Skip to end of metadata
Go to start of metadata
Table of Contents

ASP.NET has two authentication models. The default uses your existing Windows logon and IE to identify you to the Web Server without any interaction (although this also applies to Basic Authentication where the Browser pops up a dialog box). The other approach is called Forms Authentication. Microsoft expects an application using this technique to code a page that presents a Form with a textbox for Userid and Password. The form then validates the two fields and passes the authenticate userid back to the .Net Framework. In this code an ASP.NET page is created that claims to be the Forms Authentication page, but instead of asking the user directly for Userid and Password it redirects to CAS, validates the ticket, and then passes the Userid back to the .NET Framework.

Objectively, .Net doesn't care what method is used to authenticate the user. So this code is no better than other .NET authentication technologies, and in some cases you might prefer some sort of filter that can also make decisions. This code is provided as an example because it is the closest match in spirit and design between the CAS service and any specific ASP.NET authentication model. It also uses the best documented and most "application developer" oriented programming interface.

.NET runs in an environment called the CLR just as JSP runs in a JVM. It is configured by a Web.Config file in the directory just as Servlets are configured by web.xml. One configuration option in both Web.Config and web.xml is how the pages and applications in the directory are secured. One of the ASP.NET options is to use "Forms Authentication", where access to a set of pages requires authentication through a login page. Typically a Web.Config is generated automatically by Visual Studio. Change the existing authentication to:

This tells ASP.NET to require authentication for all access to the directory and to internally reroute every unauthenticated user to the login.aspx page. You can read the Microsoft documentation if you want a more limited scope of protection.

Now in Visual Studio create a login.aspx page with CS as the language. I suggest dragging a Label object to it from the Toolbox, which will become Label1 and will be used for an error message if something goes wrong. There is nothing more on the "login web page". The rest is done with code.

In the generated login.aspx.cs file, add System.IO, System.Net, System.Web, and System.Xml to the list of using statements (imports for you Java folk). The rest is to code a Page_Load event handler. You can probably improve on:

Now in any page in the application, the netid is accessible as Context.User.Identity.Name.

For an alternative code sample that also implements a Role Provider see ASP.NET Forms Authentication with Role Provider.

Another alternative code sample based on this tutorial that supports Single Sign Out with sample app is available here.

  • No labels