide custom authentication functionality.
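As an added example (not code from the Iron Speed Designer help or from a generated application), the following sign-in handler checks the credentials against a custom store and calls SetUser only after that check succeeds. The page class, the control names, the ExternalUserStore stand-in and its sample accounts are constructed; SetUser and its parameters are the ones described above.

```vb
' Added example: custom authentication, then SetUser. Constructed for
' illustration: CustomSignInPage, ExternalUserStore and its sample accounts,
' the control names and the Managers/Users role names.
' Assumes BaseApplicationPage is reachable from the page's namespace.
Imports System.Web.UI.WebControls

' Stand-in for the custom credential store. A real store would verify a
' password hash; the two sample accounts here are constructed.
Public Class ExternalUserStore
    Public Shared Function Authenticate(ByVal userName As String, ByVal password As String, _
                                        ByRef userID As String, ByRef role As String) As Boolean
        userID = ""
        role = ""
        Select Case userName.Trim().ToLowerInvariant()
            Case "alice"
                If password <> "sample-pw-a" Then Return False
                userID = "1001"
                role = "Managers"
            Case "bob"
                If password <> "sample-pw-b" Then Return False
                userID = "1002"
                role = "Users"
            Case Else
                Return False
        End Select
        Return True
    End Function
End Class

Public Class CustomSignInPage
    Inherits BaseApplicationPage
    Protected UserNameTextBox As TextBox
    Protected PasswordTextBox As TextBox
    Protected ErrorLabel As Label

    Protected Sub SignInButton_Click(ByVal sender As Object, ByVal e As EventArgs)
        Dim userID As String = ""
        Dim role As String = ""
        ' SetUser stores the user in the session without authenticating, so it
        ' is reached only after the external check has succeeded.
        If ExternalUserStore.Authenticate(UserNameTextBox.Text, PasswordTextBox.Text, userID, role) Then
            DirectCast(Me.Page, BaseApplicationPage).CurrentSecurity.SetUser(UserNameTextBox.Text.Trim(), userID, role)
            Response.Redirect("~/Default.aspx")   ' constructed landing page
        Else
            ' One message for unknown user and wrong password.
            ErrorLabel.Text = "Sign in failed."
        End If
    End Sub
End Class
```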

Additional CurrentSecurity methods

There are also several methods which are not page dependent and can be called from any class in your application.  These methods are implemented as shared (static) methods and allow security related values to be retrieved and set individually.  They are defined in the SecurityControls class, so they can be called anywhere in your code by specifying the SecurityControls class name in front, such as:

SecurityControls.SetCurrentUserRoles(roles)

 

Public Shared Function IsUserInRole(ByVal context As HttpContext, ByVal appRolesLst As System.Collections.IList) As Boolean

Public Shared Function IsUserInRole(ByVal appRoles As String) As Boolean

These two methods verify whether the currently logged in user has one of the roles in appRolesLst (or appRoles).

Public Shared Function GetCurrentUserRoles() As String

This method retrieves user roles from the session for the currently logged in user.  It returns the empty string if the user is not logged in or if no roles are assigned.  This method works for all security types.

Public Shared Function GetCurrentUserName() As String

This method retrieves the user name from the session for the currently logged in user.  It returns the empty string if the user is not logged in. This method works for all security types.

Public Shared Function GetCurrentUserID() As String

This method retrieves the user ID from the session for the currently logged in user.  It returns the empty string if the user is not logged in or if no user ID was assigned.  This method works for all security types.

Public Shared Sub SetCurrentUserName(ByVal usrName As String)

This method allows you to set the user name for the currently logged in user from any class in your application.  This method does not perform any authentication or validation.  It sets the user name even if the user is not logged in.  It can be called for any security type.

Public Shared Sub SetCurrentUserID(ByVal usrID As String)

This method allows you to set the user ID for the currently logged in user from any class in your application.  This method does not perform any authentication or validation.  It sets the user ID even if the user is not logged in.  It can be called for any security type.

Public Shared Sub SetCurrentUserRoles(ByVal usrRoles As String)

This method allows you to set roles for the currently logged in user from any class in your application.  This method does not perform any authentication or validation.  It sets roles even if the user is not logged in.  It can be called for any security type.

Public Shared Function GetUserRecord(Optional ByVal userID As String = "") As IUserIdentityRecord

This method returns the database record for the given userID, or for the currently logged in user if userID is omitted.  It returns Nothing if userID is invalid or no user is logged in.  It returns a record only for Database Security and Nothing in all other cases.

Logic related to the sign in process is located in the SignIn.aspx code-behind file created by Iron Speed Designer.  It contains calls to all of the methods listed above, which allows you to modify any part of the logic.  Logic related to the sign out process is located in the SignOut.aspx code-behind file.

Events

When a user logs in or logs out, LogEvent is raised; it can be handled on any page to perform custom logic and to cancel the login or logout process.

Public Event LogEvent(ByVal args As LogInEventArgs)

LogEvent can be handled on any page or any class derived from BasePage or BaseApplicationPage as long as it is the currently loaded page.

The event has one argument of type LogInEventArgs with the following public members:

Cancel – Boolean property.  If set to true in the event handler, it cancels either the sign in or the sign out process, which then returns false.

LoggedInUserID – String. Returns the user ID of the logged in user.  If the event type is LoggedIn, this is the user ID used to log in, whether or not the attempt succeeded.

LoggedInUserName – String. Returns the user name of the logged in user.  If the event type is LoggedIn, this is the user name used to log in, whether or not the attempt succeeded.

LoggedIn – Boolean property.  Returns true if the user is logged in and false otherwise.

EventType – One of the following types:  LoggingIn, LoggedIn, LoggingOut, LoggedOut, SettingIn and SetIn.
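As an added example (not code from the Iron Speed Designer help or from a generated application), the following page handles LogEvent and cancels the sign-in attempt for accounts flagged as disabled. The page class and the DisabledAccounts list are constructed; it assumes LogEvent is exposed by the page's CurrentSecurity instance, compares EventType by name because the enumeration's type name is not given here, and assumes LoggedInUserName carries the attempted user name at LoggingIn as it does at LoggedIn.

```vb
' Added example: cancelling a sign-in attempt from a LogEvent handler.
' Constructed for illustration: ActiveUsersPage and the DisabledAccounts list.
' Assumptions: LogEvent is raised by the page's CurrentSecurity instance;
' EventType is compared by name because the enumeration's type name is not
' given on this page; LoggedInUserName carries the attempted name at LoggingIn.
Imports System

Public Class ActiveUsersPage
    Inherits BaseApplicationPage

    ' Stand-in for an "account disabled" flag in the user table (constructed).
    Private Shared ReadOnly DisabledAccounts As String() = New String() {"mallory", "olduser"}

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Registered on each page load; if CurrentSecurity outlives the page in
        ' your application, register the handler once instead.
        AddHandler DirectCast(Me.Page, BaseApplicationPage).CurrentSecurity.LogEvent, AddressOf OnLogEvent
    End Sub

    ' True when the named account must not be allowed to sign in.
    Public Shared Function IsDisabled(ByVal userName As String) As Boolean
        If userName Is Nothing Then Return False
        Dim name As String = userName.Trim()
        For Each disabled As String In DisabledAccounts
            ' Windows and Active Directory account names are not case-sensitive.
            If String.Equals(disabled, name, StringComparison.OrdinalIgnoreCase) Then Return True
        Next
        Return False
    End Function

    Private Sub OnLogEvent(ByVal args As LogInEventArgs)
        ' Only the sign-in attempt is checked; sign-out is never blocked.
        If args.EventType.ToString() <> "LoggingIn" Then Return

        If IsDisabled(args.LoggedInUserName) Then
            ' Cancel makes the sign-in process return False; the user stays signed out.
            args.Cancel = True
        End If
    End Sub
End Class
```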

CurrentSecurity class locations

CurrentSecurity is an instance of the ISecurity Interface implemented in:

BaseClasses\Utils\SecurityControls.vb

The ActiveDirectorySecurity class is located in:

BaseClasses\Utils\ActiveDirectorySecurity.vb

The RoleBasedSecurity class is located in:

BaseClasses\Utils\RoleBasedSecurity.vb

The WindowsSecurity class is located in:

BaseClasses\Utils\WindowsSecurity.vb

The NoneSecurity class is located in:

BaseClasses\Utils\NoneSecurity.vb

RoleBasedSecurity uses regular database table(s) to authenticate users and determine user role(s); the ActiveDirectorySecurity class uses Active Directory to authenticate users; and the WindowsSecurity class uses the Windows context to retrieve logged in users.

With Active Directory security you may choose either to use Active Directory Groups as roles (this logic is implemented in the same ActiveDirectorySecurity class), Database Roles tables or Microsoft Authorization Manager as a policy store.  With Windows Security you may use only Database Roles.

Logic for Active Directory Groups is implemented in the ActiveDirectoryGroups class, located in:

BaseClasses\Utils\ActiveDirectoryGroups.vb

Logic for Authorization Manager is implemented in the AzManRoles class, located in:

BaseClasses\Utils\AzManRoles.vb

Logic for Database Roles is implemented in the ProprietoryRoles class, located in:

BaseClasses\Utils\ProprietoryRoles.vb

Finally, all authentication types can be used without role management, in which case the NoneRoles class is used. It is implemented in:

BaseClasses\Utils\NoneRoles.vb

Examples

Implementing Custom User Authentication

Example: Overriding Security at the Page Level

Example: Programmatically Accessing the Currently Logged-in User

Example: Access User Name and Password from Sign In Control

Example: Allow Only Active Users to Login

Example: Encrypting Passwords Before Saving to the Database

Example: Restrict Login after Incorrect Password Used