Saturday 26 January 2008

Session 6 - Authentication Module Design

The agenda for today's session was "Forms Authentication". This deviates from what was originally planned, but we would like to take things up on a priority basis.
The following points will be covered:
- What is forms based authentication?
- Relationship between authentication and url authorization module.
- Architecting a custom authentication solution.

Summary


We covered how authentication and authorization work in ASP.NET. Authentication is handled by the FormsAuthenticationModule (FAM) and authorization is handled by the UrlAuthorizationModule. The FAM handles the AuthenticateRequest and EndRequest events. The UrlAuthorizationModule handles the AuthorizeRequest event.


The following are the activities that the FAM performs:

- It checks if the request is for the login.aspx page.
- If yes, it sets the SkipAuthorization property to true.
- If no, it creates the FAC cookie and sets the Principal object.
- It does some other activities, like extending the ticket timeout value.
- In EndRequest, it checks whether the response code is 401 and redirects to login.aspx if it is; otherwise it continues serving the request.

The UrlAuthorizationModule essentially checks the incoming URL and verifies whether the request has access to the resource. It reads the authorization element from the configuration and sets the response code to 0x191 (decimal 401, unauthorized access) if the request does not have access to the requested resource.
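
The flow summarized above, sketched as a custom IHttpModule. This is an added example, not code from the session or from ASP.NET itself; the class name SketchAuthModule is hypothetical, and it assumes the login URL is configured in the forms element as a path inside this application and that the built-in forms module is not also handling the request.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module; register it under <httpModules> in web.config.
public class SketchAuthModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest; // runs before AuthorizeRequest
        app.EndRequest += OnEndRequest;
    }
    public void Dispose() { }

    private static bool IsLoginPage(HttpRequest request)
    {
        // Compare app-relative paths so only the configured login page matches.
        string login = VirtualPathUtility.ToAppRelative(FormsAuthentication.LoginUrl);
        return string.Equals(request.AppRelativeCurrentExecutionFilePath, login,
                             StringComparison.OrdinalIgnoreCase);
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (IsLoginPage(ctx.Request)) { ctx.SkipAuthorization = true; return; }
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; } // tampered or malformed cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        // Roles are left empty here; a real module would load them for the user.
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Response.StatusCode != 401) return; // 0x191, set during AuthorizeRequest
        // RawUrl is the local path and query of this request, not a caller-chosen host.
        string returnUrl = HttpUtility.UrlEncode(ctx.Request.RawUrl);
        ctx.Response.Redirect(FormsAuthentication.LoginUrl + "?ReturnUrl=" + returnUrl, false);
    }
}
```

Because a failed or missing ticket leaves the request anonymous rather than rejecting it outright, the deny rules in the authorization element are what produce the 401 that EndRequest turns into a redirect.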

Lessons learned:

The following are the lessons learned; they can be applied whenever a custom authentication HttpModule is to be developed.
- Handle the AuthorizeRequest event to create cookies.
- If you use session as part of authentication, then do session-related activities in the AcquireRequestState event.
- If you need to include authorization, then follow the standard approach, i.e. handle the Authorize event or implement authorization based on the authorization configuration.

Enjoy learning

Session 5 - Front Controller

In this session we covered topics related to the front controller and how it relates to the upcoming ASP.NET MVC framework.
The ASP.NET framework uses the page controller pattern. Every request is mapped to a page, which interacts with the model and the database.
The Front Controller, on the other hand, takes all requests and dispatches them to the appropriate views.