Authenticating Users Via A Third Party Web Service And Other Customisations.

Topics: ASP.NET 2.0, Business Logic Layer, Controls
Mar 10 at 2:58 PM
Good day, people,

I have a challenge with BlogEngine.NET

I have an entire database of users, far different from BlogEngine's DB.

I do have some other customizations I'd like to do, like:
  • Authenticating users via a web service rather than using the table from the BlogEngine DB.
  • Inserting the user name from the web service into the User table in the BlogEngine DB.
  • Assigning user roles to users from the web service, and allowing them to post.
I understand the login.aspx.cs has a method (LoginUser_OnAuthenticate()) that authenticates the user to see if the username and passwords match those in the data-store. What I don't understand is where is the Response.Redirect() method to direct the user to the landing page if the match is correct?

I'm sorry, I'm still new to C#. Just trying to wrap my head around this.

I don't know if anyone has worked on something like this and would like you to put me through.

Regards,
Mar 10 at 10:54 PM
Edited Mar 11 at 5:23 PM
Hi again!

I think you're looking at the compiled web site, not at the source code. When you browse the source code everything will start to make more sense. You'll also get a feel for how large the code base is.

The LoginUser_OnAuthenticate method in login.aspx.cs calls a method in BlogEngine.Core/Services/Security/Security.cs - the response redirect happens in that piece of code.

Here's a link to the code on GitHub. If you're interested in developing go to the GitHub site and put in a pull request!

https://github.com/rxtur/BlogEngine.NET/blob/master/BlogEngine/BlogEngine.Core/Services/Security/Security.cs

All the best,
Simon
Mar 12 at 8:37 AM
Hi Simon,

Thanks for the reply. I have downloaded the code base, and it is truly large!

The LoginUser_OnAuthenticate method in login.aspx.cs calls the AuthenticateUser method in Security.cs. From the code snippet:
        public static bool AuthenticateUser(string username, string password, bool rememberMe)
        {
            string un = (username ?? string.Empty).Trim();
            string pw = (password ?? string.Empty).Trim();

            if (!string.IsNullOrWhiteSpace(un) && !string.IsNullOrWhiteSpace(pw))
            {
                bool isValidated = Membership.ValidateUser(un, pw);

                if (isValidated)
                {
                    if (BlogConfig.SingleSignOn)
                    {
                        FormsAuthentication.SetAuthCookie(un, rememberMe);
                        return true;
                    }

                    HttpContext context = HttpContext.Current;
                    DateTime expirationDate = DateTime.Now.Add(FormsAuthentication.Timeout);

                    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                        1,
                        un,
                        DateTime.Now,
                        expirationDate,
                        rememberMe,
                        $"{SecurityValidationKey}{AUTH_TKT_USERDATA_DELIMITER}{Blog.CurrentInstance.Id}",
                        FormsAuthentication.FormsCookiePath
                    );

                    string encryptedTicket = FormsAuthentication.Encrypt(ticket);

                    // setting a custom cookie name based on the current blog instance.
                    // if !rememberMe, set expires to DateTime.MinValue which makes the
                    // cookie a browser-session cookie expiring when the browser is closed.
                    HttpCookie cookie = new HttpCookie(FormsAuthCookieName, encryptedTicket);
                    cookie.Expires = rememberMe ? expirationDate : DateTime.MinValue;
                    cookie.HttpOnly = true;
                    context.Response.Cookies.Set(cookie);

                    string returnUrl = context.Request.QueryString["returnUrl"];

                    // ignore Return URLs not beginning with a forward slash, such as remote sites.
                    if (string.IsNullOrWhiteSpace(returnUrl) || !returnUrl.StartsWith("/"))
                        returnUrl = null;

                    if (!string.IsNullOrWhiteSpace(returnUrl))
                    {
                        context.Response.Redirect(returnUrl);
                    }
                    else
                    {
                        context.Response.Redirect(Utils.RelativeWebRoot);
                    }

                    return true;
                }
            }

            return false;
        }
Where is the page being re-directed to here:
    if (!string.IsNullOrWhiteSpace(returnUrl))
    {
        context.Response.Redirect(returnUrl);
    }
    else
    {
        context.Response.Redirect(Utils.RelativeWebRoot);
    }

Any help on this?
Mar 12 at 6:08 PM
The re-direct is to the address that's defined in a query string attached to the url. The string returnURL is defined a few lines above the IF statement.

string returnUrl = context.Request.QueryString["returnUrl"];

If you log in, it looks something like this: https://yourwebsite.com/blog/Account/login.aspx?ReturnURL=/blog/admin/

If you delete the returnURL from the querystring you'll find that the ELSE statement redirects you back to the blog main page (with your logged in role privileges).

Simon
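
Added example (not part of the thread and not BlogEngine.NET code): the redirect discussed above takes its target from the `returnUrl` query-string value, and a leading-slash test alone also accepts `//host` and `/\host`, which browsers resolve to another host. A stricter local-path check in C#, with `ReturnUrlGuard`, `IsLocalPath` and `ResolveTarget` as hypothetical names and all sample values constructed:

```csharp
using System;

// Added example, not BlogEngine.NET code. All names here are hypothetical.
public static class ReturnUrlGuard
{
    // True only for a site-relative path: exactly one leading '/', not followed
    // by '/' or '\', and free of control characters.
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrWhiteSpace(url) || url[0] != '/')
            return false;

        // "//host" and "/\host" are resolved by browsers as another host.
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\'))
            return false;

        foreach (char c in url)
        {
            if (char.IsControl(c))
                return false;
        }
        return true;
    }

    // Picks the redirect target: the returnUrl when it is an acceptable local
    // path, otherwise the fallback (Utils.RelativeWebRoot in the code above).
    public static string ResolveTarget(string returnUrl, string fallback)
    {
        return IsLocalPath(returnUrl) ? returnUrl : fallback;
    }

    public static void Main()
    {
        // Constructed sample values for the returnUrl query-string parameter.
        string[] samples =
        {
            "/blog/admin/", null, "https://example.com/",
            "//example.com/", "/\\example.com/", "/blog/\r\nX-Test: 1"
        };

        foreach (string s in samples)
        {
            string shown = (s ?? "(none)").Replace("\r\n", "\\r\\n");
            Console.WriteLine("{0,-24} -> {1}", shown, ResolveTarget(s, "/blog/"));
        }
    }
}
```

In the login code, `ResolveTarget(context.Request.QueryString["returnUrl"], Utils.RelativeWebRoot)` would replace the two-branch redirect with a single `Response.Redirect` call.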
Sun at 10:58 AM
Hi Simon,

I successfully found a way of authenticating users via a web service and then assigning user roles to those I authenticate. :)
Mon at 3:08 PM
That's great! Would you be willing to share it on the GitHub page (where the development support resides) so that others can see and learn from what you've done?
https://github.com/rxtur/BlogEngine.NET/issues

Simon