#5 - December 30th, 2007, 11:27 PM
Bob Bedell (Friend of Wrox; Join Date: Jun 2003; Location: USA; Posts: 1,093; Thanked 12 Times in 11 Posts)

Hi Imar,

Yup, I enjoyed the break too. Got the snot beat out of me by my 6 year old nephew for several days. Good to see the folks and bro. All is well.

Session["CSLA-Principal"] actually should be null until after the user authenticates. Here the null check is for a session variable that indexes the SessionStateItemCollection, not for the existence of the Session object itself. If session doesn’t exist, this line can’t be reached. ["CSLA-Principal"] indexes a CSLA.Security.BusinessPrincipal that is manually added to session after the user authenticates.

Here's the blow-by-blow:

Code:
protected void Application_AcquireRequestState(object sender, EventArgs e)
{
    if (HttpContext.Current.Session == null)
    {
        // Do nothing - the Session object is not instantiated yet
        // (for example, a request for a resource that has no session state).
    }
    else
    {
        // The Session object has been instantiated or the first null
        // check would have returned 'true'. Here I'm just indexing the
        // SessionStateItemCollection for a session-state variable.
        // Indexing the SessionStateItemCollection simply returns null if
        // the requested session variable doesn't exist. The "CSLA-Principal"
        // session variable won't exist (will be null) until after the user
        // has authenticated and a custom CSLA.Security.BusinessPrincipal
        // object has been manually added to session-state by a method of
        // the login form.
        if (Session["CSLA-Principal"] != null)
        {
            // The user has already authenticated; the CSLA.Security.BusinessPrincipal
            // object stored in session-state becomes the user's CurrentPrincipal.
            System.Threading.Thread.CurrentPrincipal = (System.Security.Principal.IPrincipal)Session["CSLA-Principal"];
            HttpContext.Current.User = System.Threading.Thread.CurrentPrincipal;
        }
        else
        {
            // Fires if the user logs out later in the session (or the session
            // expired while the forms-authentication ticket is still valid):
            // the ticket alone is not trusted without the session principal.
            if (System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated)
            {
                System.Web.Security.FormsAuthentication.SignOut();
                Server.Transfer("Login.aspx");
            }
            else
            {
                // Unauthenticated user is assigned a GenericPrincipal object until
                // they authenticate. The original post assigned Session["CSLA-Principal"]
                // here, which is null in this branch; a GenericIdentity with an empty
                // name is what keeps IsAuthenticated false for anonymous requests.
                System.Threading.Thread.CurrentPrincipal =
                    new System.Security.Principal.GenericPrincipal(
                        new System.Security.Principal.GenericIdentity(string.Empty),
                        new string[0]);
                HttpContext.Current.User = System.Threading.Thread.CurrentPrincipal;
            }
        }
    }
}


For completeness sake, here's the login button click event:
Code:
// Requires: using System.Threading; using System.Web; using System.Web.Security; using CSLA.Security;
protected void btnLogin_Click(object sender, System.EventArgs e)
{
    string userName = txtUsername.Text;
    string password = txtPassword.Text;

    // If logging in, clear the current session. (Session.Clear() removes
    // the stored items but keeps the same session ID.)
    Session.Clear();

    // Log into the system. BusinessPrincipal methods
    // query a security database, load an Identity object,
    // and set the thread's current principal to the
    // BusinessPrincipal, which now references either an
    // authenticated or unauthenticated Identity object,
    // based on the query results.
    BusinessPrincipal.Login(userName, password);

    // See if we logged in successfully.
    if (Thread.CurrentPrincipal.Identity.IsAuthenticated)
    {
        // The authenticated CSLA.Security.BusinessPrincipal
        // gets added to session-state as a session variable named
        // "CSLA-Principal".
        Session["CSLA-Principal"] = Thread.CurrentPrincipal;
        HttpContext.Current.User = Thread.CurrentPrincipal;

        // Redirect to the page the user requested. The second argument
        // (false) means the forms-authentication cookie is not persistent.
        FormsAuthentication.RedirectFromLoginPage(
            userName, false);
    }
    // On failure nothing is stored in session and the user stays on the login page.
}


Best,

Bob
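
An added example, not from Bob's post or from CSLA: a stand-alone C# console program that models the per-request decision in Application_AcquireRequestState using the real System.Security.Principal types. A Dictionary stands in for session state and the incoming principal's IsAuthenticated stands in for the forms-authentication ticket (both are assumptions so it runs offline, without ASP.NET). It also shows why the anonymous principal's GenericIdentity must be built with an empty name: GenericIdentity.IsAuthenticated is true for any non-empty name, so a "named" anonymous identity would be treated as a stale ticket and signed out on the next request.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Model of the per-request principal resolution done in Global.asax.
// session  : stands in for HttpSessionState (assumption: a plain Dictionary)
// incoming : stands in for the principal the forms-authentication module set
//            from the ticket before AcquireRequestState runs
static class PrincipalResolution
{
    public enum Outcome { Restored, SignedOut, Anonymous }

    public static Outcome Resolve(IDictionary<string, object> session, IPrincipal incoming)
    {
        object stored;
        if (session.TryGetValue("CSLA-Principal", out stored) && stored != null)
        {
            // Authenticated earlier in this session: restore the stored principal.
            Thread.CurrentPrincipal = (IPrincipal)stored;
            return Outcome.Restored;
        }

        if (incoming.Identity.IsAuthenticated)
        {
            // Ticket says authenticated but the session holds no principal
            // (logged out, or session expired while the ticket survived):
            // the ticket alone is not trusted; the real code calls SignOut here.
            Thread.CurrentPrincipal = Anonymous();
            return Outcome.SignedOut;
        }

        // Neither session principal nor ticket: anonymous request.
        Thread.CurrentPrincipal = Anonymous();
        return Outcome.Anonymous;
    }

    // An empty name is what makes GenericIdentity.IsAuthenticated return false.
    // new GenericIdentity("anonymous") would report IsAuthenticated == true and
    // send every anonymous request through the SignedOut branch above.
    public static IPrincipal Anonymous()
    {
        return new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    static void Main()
    {
        var session = new Dictionary<string, object>();

        // 1. Fresh visitor: no session principal, no ticket.
        Console.WriteLine(Resolve(session, Anonymous()));

        // 2. The login page stored the authenticated principal (constructed sample user).
        var bob = new GenericPrincipal(new GenericIdentity("bob"), new[] { "Users" });
        session["CSLA-Principal"] = bob;
        Console.WriteLine(Resolve(session, bob));
        Console.WriteLine(Thread.CurrentPrincipal.IsInRole("Users"));

        // 3. Session cleared (logout or timeout) while the request still carries
        //    an authenticated identity: the ticket alone is not enough.
        session.Clear();
        Console.WriteLine(Resolve(session, bob));
        Console.WriteLine(Thread.CurrentPrincipal.Identity.IsAuthenticated);

        // The gotcha: a GenericIdentity with any non-empty name counts as authenticated.
        Console.WriteLine(new GenericIdentity("anonymous").IsAuthenticated);
    }
}
```

Resolve keeps the same three outcomes as the Global.asax code (restore, sign out, anonymous), so the branch that assigns the anonymous principal can be checked in isolation from the ASP.NET pipeline.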