
Security models in ASP.NET. Authentication.
Author: Sergei Baklanov aspnetman@aspnetmania.com

Windows Authentication
Forms Authentication
Forms Authentication using XML file
Forms Authentication using web.config file
Forms Authentication using database
Forms Authentication with Web services
Passport Authentication

Passport Authentication

Passport is a centralized authentication service created by Microsoft that can be used at any participating web site. An important advantage of this technology is that the user does not need to remember separate login data for each site, as is usually the case when you hold an ordinary account on each web site. Passport solves this problem by using a common user database, which is why at web sites supporting .NET Passport you always enter the same login data: your e-mail address and password.

Passport authentication uses standard web technologies for convenience and confidentiality:
- SSL protected protocol
- cookie-files
- JavaScript 1.2
- 3DES encryption

To use the full power of Passport you need to do the following:
1. Download the .NET Passport SDK at: http://msdn.microsoft.com/library/default.asp?url=/downloads/list/websrvpass.asp
2. Register your site with the .NET Passport service: http://go.microsoft.com/fwlink/?LinkID=9732.
If you do not register, your possibilities will be extremely limited and you will not get the expected results; for example, to log out you will have to close all browser windows and then delete all cookie files containing Passport data.

As with the other authentication types, you first need to configure your project's web.config file. The following listing shows the basic content of the authentication section of the config file:

<authentication mode="Passport"> 
	<passport redirectUrl="login.aspx" />
</authentication>

In this code we set the authentication mode to Passport and then set the single parameter that configures Passport authentication, the address of the page to which the user is redirected when authentication is needed: <passport redirectUrl="login.aspx" />

One more feature unites all authentication modes: the IIdentity interface, which all the user data classes for the different authentication modes implement. Passport authentication is no exception; in the .NET Framework the System.Web.Security.PassportIdentity object is the tool that implements all the basic properties.

The usual link to the login page is a special logo that is downloaded from the Internet. Since you will use this logo quite often, it is better to create a separate control that implements the authentication component. To do so, take the following steps:
1. Create new ASP.NET Web Application project using VS.NET.
2. Add Web User Control to this project and name it passport.ascx
3. Replace its source code with the following:

passport.ascx.vb:
Imports System.Web.Security

Public Class passport
    Inherits System.Web.UI.UserControl

#Region " Web Form Designer Generated Code "

    'This call is required by the Web Form Designer.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()

    End Sub

    'NOTE: The following placeholder declaration is required by the Web Form Designer.
    'Do not delete or move it.
    Private designerPlaceholderDeclaration As System.Object

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
        'CODEGEN: This method call is required by the Web Form Designer
        'Do not modify it using the code editor.
        InitializeComponent()
    End Sub

#End Region

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim id As PassportIdentity

        ' Get current user data
        id = CType(context.User.Identity, PassportIdentity)
        ' Display login button
        Response.Write(id.LogoTag())
    End Sub
End Class

Then rename your web project's page to login.aspx and enter the following page markup:
login.aspx:

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="login.aspx.vb" Inherits="PassAuth.WebForm1"%>
<%@ Register TagName="passport" TagPrefix="ctl" src="passport.ascx"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
	<head>
		<title>LogIn</title>
		<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
		<meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
		<meta name="vs_defaultClientScript" content="JavaScript">
		<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
	</head>
	<body MS_POSITIONING="GridLayout">
		<form id="Form1" method="post" runat="server">
			<ctl:passport id="pas" runat=server></ctl:passport>
		</form>
	</body>
</html>

The PassportIdentity object provides all the basic user authentication operations, or, to be precise, the Microsoft Passport service does, which the .NET Framework contacts with the help of the PassportIdentity object. Thanks to this, all you have to do is reap the fruits; to learn what you can and should reap, turn to table 1, which describes all the possible attributes of a registered user.

Attribute Name    Description
Accessibility     Defines whether accessibility features should be enabled for this user at all Microsoft Passport-enabled sites.
BDay_precision    Defines the precision of the Birthdate attribute.
Birthdate         Contains the user's birth day, month, and year or birthdate, depending on BDay_precision attribute value.
City              Contains user location in the form of GeoID.
Country           Is the ISO 3166 country code for the user's country/region.
Directory         Not implemented. Reserved for future use.
Firstname         Indicates the first name of the user.
Flags             Stores system-supplied flags that indicate characteristics and options about the user's profile.
Gender            Specifies the gender of the user.
Lang_Preference   Stores the locale ID (LCID) value for the preferred language of the user.
Lastname          Specifies the last name of the user.
MemberIDHigh      Refers to the upper portion of the 64-bit .NET Passport Unique ID (PUID) primary key that uniquely identifies a .NET Passport user.
MemberIDLow       Refers to the lower portion of the 64-bit PUID primary key that uniquely identifies a .NET Passport user.
MemberName        Contains a username portion and a domain name portion separated by "@".
Nickname          Contains the user's Firstname attribute.
Occupation        Specifies the occupation of the user with a one-byte ASCII character.
PostalCode        Stores the postal code for the United States and other countries/regions, where appropriate.
PreferredEmail    Returns the user's e-mail address established at registration time or when the profile is updated.
ProfileVersion    Represents the version of the user's core profile.
Region            Indicates the user's country/region in the form of a GeoID.
TimeZone          Indicates the user's time zone.
Wallet            Indicates whether the user has established an online wallet for his Passport or not.

There are two ways to get these attributes: the PassportIdentity.GetProfileObject method and the PassportIdentity.Item property. The following C# listing demonstrates both:
default.aspx.cs:

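using System.Web.Security;
// ...
private void Page_Load(object sender, System.EventArgs e)
{
	PassportIdentity id;
	id = (PassportIdentity)User.Identity;

	// Profile values are user-supplied data: HTML-encode them before output.
	// Way 1: the Item property (the C# indexer)
	Response.Write(Server.HtmlEncode(id["Firstname"]) + "<br>");
	// Way 2: the GetProfileObject method, which returns an Object
	Response.Write(Server.HtmlEncode(System.Convert.ToString(id.GetProfileObject("Lastname"))) + "<br>");
}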

Now let's return to our project with the passport.ascx control and finish the login page. Change the login.aspx and login.aspx.vb files as follows:
login.aspx:

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="login.aspx.vb" Inherits="PassAuth.WebForm1"%>
<%@ Register TagName="passport" TagPrefix="ctl" src="passport.ascx"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
	<head>
		<title>LogIn</title>
		<meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
		<meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
		<meta name="vs_defaultClientScript" content="JavaScript">
		<meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
	</head>
	<body MS_POSITIONING="GridLayout">
		<form id="Form1" method="post" runat="server">
			<p><asp:Label ID="lblLogin" Runat=server>Please login...</asp:Label>
				<ctl:passport id="pas" runat=server/></p>
			
			<asp:Label ID="lbl" Runat=server Visible=False>
				<table border>
					<tr>
						<th>PUID:</th>
						<td><asp:Label ID="lblPUID" Runat=server/></td>
					</tr>
					<tr>
						<th>Firstname:</th>
						<td><asp:Label ID="lblFName" Runat=server/></td>
					</tr>
					<tr>
						<th>Lastname:</th>
						<td><asp:Label ID="lblLName" Runat=server/></td>
					</tr>
					<tr>
						<th>E-mail:</th>
						<td><asp:Label ID="lblEmail" Runat=server/></td>
					</tr>
				</table>
			</asp:Label>
		</form>
	</body>
</html>
login.aspx.vb:
Imports System.Web.Security

Public Class WebForm1
    Inherits System.Web.UI.Page

    Protected WithEvents lbl As System.Web.UI.WebControls.Label
    Protected WithEvents lblLogin As System.Web.UI.WebControls.Label
    Protected WithEvents lblPUID As System.Web.UI.WebControls.Label
    Protected WithEvents lblFName As System.Web.UI.WebControls.Label
    Protected WithEvents lblLName As System.Web.UI.WebControls.Label
    Protected WithEvents lblEmail As System.Web.UI.WebControls.Label

#Region " Web Form Designer Generated Code "

    'This call is required by the Web Form Designer.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()

    End Sub

    'NOTE: The following placeholder declaration is required by the Web Form Designer.
    'Do not delete or move it.
    Private designerPlaceholderDeclaration As System.Object

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Init
        'CODEGEN: This method call is required by the Web Form Designer
        'Do not modify it using the code editor.
        InitializeComponent()
    End Sub

#End Region

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        If User.Identity.IsAuthenticated Then
            ' If user is registered,
            ' create PassportIdentity object and 
            ' display user information
            Dim id As PassportIdentity = CType(User.Identity, PassportIdentity)

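            lbl.Visible = True
            ' Label.Text is rendered as raw HTML, so encode the profile values
            lblPUID.Text = Server.HtmlEncode(User.Identity.Name)
            lblFName.Text = Server.HtmlEncode(id("Firstname"))
            lblLName.Text = Server.HtmlEncode(id("Lastname"))
            lblEmail.Text = Server.HtmlEncode(id("PreferredEmail"))

            ' Do not display the login message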
            lblLogin.Visible = False
        Else
            ' If no, suggest registration 
            '  and hide table
            lblLogin.Visible = True
            lbl.Visible = False
        End If
    End Sub
End Class

Note that in the previous example one of the table fields was the PUID field, which we populated with the User.Identity.Name property value. This property stores the Passport User ID, the unique identifier of the user; if you need to retrieve data for a particular user, use this property to find and identify him, and not, say, the MemberName attribute of the core profile. Although the Name property belongs to User.Identity and not to the PassportIdentity object, it nevertheless contains the PUID we need, because the User.Identity object holds the information of the currently signed-in user, and so the value of its Name property is defined by the authentication type.
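
The following console program is an added example, not part of the original article or of the Passport SDK. It shows why local user data should be keyed by PUID rather than by MemberName. It assumes that a MemberName can later be used by a different account; the stores, the 16-hex-digit key format and all sample values are constructed for illustration.

```vbnet
Imports System
Imports System.Collections

Module PuidKeyDemo
    ' Hypothetical local stores mapping an identity key to an application role.
    Private ReadOnly rolesByName As New Hashtable()   ' weak: keyed by MemberName
    Private ReadOnly rolesByPuid As New Hashtable()   ' keyed by PUID

    ' Join the 32-bit MemberIDHigh and MemberIDLow halves into one 64-bit key,
    ' written as 16 hex digits (the string format is this example's choice).
    Function ToPuidKey(ByVal high As Integer, ByVal low As Integer) As String
        Return high.ToString("X8") & low.ToString("X8")
    End Function

    ' Return the stored role for a key, or "none" when the key is unknown.
    Function Lookup(ByVal store As Hashtable, ByVal key As String) As String
        If store.ContainsKey(key) Then Return CStr(store(key))
        Return "none"
    End Function

    Sub Main()
        ' Constructed sample users, not real Passport data.
        Dim firstPuid As String = ToPuidKey(&H3, &H1A2B3C4D)
        Dim secondPuid As String = ToPuidKey(&H3, &H5E6F7081)
        Dim sharedName As String = "alice@example.com"

        ' The first user is granted a role; both stores record it.
        rolesByName(sharedName) = "admin"
        rolesByPuid(firstPuid) = "admin"

        ' Later a different account signs in under the same MemberName.
        ' The name-keyed store hands it the first user's role;
        ' the PUID-keyed store does not know this account.
        Console.WriteLine("By MemberName: " & Lookup(rolesByName, sharedName))
        Console.WriteLine("By PUID:       " & Lookup(rolesByPuid, secondPuid))

        ' The original user is still found by PUID, whatever name is in use.
        Console.WriteLine("Original user: " & Lookup(rolesByPuid, firstPuid))
    End Sub
End Module
```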

This concludes our review of authentication methods in the ASP.NET environment. The vast resources of the Internet and the MSDN library will support you as you explore new technologies. In the next part of the article we will look at the world of information security from another side: authorization.


  © 1999 - 2005 XLineSoft. All rights reserved. All comments send to webmaster@xlinesoft.com