I quite like the Microsoft Membership Framework for handling membership roles, authentication, and security resources in ASP.NET applications. It’s easy to create the initial user login and management framework for a new application, then swap in a more sophisticated Provider as needed.
For my current project, we have a new requirement to allow logins against multiple user stores. The existing application validates against an Active Directory store. But for a subset of users, we need to check whether they are in a SQL Server database and allow them to log in while they wait for their Active Directory setup to complete. This SQL Server database also contains a secondary set of roles that will be relevant for any user that is in the SQL Server user store, regardless of whether they were validated via AD or the SQL Server.
The first step I took was to figure out the easiest way to have two separate providers to validate the user. You can configure as many membership providers as you want in the web.config for your application, but you choose a default provider as part of the setup. If you use the standard Login control, it will only check against that default provider.
To change that behavior, I handled the Login.Authenticate event for my Login control, which replaces the control's built-in check against the default provider. The method looks a little like this:

    // Code-behind for the login page. Needs these usings at the top of the file:
    // System.Collections.Generic, System.Web.Security, System.Web.UI.WebControls
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        bool foundUser = false;
        List<string> roles = new List<string>();
        roles.Add("GeneralUser");

        // this will call the default MembershipProvider
        if (Membership.Provider.ValidateUser(LoginBox.UserName, LoginBox.Password))
        {
            foundUser = true;
            // do any additional lookups for this type of user (Default MembershipProvider) here
        }
        // otherwise, explicitly call secondary provider
        else if (Membership.Providers["SecondarySqlMembershipProvider"].ValidateUser(LoginBox.UserName, LoginBox.Password))
        {
            foundUser = true;
            roles.Add("SecondaryUser");
            // do any additional lookups relevant to this type of user
        }

        if (foundUser)
        {
            Session["UserId"] = LoginBox.UserName;
            Session["Groups"] = roles;
        }

        e.Authenticated = foundUser;
    }
I didn’t need to modify the Authentication Ticket or cookie, so I could rely on the Membership Framework to handle the rest. If I need to add additional information, I can do it in the commented spots to correctly handle the type of user I care about.
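A stricter variant of the fallback above, as an added example that is not the original post's code: it only moves on to the secondary provider when the user name is unknown to the default one, so an account that already exists in Active Directory cannot be logged in with a different password held in the SQL store. The class and method names are hypothetical, and it assumes the "SecondarySqlMembershipProvider" name from the post is registered in web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added example (hypothetical helper, not part of the post). Tries each
// membership provider in a fixed order and reports which one accepted the
// login, so the caller can assign roles based on the returned provider name.
public static class MultiProviderLogin
{
    // Assumption: this provider name is registered in web.config, as in the post.
    private static readonly string[] FallbackProviders = { "SecondarySqlMembershipProvider" };

    // Returns the name of the provider that validated the credentials, or null.
    public static string Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;

        foreach (MembershipProvider provider in ProvidersInOrder())
        {
            if (provider.ValidateUser(userName, password))
                return provider.Name;

            // If this store knows the account, a failed password is final:
            // do not let a different password in a later store log the user in.
            if (provider.GetUser(userName, false) != null)
                return null;
        }
        return null;
    }

    private static IEnumerable<MembershipProvider> ProvidersInOrder()
    {
        yield return Membership.Provider; // the default provider from web.config

        foreach (string name in FallbackProviders)
        {
            MembershipProvider provider = Membership.Providers[name];
            if (provider == null) // fail loudly on a misconfigured provider name
                throw new InvalidOperationException("Membership provider not configured: " + name);
            yield return provider;
        }
    }
}
```

In the Authenticate handler, `e.Authenticated` would be set from whether `MultiProviderLogin.Validate(LoginBox.UserName, LoginBox.Password)` returns a non-null name, and the returned name decides whether "SecondaryUser" is added to the roles.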
May 3rd, 2008 at 3:10 pm
[...] post that had the relevant code for checking the username and password against the second provider: http://www.stevideter.com/2008/03/20/using-two-membership-providers-for-aspnet-logins/. The code behind for the login page was in C# so I thought I would provide the bare bones [...]
July 17th, 2008 at 12:08 am
[...] Recently I wanted to give someone access to one of my teaching web sites. They were not a student or faculty member so they didn’t have an account in our active directory. I am not a system administrator so I wasn’t able to add them to the active directory either. The solution was to add a second membership provider to my ASP.NET site. The first membership provider is based on active directory. The new, 2nd provider is a SQL provider. I found a great blog post that had the relevant code for checking the username and password against the second provider: http://www.stevideter.com/2008/03/20/using-two-membership-providers-for-aspnet-logins/. [...]
September 5th, 2008 at 12:42 pm
Very good implementation. I used it in my app. thanks.
September 5th, 2008 at 12:45 pm
xuhui,
Thanks for letting me know it was useful to you!