
My ASP.NET webapp will be protected by a third-party agent (SM). SM will intercept every call to the webapp, authenticate the user as a valid system user, add some header info, e.g. the username, and redirect it to my webapp. I then need to validate that the user is an active user of my website.

Currently I am authenticating the user by implementing the Application_AuthenticateRequest method in the Global.asax.cs file. I have a custom membership provider whose ValidateUser method checks if the user exists in the users table of my database.

Just wanted to get comments on whether this is a good approach or not.

    using System;
    using System.Security.Principal;
    using System.Threading;
    using System.Web;
    using System.Web.Security;

    // Holds the identity attributes the SM agent forwards in request headers.
    public class SMCredentials
    {
        public string SMUser { get; set; }
        public string FirstName { get; set; }
        public string LastName { get; set; }
        public string EmailAddr { get; set; }
    }

    public class Global : HttpApplication
    {
        protected void Application_AuthenticateRequest(object sender, EventArgs e)
        {
            // If the forms-auth cookie from an earlier request was valid, the
            // FormsAuthenticationModule has already populated User; skip re-validation.
            if (HttpContext.Current.User == null)
            {
                var smcred = ParseAuthorizationHeader(Request);

                // Validate that this user is an active user in the database via the custom
                // membership provider (its ValidateUser ignores the password, hence null).
                if (Membership.ValidateUser(smcred.SMUser, null))
                {
                    // Set the cookie so the user is not re-validated on every call.
                    FormsAuthentication.SetAuthCookie(smcred.SMUser, false);
                    var identity = new GenericIdentity(smcred.SMUser);
                    string[] roles = null; // TODO: implement role provider: Roles.Provider.GetRolesForUser(smcred.SMUser)
                    var principal = new GenericPrincipal(identity, roles);

                    Thread.CurrentPrincipal = principal;
                    HttpContext.Current.User = principal;
                }
            }
        }

        protected virtual SMCredentials ParseAuthorizationHeader(HttpRequest request)
        {
            // Here is where the request headers added by SM will be parsed for the
            // relevant tokens, e.g. the username. Mock-up below for username "henry".
            return new SMCredentials { SMUser = "henry", FirstName = "", LastName = "", EmailAddr = "" };
        }
    }
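The handler above trusts whatever username arrives in the header, so any client that can reach the webapp without passing through SM could set that header itself and log in as anyone. What follows is an added example, not the poster's code, of the same handler hardened so that it only trusts the SM header when the request proves it came through the agent. The header names (read from the SMUserHeader and SMSecretHeader app settings), the shared-secret scheme and the SMSecret app setting are assumptions; the page does not say which headers SM adds. Any other proof that the request traversed the agent (mutual TLS between agent and webapp, source-address filtering at the network edge) serves the same purpose.

```csharp
// Added example, not the original poster's code.
// Assumptions (labelled): the SM agent forwards the username in the header named by
// appSettings["SMUserHeader"] and a shared secret in appSettings["SMSecretHeader"];
// the expected secret value is appSettings["SMSecret"]. All three names are hypothetical.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web;
using System.Web.Security;

public class SMCredentials
{
    public string SMUser { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public string EmailAddr { get; set; }
}

public class SMGlobal : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // A valid forms-auth cookie from an earlier request already populated User.
        IPrincipal current = HttpContext.Current.User;
        if (current != null && current.Identity != null && current.Identity.IsAuthenticated)
            return;

        SMCredentials smcred = ParseAuthorizationHeader(Request);
        if (smcred == null)
            return; // not from the agent, or no username: remain anonymous

        if (!Membership.ValidateUser(smcred.SMUser, null))
            return; // authenticated by SM, but not an active user of this site

        FormsAuthentication.SetAuthCookie(smcred.SMUser, false);
        var identity = new GenericIdentity(smcred.SMUser, "SM");
        string[] roles = Roles.Enabled ? Roles.GetRolesForUser(smcred.SMUser) : new string[0];
        var principal = new GenericPrincipal(identity, roles);

        Thread.CurrentPrincipal = principal;
        HttpContext.Current.User = principal;
    }

    // Returns null unless the request carries the agent's shared secret AND a username.
    protected virtual SMCredentials ParseAuthorizationHeader(HttpRequest request)
    {
        string userHeader = ConfigurationManager.AppSettings["SMUserHeader"];     // assumption
        string secretHeader = ConfigurationManager.AppSettings["SMSecretHeader"]; // assumption
        string expectedSecret = ConfigurationManager.AppSettings["SMSecret"];     // assumption

        // Fail closed if the deployment has not been configured.
        if (string.IsNullOrEmpty(userHeader) || string.IsNullOrEmpty(secretHeader) || string.IsNullOrEmpty(expectedSecret))
            return null;

        // Refuse to trust any SM header unless the request proves it came via the agent.
        string presented = request.Headers[secretHeader];
        if (string.IsNullOrEmpty(presented) || !FixedTimeEquals(presented, expectedSecret))
            return null;

        string user = request.Headers[userHeader];
        if (string.IsNullOrWhiteSpace(user))
            return null;

        return new SMCredentials { SMUser = user.Trim(), FirstName = "", LastName = "", EmailAddr = "" };
    }

    // Constant-time comparison so the secret cannot be recovered byte by byte via timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

One caveat the forms cookie introduces: once issued, it is accepted until it expires regardless of what SM decides later, so a user deactivated in the database or revoked at the agent keeps access for the cookie's lifetime. Keep the forms timeout short, or drop the cookie and re-check the header on every request (the agent already authenticates every call).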

1 Answer

I would go with the attribute approach to keep it more MVC-like. It would also allow you more flexibility: you could potentially have different membership providers for different controllers/actions.
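As an added example, not the answerer's code, here is one way to write the custom AuthorizeAttribute the answer suggests. It carries an optional membership provider name so that different controllers or actions can validate against different providers registered in web.config, checks that the user is still active through that provider, and applies the base attribute's Roles property. The provider names in the usage comment, the "SM" authentication type and the 401/403 split are assumptions.

```csharp
// Added example, not the answerer's code. Assumes authentication (who the user is)
// has already placed the SM username in HttpContext.User, e.g. by the event handler
// in the question; this attribute only decides whether that user may proceed.
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true, Inherited = true)]
public class SMAuthorizeAttribute : AuthorizeAttribute
{
    // Name of a MembershipProvider registered in web.config to validate against.
    // Null or empty means Membership.Provider (the default), so an admin area can
    // point at a stricter provider while the rest of the site uses the default one.
    public string ProviderName { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
            throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // authentication has not happened; nothing to authorize

        MembershipProvider provider = string.IsNullOrEmpty(ProviderName)
            ? Membership.Provider
            : Membership.Providers[ProviderName];
        if (provider == null)
            return false; // misconfigured provider name: fail closed rather than open

        // Active-user check: the custom provider's ValidateUser ignores the password.
        if (!provider.ValidateUser(user.Identity.Name, null))
            return false;

        // Role check using the base attribute's comma-separated Roles property.
        if (!string.IsNullOrEmpty(this.Roles))
        {
            var required = this.Roles.Split(',').Select(r => r.Trim()).Where(r => r.Length > 0);
            if (!required.Any(user.IsInRole))
                return false;
        }
        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Distinguish "not authenticated" (401, lets SM or forms auth redirect) from
        // "authenticated but not allowed" (403), so a valid-but-inactive user is not
        // bounced back through the agent in a redirect loop.
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage on hypothetical controllers:
//   [SMAuthorize]                                                  // any active user
//   public class HomeController : Controller { }
//
//   [SMAuthorize(ProviderName = "AdminMembership", Roles = "admin")] // provider name assumed
//   public class AdminController : Controller { }
```

Because AuthorizeCore takes an HttpContextBase, the attribute can be unit-tested by passing a mocked context with a chosen principal, which is the testability benefit the answer refers to. Note that authorization filters run after authentication, so the attribute cannot replace the header parsing; it can only build on the principal that step produced.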


3 Comments

Do you mean implementing a custom AuthorizeAttribute? If so, then from what I read the AuthenticateRequest occurs before the authorize call.
Yes, a custom AuthorizeAttribute is what I would do. Both the event handler and the custom attribute will help you achieve what you described, but the AuthorizeAttribute will offer you more flexibility and unit testability.
In order to keep authentication (who the user is) and authorization (what this user has access to) separate, I decided to authenticate the user in the event handler, whereas I do the role authorization (is the user active? is the user admin?) with an authorize attribute. Does that make sense?
