We have an ASP.NET application that's partly in MVC (the rest of it being a legacy webforms-based CMS). The application is authenticated via Forms Authentication, although any user accessing it from a specific set of IP addresses is automatically assigned to a "special" user.

We currently have a child application that we would ideally like to bring into the (parent) MVC application as an area. This application uses Windows Authentication as a 2nd layer of authentication. Is there an easy way of retaining the second layer of authentication (possibly by a 2nd authorize attribute)? This is bearing in mind the users can log into this application from both within & outside of the set of IP addresses used for the special forms authentication user, which rules out straight forms authentication. We're also not necessarily tied to windows authentication for this second layer if this makes for an easier solution.

+1  A: 

I'm yet to try it out fully, but from what I've seen & tried out thus far, my solution to my own problem is to:

  1. Use Forms authentication for the protected area instead of Windows authentication.
  2. Create a role for certain users who are allowed to access this area & allocate it accordingly.
  3. Create a new custom authorisation attribute, sending unauthenticated users to the login page. In this case I need to do this as the application defines the login page to be the IP checker (instead of a proper login page), so using a normal authorisation attribute would cause an infinite request loop. The process is similar to the solution described here, except I'm using a plain RedirectResult instead of RedirectToRouteResult as the login page is still in WebForms instead of MVC.
  4. (Optional) since I'm using MVC Areas, I can even create a base controller with the custom authorisation attribute & derive all other controllers from it. This saves me from prefixing every method in every controller (& no doubt stops me from forgetting to do so somewhere!).

I am still open to other solutions though!

Simon Rice
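
A sketch of the attribute and base controller described in steps 3 and 4 of the answer above, added here as an illustration and not taken from the original post. The login path, role name, auto-assigned user name and controller names are hypothetical placeholders, and `HttpStatusCodeResult` assumes ASP.NET MVC 3 or later.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical values: replace the login path, role and auto-assigned user name
// with the ones your application actually uses.
public class AreaAuthorizeAttribute : AuthorizeAttribute
{
    public string LoginPath { get; set; }        // the real WebForms login page, not the IP checker
    public string AutoAssignedUser { get; set; } // the account the IP checker signs visitors in as

    public AreaAuthorizeAttribute()
    {
        LoginPath = "~/Secure/Login.aspx";
        AutoAssignedUser = "ip-special";
        Roles = "SecureAreaUsers";               // AuthorizeCore enforces this role
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpContextBase http = filterContext.HttpContext;
        var identity = http.User == null ? null : http.User.Identity;

        // Anonymous visitors and the auto-assigned IP user have not proven who they are.
        bool needsLogin = identity == null
            || !identity.IsAuthenticated
            || string.Equals(identity.Name, AutoAssignedUser, StringComparison.OrdinalIgnoreCase);

        if (needsLogin)
        {
            // Redirect explicitly instead of returning 401: forms authentication would turn
            // a 401 into a redirect to the configured loginUrl (the IP checker) and loop.
            // RawUrl is path and query only; the login page must still verify that
            // ReturnUrl is local before redirecting back to it.
            string target = VirtualPathUtility.ToAbsolute(LoginPath)
                + "?ReturnUrl=" + HttpUtility.UrlEncode(http.Request.RawUrl);
            filterContext.Result = new RedirectResult(target);
        }
        else
        {
            // Signed in with a real account but lacking the role: deny outright,
            // since sending this user back to the login page would not help.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
    }
}

// Every controller in the area derives from this base, so no action can be left unprotected.
[AreaAuthorize]
public abstract class SecureAreaController : Controller { }

public class ReportsController : SecureAreaController
{
    public ActionResult Index() { return Content("secure area"); }
}
```

Treating the auto-assigned user like an anonymous visitor keeps the IP-based sign-in from satisfying the second layer on its own; a controller in the area that does not derive from the base class is not covered by the attribute.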