Implementing the XmlAuthenticate Subroutine
The XmlAuthenticate subroutine is used to identify the user requesting a page. This subroutine is also used to retrieve the list of roles associated with the user. For example, a user might be an administrator, guest, and/or supervisor.
The code for the XmlAuthenticate subroutine is contained in Listing 2.
Listing 2 XmlAuthenticate Subroutine
' Requires Imports System.Web and System.Security.Principal at the top of the module file.
Private Sub XmlAuthenticate( s As Object, e As EventArgs )
    Dim application As HttpApplication
    Dim strUserID As String
    Dim objIdentity As GenericIdentity
    Dim objPrincipal As GenericPrincipal
    Dim arrRoles As String()

    application = CType( s, HttpApplication )

    ' Read the caller-supplied user ID from the form, query string, or cookies
    strUserID = application.Request.Params( "XmlUserID" )
    If strUserID = Nothing Then
        strUserID = "anonymous"
    End If
    strUserID = strUserID.ToLower()

    ' Build the identity and attach the user's roles to the current request
    objIdentity = New GenericIdentity( strUserID, "XML" )
    arrRoles = GetRoles( strUserID, application )
    objPrincipal = New GenericPrincipal( objIdentity, arrRoles )
    application.Context.User = objPrincipal
End Sub
The XmlAuthenticate subroutine retrieves the UserID of the current user from the Params collection of the Request object. The Params collection includes form, query string, and cookie parameters. For example, passing the following UserID query string to the SomePage.aspx page would identify you as user Bob:
http://localhost/SomePage.aspx?userID=Bob
After the user has been identified, a list of the roles associated with the user is retrieved from an XML file. The roles are retrieved by calling a function named GetRoles(). The GetRoles() function is contained in Listing 3.
Listing 3 GetRoles() Function
' Requires Imports System.Data, System.Collections, System.Web and System.Web.Caching.
Function GetRoles( strUserID As String, application as HttpApplication ) As String()
    Dim dstUsers As DataSet
    Dim drowRoleList As DataRow()
    Dim drowRole As DataRow
    Dim colRoles As ArrayList
    Dim strFilePath As String

    ' Load XmlRoles.xml once and cache it until the file changes
    dstUsers = application.Context.Cache( "XmlRoles" )
    If dstUsers Is Nothing Then
        dstUsers = New DataSet
        strFilePath = application.Server.MapPath( application.Request.ApplicationPath & "/XmlRoles.xml" )
        dstUsers.ReadXml( strFilePath )
        application.Context.Cache.Insert( "XmlRoles", dstUsers, New CacheDependency( strFilePath ) )
    End If

    ' Double any single quotes so the request-supplied ID cannot alter the filter expression
    drowRoleList = dstUsers.Tables( 0 ).Select( "userID='" & strUserID.Replace( "'", "''" ) & "'" )

    colRoles = New ArrayList
    For each drowRole in drowRoleList
        colRoles.Add( drowRole( "role" ).ToString() )
    Next
    Return colRoles.ToArray( GetType( String ) )
End Function
The GetRoles() function retrieves the list of roles from an XML file named XmlRoles.xml. (The contents of the XmlRoles.xml file are cached for better performance.) This file is automatically retrieved from the root directory of the current application. The XmlRoles.xml file is contained in Listing 4.
Listing 4 XmlRoles.xml File
<roles>
    <user userID="doug" role="administrators" />
    <user userID="doug" role="guests" />
    <user userID="bob" role="guests" />
</roles>
The file in Listing 4 assigns the user named doug to the administrators and guests roles. The user named bob, on the other hand, is included only in the guests role.
Notice that we are not making any attempt to verify the user with a password. If bob wants to pretend to be doug, there is nothing stopping him. In real applications, you would also want to retrieve a password from a user to prevent one user from pretending to be another.
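One way to add the password check described above, shown as an added example that is not part of the original article or its module. It assumes a hypothetical users file in which each user element carries base64 salt and hash attributes; the names VerifyPassword, HashPassword, FixedTimeEquals, salt, and hash are assumptions, and the sample data is constructed.

```vb
' Added example (not from the article); attribute and function names are assumptions.
Imports System
Imports System.Data
Imports System.IO
Imports System.Security.Cryptography

Module XmlPasswordCheck
    Const Iterations As Integer = 100000
    ' PBKDF2-HMAC-SHA256; this constructor needs .NET Framework 4.7.2 or later.
    Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(32)
        End Using
    End Function

    ' Compare every byte so timing does not reveal where the hashes differ.
    Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        Dim diff As Integer = a.Length Xor b.Length
        For i As Integer = 0 To Math.Min(a.Length, b.Length) - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Function VerifyPassword(users As DataTable, userID As String, password As String) As Boolean
        If userID Is Nothing OrElse password Is Nothing Then Return False
        ' Double single quotes so the ID cannot alter the filter expression.
        Dim filter As String = "userID='" & userID.ToLower().Replace("'", "''") & "'"
        Dim rows As DataRow() = users.Select(filter)
        If rows.Length <> 1 Then Return False
        Dim salt As Byte() = Convert.FromBase64String(rows(0)("salt").ToString())
        Dim expected As Byte() = Convert.FromBase64String(rows(0)("hash").ToString())
        Return FixedTimeEquals(HashPassword(password, salt), expected)
    End Function

    Sub Main()
        ' Constructed sample data: enroll "doug" with a random 16-byte salt.
        Dim salt(15) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Dim hash As String = Convert.ToBase64String(HashPassword("correct horse", salt))
        Dim ds As New DataSet()
        ds.ReadXml(New StringReader("<users><user userID=""doug"" salt=""" &
            Convert.ToBase64String(salt) & """ hash=""" & hash & """ /></users>"))
        Console.WriteLine(VerifyPassword(ds.Tables(0), "Doug", "correct horse"))
        Console.WriteLine(VerifyPassword(ds.Tables(0), "doug", "wrong"))
    End Sub
End Module
```

In the module, XmlAuthenticate would assign the claimed user ID to the principal only when such a check succeeds and fall back to "anonymous" otherwise.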