
I am relatively new to authorization/memberships in ASP.NET, so please excuse me if I ask anything silly. I have been looking at a lot of examples to implement a custom membership provider in .NET (on stackoverflow, codeproject, devX, and www.asp.net) and coded based on that, but somehow couldn't get it working.

My requirement - our organization heavily uses HP's Quality Center (QC). I am developing an ASP.NET application; its login page will use QC's API for authenticating a user. I also have a SQL database in which I'll store the QC users who have registered to my application (just store QC user ids in the DB, not passwords; like I said, password authentication is done using the QC API). There will be a user-roles table in my DB to define the roles for registered users.

Why use 'membership' instead of some simple 'forms authentication' - because maybe in future I want to decouple QC authentication.
So, with this I started with the first step - developing a custom membership class (named AutoCenterMembershipProvider) and a login page. I only need the ValidateUser method. Following is the approach I took to start with:
1. Ask user for QC user id/password, user clicks 'Authenticate' button
2. login page's code behind-'Authenticate' button's onClick method- checks if user is found in SQL database and if found, then uses QC API to authenticate user id-password
3. Second set of controls on Login page is enabled - ask user to select which QC Domain and Project user wants to login. Options for Domain and Project dropdown lists are also obtained using QC API after authenticating user. User selects those and clicks Login button
4. On Login button's click - call Membership.ValidateUser(objQCSession.UserName, objQCSession.Password). Since the user is already validated using the QC API, for simplicity I just return 'true' from my custom implementation of Membership.ValidateUser. Then I call - FormsAuthentication.RedirectFromLoginPage(obj_ACUser.QCSession.UserName, True) to direct the user to the app's default page provided in web.config - app_FAs.aspx.

The issue is - after user is redirected to app_FAs.aspx page, it directs user back to login page. I am trying to find out the mistake or missing piece.

Web.config looks like below:

<authentication mode="Forms">
  <forms loginUrl="~\Pages\Login.aspx" defaultUrl="App_FAs.aspx"></forms>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
<membership defaultProvider="AutoCenterMembershipProvider">
  <providers>
    <clear/>
    <add name="AutoCenterMembershipProvider" 
         type="CustomMembership.Models.AutoCenterMembershipProvider"
         enablePasswordRetrieval="false"   enablePasswordReset="false" 
         requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
         maxInvalidPasswordAttempts="100"  minRequiredPasswordLength="100"
         minRequiredNonalphanumericCharacters="0" 
         passwordAttemptWindow="100"   applicationName="/" />
  </providers>
</membership>

and customMembership class is like:

Public Class AutoCenterMembershipProvider
    Inherits System.Web.Security.MembershipProvider

    Public Overrides Function ValidateUser(ByVal username As String, ByVal password As String) As Boolean
        Return True
    End Function

rest all members are 'Not implemented'

Any help, pointers to the missing piece or mistake are greatly appreciated, thanks in advance.

Authenticate button click code

Private Sub btn_Authenticate_Click(ByVal sender As Object, ByVal e As System.Web.UI.ImageClickEventArgs) Handles btn_Authenticate.Click
   ' QC session object stored earlier in the login flow
   objQCSession = Session("QCUserSession")
   If Membership.ValidateUser(objQCSession.UserName, objQCSession.Password) Then
     FormsAuthentication.RedirectFromLoginPage(objQCSession.UserName, True)
   End If
End Sub
tiwarib
  • I just want to clarify a few things. Basically, you have two login steps. The 1st step doesn't use the membership provider; instead it validates with a regular method. The 2nd step uses the membership provider, which is basically a dummy one because `ValidateUser` always returns `true`. Could you also post the `Authenticate button click event` and a method that calls `RedirectFromLoginPage`? – Win Mar 29 '13 at 17:00
  • You are right, Membership.ValidateUser is called on the 2nd step, which is just a dummy one. Added the Authenticate button click's code above. – tiwarib Mar 29 '13 at 18:08

1 Answer


Currently, 2nd step - btn_Authenticate_Click method 1 - is just to assign FormsAuthenticationTicket to cookie, and redirecting user to app_FAs.aspx page. It doesn't really need Custom Membership Provider's features.

If I understand your problem correctly, I would change the logic like this.

1) After validating user for QC, create FormsAuthenticationTicket like this in the same method.

FormsAuthentication.SetAuthCookie("UserName", true|false);

2) btn_Authenticate_Click (does something and) redirects user to app_FAs.aspx

You do not even need Custom Membership Provider. If you want to use Custom Membership Provider, you can implement in 1st step (Not in 2nd step).

Win
  • Thanks Win. I understand that I am better off with FormsAuthentication. I thought of using Membership because, like I said, maybe in future I want to decouple QC authentication and implement my own. So I believe you are suggesting something like - I implement this dummy authentication in the first step, then inside the "If Membership.ValidateUser(User,Pass)", I prepare for the 2nd step; and then on the 2nd step's Authentication click, just use FormsAuthentication.SetAuthCookie("UserName", true|false)? – tiwarib Mar 29 '13 at 18:48
  • You can drop Membership Provider for now; it is not a good practice to implement a dummy membership provider which always returns `true` on validation. So I'll just add `FormsAuthentication.SetAuthCookie` to step 2 (or you can even add it to Step 1 for now, and move it to Step 2 later once you decouple). – Win Mar 29 '13 at 19:03
  • Thanks, guess you are right, I should not worry about future decoupling. Thanks, will use FormsAuthentication for now. – tiwarib Mar 29 '13 at 19:26
  • I removed Membership.validateuser, removed membership tag from web.config and just using FormsAuthentication.SetAuthCookie and RedirectFromLoginPage in the btn_Authenticate_Click method.
    But the issue still remains - after redirecting to app_FAs.aspx, it redirects back to login.aspx. any clue?
    – tiwarib Mar 30 '13 at 01:30
  • Could you change authorization to ``? – Win Apr 01 '13 at 14:37
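
An added example (not code from the question or the answer) of the flow the answer describes: the forms-authentication cookie is issued only after both the registration lookup and the QC check succeed, and the QC call sits behind an interface so it can be replaced later without an always-true `ValidateUser`. `ICredentialValidator`, `SignInService` and the `isRegistered` delegate are hypothetical names; the actual QC API call is assumed to live in an implementation of the interface.

```vb
Imports System
Imports System.Web.Security

' Hypothetical seam (not from the original post): today an implementation wraps
' the QC API call; later it can be swapped for another credential check.
Public Interface ICredentialValidator
    Function Validate(ByVal userName As String, ByVal password As String) As Boolean
End Interface

' Hypothetical helper that owns the whole sign-in decision.
Public Class SignInService
    Private ReadOnly _validator As ICredentialValidator
    Private ReadOnly _isRegistered As Func(Of String, Boolean)

    Public Sub New(ByVal validator As ICredentialValidator,
                   ByVal isRegistered As Func(Of String, Boolean))
        If validator Is Nothing Then Throw New ArgumentNullException("validator")
        If isRegistered Is Nothing Then Throw New ArgumentNullException("isRegistered")
        _validator = validator
        _isRegistered = isRegistered
    End Sub

    ' Decision only: True when the user is registered in the application's
    ' database AND the external check accepted the password. Fails closed.
    Public Function IsAllowed(ByVal userName As String, ByVal password As String) As Boolean
        If String.IsNullOrEmpty(userName) OrElse String.IsNullOrEmpty(password) Then Return False
        If Not _isRegistered(userName) Then Return False
        Try
            Return _validator.Validate(userName, password)
        Catch ex As Exception
            Return False ' an API error is never treated as a successful login
        End Try
    End Function

    ' Issues the forms-authentication cookie only after IsAllowed succeeds.
    ' Must run inside an ASP.NET request (SetAuthCookie writes to the response).
    Public Function TrySignIn(ByVal userName As String, ByVal password As String) As Boolean
        If Not IsAllowed(userName, password) Then Return False
        FormsAuthentication.SetAuthCookie(userName, False) ' False = session cookie
        Return True
    End Function
End Class
```

The click handler would call `TrySignIn` with the posted user id and password and redirect to `FormsAuthentication.DefaultUrl` only when it returns `True`; because the password is passed as a parameter, it does not need to be kept in `Session`.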