Q: How do I install this module?

Use the download on the download page or, much easier, use NuGet in Visual Studio 2010. Search for 'simplebasic' or look at http://nuget.org/Packages/Packages/Details/SimpleBasicAuthenticationModule-0-1

Q: How do I edit the credentials?

The credentials to be used by the basic authentication module are stored in:

<web project root folder>/App_Data/UserCredentials.xml

The credentials are stored in this format:

<ArrayOfstring xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <string>user;ww;user</string>
  <string>admin;ww;admin</string>
  <string>both;ww;user|admin</string>
</ArrayOfstring>

Each string element is divided into three parts, separated by a semicolon ';'.

Here we see three users: 'user', 'admin' and 'both'.
They share the same password: 'ww'.
Both 'user' and 'admin' have only one role, with the same description as their name.
The user 'both' has two roles: 'user' and 'admin'.
Multiple roles are separated by the pipe sign '|'.
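
As an added example (not the module's own code), this shows how entries in the format above can be parsed and matched against the name and password carried in a Basic Authorization header. The types CredentialEntry, CredentialFile and Demo are hypothetical, and the sample XML is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Xml.Linq;

// Hypothetical helper types for illustration; not part of the SimpleBasicAuthentication assembly.
public sealed class CredentialEntry { public string Name, Password; public string[] Roles; }

public static class CredentialFile
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/2003/10/Serialization/Arrays";

    // Parses "name;password;role1|role2". A ';' inside a password yields four parts and is rejected.
    public static List<CredentialEntry> Parse(string xml)
    {
        var entries = new List<CredentialEntry>();
        foreach (var element in XDocument.Parse(xml).Root.Elements(Ns + "string"))
        {
            var parts = element.Value.Split(';');
            if (parts.Length != 3 || parts[0].Length == 0)
                throw new FormatException("Expected name;password;roles, got: " + element.Value);
            var roles = parts[2].Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
            entries.Add(new CredentialEntry { Name = parts[0], Password = parts[1], Roles = roles });
        }
        return entries;
    }

    // Decodes "Basic base64(name:password)" and returns the matching entry, or null (answer 401).
    public static CredentialEntry Authenticate(string header, List<CredentialEntry> entries)
    {
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return null; }   // value is not valid Base64
        int colon = decoded.IndexOf(':');           // split on the first ':' only; a password may contain ':'
        if (colon < 0) return null;
        string name = decoded.Substring(0, colon), password = decoded.Substring(colon + 1);
        return entries.Find(e => e.Name == name && e.Password == password);
    }
}

public static class Demo
{
    public static void Main()
    {
        string xml = "<ArrayOfstring xmlns=\"http://schemas.microsoft.com/2003/10/Serialization/Arrays\">"
                   + "<string>user;ww;user</string><string>both;ww;user|admin</string></ArrayOfstring>"; // constructed sample
        string header = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("both:ww"));
        var match = CredentialFile.Authenticate(header, CredentialFile.Parse(xml));
        Console.WriteLine(match == null ? "401" : match.Name + " -> " + string.Join(",", match.Roles));
    }
}
```

The header value is only Base64-encoded, so anyone who can read the request can recover the name and password. The == comparison here is not constant-time, and the file keeps passwords in clear text, so restrict read access to App_Data.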

Q: How do I configure the web.config?

The web.config of the web application will look like:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authentication mode="None" />
  </system.web>

  <system.webServer>
    <modules>
      <add name="SimpleBasicAuthentication" type="SimpleBasicAuthentication.BasicAuthenticationModule" />
    </modules>
  </system.webServer>

</configuration>

Note that the authentication mode of the web project is set to None! This module handles the authentication, not the web application, so check that any existing authentication (normally Forms authentication) is commented out or removed.

The module referenced in the web.config is loaded as long as its DLL is available in the bin directory of the web application.

Q: After entering my credentials I get an error and I am redirected to: "localhost:port/login.aspx?ReturnUrl=%2f"

You have used the MVC4 internet project template. This template is designed to check for claims.
Follow these steps:
- Remove (or comment out) the AccountController controller in Controllers and the InitializeSimpleMembershipAttribute in Filters
- Remove the WebMatrix.WebData reference

Q: OK, I am logging in into the web application, what now?

Use C# to find out which user is logged in.

In ASPX:

string name = Context.User.Identity.Name;
bool isAuthenticated = Context.User.Identity.IsAuthenticated;
bool hasUserRole = Context.User.IsInRole("User");
bool hasAdminRole = Context.User.IsInRole("Admin");

In MVC it will look like:

// Only read the user when a request context and principal are available.
if ((System.Web.HttpContext.Current != null)
    && (System.Web.HttpContext.Current.User != null))
{
    ViewBag.User = "Welcome " + System.Web.HttpContext.Current.User.Identity.Name;

    if (System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
    {
        var isUser = System.Web.HttpContext.Current.User.IsInRole("User");
        var isAdmin = System.Web.HttpContext.Current.User.IsInRole("Admin");

        // Append the roles of the user, e.g. "(User; Administrator)".
        ViewBag.User += " (";
        ViewBag.User += isUser ? "User" : "";
        ViewBag.User += isUser && isAdmin ? "; " : "";
        ViewBag.User += isAdmin ? "Administrator" : "";
        ViewBag.User += ")";
    }
}
else
{
    ViewBag.User = "Welcome";
}

Q: What about the roles?

Roles are supported. Just add an attribute like [Authorize(Roles = "admin")] at the top of your controller and you are done. Now the views/actions behind this controller are only available to those who have the admin role.

Q: Can this be combined with the ASP.Net MVC Area?

Sorry, this basic authentication implementation uses a module, so every call to the website passes through this module. Area calls pass through this module as well :-(

Q: Are there any limitations?

OK, this is not the silver bullet, but it is close to that :-) :
  • This works only for Web Projects, not the 'websites' that can also be created by Visual Studio
  • If some kind of other authentication is set in the web.config (e.g. forms authentication) a warning will appear concerning duplicate XML nodes in the web.config
  • Are you aware you have to implement SSL? The name/password combination is sent unencrypted in EVERY basic authentication scenario!
  • At this moment the code is compiled in .Net Framework version 4.

Q: If I like this module how can I let you know?

You can leave a message on the discussion page. Thank you for helping out.

---

The logic of this module is based on:
http://blogs.msdn.com/b/astoriateam/archive/2010/07/21/odata-and-authentication-part-6-custom-basic-authentication.aspx

The caching is based on:
http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx

Last edited May 30, 2013 at 9:52 AM by svelde, version 24
