tags:

views:

43

answers:

1
+1  Q: 

Custom authentication with service layer?

Hello

I have an app with 3 "layers", first "datalayer", 2nd "businesslayer" and 3rd is the asp.net mvc site. And I'm trying to add forms authentication in the proper way.

Should I somehow configure it to use the business layer? That gets/adds/updates user that is a part of the authentication to be?

And in which project shall I add the user validation at?

/M

+1  A: 

Authentication is something that should always happen at the application boundary, because different applications using the same Domain Model may have different authentication needs. If you ever decide to expose your Domain Model as, say, a web service, Forms Authentication is not likely to be the best authentication mechanism.

In ASP.NET MVC you can easily implement UserName/Password authentication using the default project template from Visual Studio, but once the user is authenticated, you should set Thread.CurrentPrincipal.

In general, IPrincipal is the standard basis for modeling user context in .NET. For example, HttpContext.User is an IPrincipal.

In your Domain Model and Data Access modules, you can use Thread.CurrentPrincipal to implement Authorization logic. This allows you to vary Authentication and Authorization independently of each other.

If you need to work with a richer User concept in your Domain Model, you can have your User class implement IPrincipal.

Mark Seemann  2010-01-19 08:39:30
Is there someway of implementing this: http://schotime.net/blog/index.php/2009/02/17/custom-authorization-with-aspnet-mvc/ into my service layer and use it from my asp.net mvc application? Or does the custom auth class need to be in same project as the mvc app?
molgan  2010-01-19 12:10:40
The best way of utilizing service layer or Domain Model services from the Application/UI Layer is to use Dependency Injection (DI). However, you can't really inject a service into an attribute because it is statically wired. However, you can globally configure ASP.NET MVC FilterAttributes with DI. Here's an example showing how to do it for HandleError: http://blog.ploeh.dk/2009/12/01/GlobalErrorHandlingInASPNETMVC.aspx
Mark Seemann  2010-01-19 13:12:32

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data