[Mono-list] how to do proper role based authentication in web apps

DI Mag. Rainer Burgstaller rainer.burgstaller@web.de
Fri, 04 Jun 2004 07:46:33 +0200


I have a question on how to properly do RBA in web applications. I am
currently using FormsAuthentication, but it only supports fixed users
stored in the web.config file, which is pretty inflexible (am I missing
something?). So what I currently do is to override
Thread.CurrentPrincipal and HttpContext.User with the user which is stored
in the cookie (which I also create by hand). I do that in the global.asax.

I checked a few open source projects (omniportal, Rainbow) on how they do
it, but it does not seem like they do it too well either (I don't mean to
insult anyone). I am coming from the Java side, and there JAAS offers a
quite elegant way of doing such a thing by using "plugin" authentication
providers. So I wondered if there is such a possibility, or if I could
somehow replace the FormsAuthenticationModule with something of my own which
then allows authentication against a db, for example.

Any suggestions?