The solution that goes along with this post is available at https://github.com/StephenFriend/AuthWithWIFAndSAM and it will probably be easier to look at the code as you read this. In the walkthrough below, I've used Visual Studio 2012 and there are different tagged commits, so that it's easy to see the changes that are made as we move from Forms Authentication to using the Session Authentication Module.
First, I'll set up an extremely simple solution using forms auth. If you've cloned from github, simply type git checkout -f formsAuth
The first step is to create a new MVC4 app (imaginatively called 'DemoSite' in the code), using the 'Internet Application' Project template. Next we want to amend the Web.config file at the root of the MVC site.
In the controllers folder create a Home controller using the 'Empty MVC Controller' template from the drop-down in the scaffolding options section of the dialogue. The code for the Home Controller should look like this:
[Authorize]
public class HomeController : Controller
{
[AllowAnonymous]
public ActionResult Index()
{
return View();
}
public ActionResult MyStuff()
{
return View();
}
}
Note the use of the 'Authorize' attribute on the whole class and the 'AllowAnonymous' attribute on the 'Index()' method. This should mean that anyone is able to access the Index view, but only users that are authorized can access the MyStuff view.
Next up let's create an Account controller. The code for this will look like this initially:
public ActionResult Login()
{
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginInput model)
{
if (ModelState.IsValid && LoginDetailsAreValid(model))
{
FormsAuthentication.SetAuthCookie(model.Email, false);
return RedirectToAction("MyStuff", "Home");
}
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
// In the real world this would be likely be a call to the database to get the user details, with a validation
// that the user exists and that their password is correct. See WebMatrix.WebData.SimpleMembershipProvider.ValidateUser()
// for an example (download the ASP.Net web stack here: http://aspnetwebstack.codeplex.com/)
private bool LoginDetailsAreValid(LoginInput loginDetails)
{
return (string.Compare(loginDetails.Email, "you@example.com",
StringComparison.InvariantCultureIgnoreCase) == 0 &&
string.Compare(loginDetails.Password, "password", StringComparison.Ordinal) == 0);
}
In order for this to compile you'll also need to create a LoginInput class (in the Models folder), which is a simple View Model that we'll use to create the login view and user input. It should look like this:
public class LoginInput
{
[Required]
public string Email { get; set; }
[Required]
[DataType(DataType.Password)]
public string Password { get; set; }
}
The end point of this first stage is to create the views that go with the various controller actions. Home/Index looks like this:
@{
ViewBag.Title = "Index";
}
Welcome to the demo
@Html.ActionLink("Login", "Login", "Account")
@Html.ActionLink("My Stuff", "MyStuff", "Home")
Account/Login looks like this:
@model DemoSite.Models.LoginInput
@{
ViewBag.Title = "Login";
}
Login
@if (User.Identity.IsAuthenticated)
{
You are already logged in as @User.Identity.Name
}
else
{
using (Html.BeginForm())
{
@Html.ValidationSummary()
}
}
and Home/MyStuff looks like this:
@{
ViewBag.Title = "MyStuff";
}
Congratulations, you're authenticated
If you start up the website now, you should be able to log in (as you@example.com, password = 'password') and if you check your cookies, you will see that a cookie called .ASPXAUTH has been created. If you try to access Home/MyStuff without logging in you will be automatically redirected back to Account/Login
Now, we're going to stop using Forms Authentication, initially not replacing it with anything. (Use git checkout -f noAuth to see the code in the repo).
To start, go to the web.config file and change the authentication node from:
to:
This means that the FormsAuthenticationProvider module will no longer be loaded at application start-up. Once you've done this, you'll see that if you log on you'll be presented with a 401 error when you are redirected to 'MyStuff'. If, however, you check your cookies, you'll see that the call to FormsAuthentication.SetAuthCookie in the AccountController has set a cookie, but there is no provider specified so the 401 error is displayed on actions that have an 'Authorize' attribute.
In order to use the SAM module you will need to alter your web.config so that includes the following elements in the <config sections> element:
The first of these is to "configure a service or application to use Windows Identity Foundation" [1], the second names the configuration section for federation configuration, which you'll need to add to the config file:
The default configuration requires SSL, so you will need this section if you don't want to sort out setting up SSL for this example.
Under <system.webServer><modules> you will need to add the following so that the SessionAuthenticationModule is added to the ASP.Net pipeline.:
In order to have access to the classes you have just configured, you will also need to add references to System.IdentityModel and System.IdentityModel.Services to your project.
Finally, you need to alter the Account controller to look like this:
public class AccountController : Controller
{
public ActionResult Login()
{
return View();
}
[HttpPost]
public ActionResult Login(LoginInput model)
{
if (ModelState.IsValid && LoginDetailsAreValid(model))
{
WriteAuthCookie(model.Email);
return RedirectToAction("MyStuff", "Home");
}
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
// In the real world this would be most likely be a call to a database to get the user details, with validation
// that the user exists and that their password is correct. See WebMatrix.WebData.SimpleMembershipProvider.ValidateUser()
// for an example (download the ASP.Net web stack here: http://aspnetwebstack.codeplex.com/)
private bool LoginDetailsAreValid(LoginInput loginDetails)
{
return (string.Compare(loginDetails.Email, "you@example.com",
StringComparison.InvariantCultureIgnoreCase) == 0 &&
string.Compare(loginDetails.Password, "password", StringComparison.Ordinal) == 0);
}
private void WriteAuthCookie(string userEmail)
{
var claims = new List();
claims.Insert(0, new Claim(ClaimTypes.Name, userEmail));
var claimsId = new ClaimsIdentity(claims, "Password");
var cp = new ClaimsPrincipal(claimsId);
var sam = FederatedAuthentication.SessionAuthenticationModule;
var token = new SessionSecurityToken(cp);
sam.WriteSessionTokenToCookie(token);
}
}
As you can see the new WriteAuthCookie method deals with persisting the authentication details to a cookie. In it we create a new Name claim (the only claim we use in this example), that is then used to create a ClaimsIdentity, which in turn is used to create a new ClaimsPrinciple that is then persisted to a cookie.
Once you have logged in, if you check your cookies, you should see that you have a new 'FedAuth' cookie, which is what the SAM module uses. If you then go back to Account/Login you should see that the claim of 'Name' is used for the User.Identity.Name property that is displayed on that page if you're logged in.
[1] http://msdn.microsoft.com/en-us/library/hh568638.aspx - MSDN WIF Configuration Schema
Thanks
ReplyDeleteGreat article but I am getting system.null exception error in the code sam.WriteSessionTokenToCookie(token);. pl help.
ReplyDelete