Application Security, Part 21

Alright: at this point we have the foundation of our user authentication strategy set up. Let's see how our application actually authenticates its users. We'll begin at the entry point of the application, the static Main method of the primary form.

 

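/// <summary>
/// The main entry point for the application.
/// </summary>
/// <param name="asArguments">
/// Raw command-line arguments. They are parsed into a key/value <see cref="Hashtable"/>
/// using the prefix/suffix separators defined on <c>frmMain</c>; the keys read here are
/// the culture, the user name and the password.
/// </param>
/// <remarks>
/// Authenticates the user against the authentication Web Service before any UI is shown.
/// The first attempt uses the user name/password from the command line when both were
/// supplied, otherwise the process's default (OS logon) credentials. A failed attempt
/// surfaces as a <see cref="WebException"/> and prompts with <c>frmLogin</c> for alternative
/// credentials, as long as an attempt remains within the limit configured in the
/// authorization configuration section. On success the authenticated user becomes
/// <see cref="Thread.CurrentPrincipal"/> and the main form is run (re-run while <c>fRestart</c>
/// is set); on any start-up failure the process exits with a non-zero exit code and no UI.
/// </remarks>
[STAThread]
static void Main(string[] asArguments)
{
    Hashtable rArguments = null;
    try
    {
        rArguments = CUtility.rParseCommandLineArguments(asArguments, frmMain.c_sArgumentSeparator_Prefix, frmMain.c_sArgumentSeparator_Suffix);

        // Optional culture override from the command line.
        string sCulture = (string)rArguments[frmMain.c_sArgumentKey_Culture];
        if ((sCulture != null) && (sCulture != string.Empty))
        {
            try
            {
                System.Globalization.CultureInfo rCulture = new System.Globalization.CultureInfo(sCulture);
                System.Threading.Thread.CurrentThread.CurrentCulture = rCulture;
                System.Threading.Thread.CurrentThread.CurrentUICulture = rCulture;
            }
            catch (Exception)
            {
                // Best effort: an unknown or unsupported culture name leaves the
                // thread's default culture in place rather than aborting start-up.
            }
        }

        // NOTE: a password passed on the command line is visible to other processes
        // on the machine (process listing); the interactive prompt below is the
        // preferred way to supply credentials.
        string sUserName = (string)rArguments[frmMain.c_sArgumentKey_UserName];
        string sPassword = (string)rArguments[frmMain.c_sArgumentKey_Password];

        System.Collections.Hashtable rConfigurationSection = (System.Collections.Hashtable)System.Configuration.ConfigurationSettings.GetConfig(frmMain.c_sConfigurationSection_Authorization);
        if (rConfigurationSection == null)
        {
            // A missing section would otherwise only surface as a NullReferenceException below.
            throw new InvalidOperationException("The authorization configuration section is missing.");
        }

        // The value comes from a config file, not from the user, so parse it with the
        // invariant culture instead of the (possibly command-line-overridden) current one.
        byte byLimit_LoginAttempts = byte.Parse((string)rConfigurationSection[frmMain.c_sKey_Limit_LoginAttempt], System.Globalization.CultureInfo.InvariantCulture);

        // The service URL is taken from configuration; whatever credentials are chosen
        // below are sent to that endpoint, so the config file must be trusted.
        AuthenticationService.TaskVisionII_Authentication rAuthenticationService = new AuthenticationService.TaskVisionII_Authentication();
        rAuthenticationService.Url = (string)rConfigurationSection[frmMain.c_sKey_Location_Service];

        ICredentials rCredentials = null;
        AuthenticationService.CUser rUser = null;
        frmLogin rLogin = null;
        byte cAttempts = 0;
        try
        {
            while (cAttempts < byLimit_LoginAttempts)
            {
                cAttempts++;
                try
                {
                    if ((sUserName != null) && (sPassword != null))
                    {
                        rCredentials = new System.Net.NetworkCredential(sUserName, sPassword);
                    }
                    else
                    {
                        rCredentials = System.Net.CredentialCache.DefaultCredentials;
                    }
                    rAuthenticationService.Credentials = rCredentials;
                    rUser = rAuthenticationService.rAuthenticate();
                    break;
                }
                catch (WebException)
                {
                    // No attempt is left in which newly entered credentials could be
                    // used, so do not prompt for them only to discard them.
                    if (cAttempts >= byLimit_LoginAttempts)
                    {
                        break;
                    }

                    if (rLogin == null)
                    {
                        rLogin = new frmLogin();
                    }
                    rLogin.Show();
                    // Pump messages until the form is no longer visible (it is expected
                    // to hide itself when the user confirms or cancels — verify in frmLogin).
                    while (rLogin.Visible)
                    {
                        Application.DoEvents();
                    }
                    if (rLogin.DialogResult != DialogResult.OK)
                    {
                        break;
                    }
                    sUserName = rLogin.UserName;
                    sPassword = rLogin.Password;
                }
            }
        }
        finally
        {
            // The login form is reused across attempts; release it once the loop is done.
            if (rLogin != null)
            {
                rLogin.Dispose();
            }
        }

        if (rUser == null)
        {
            throw new InvalidOperationException("Authentication failed or was cancelled.");
        }

        Thread.CurrentPrincipal = new CUser(rUser.sName, rUser.sLanguage_Preferred, rUser.afPermissions, rCredentials, rUser.asRoles);
    }
    catch (Exception)
    {
        // No UI exists yet, so a start-up failure cannot be shown to the user; a
        // non-zero exit code lets a launcher or script at least detect it.
        Environment.ExitCode = 1;
        return;
    }

    fRestart = true;
    while (fRestart)
    {
        fRestart = false;
        try
        {
            frmMain.SetCulture();
        }
        catch (Exception)
        {
            // Best effort: the main form still runs if the culture cannot be applied.
        }
        Application.Run(new frmMain(rArguments));
    }
}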

 

 

The code permits a number of login attempts that is specified in the application’s configuration file. Typically, on the first attempt, the application will not have prompted the user for a name and password, but rather tries to authenticate them using the credentials by which they logged into the operating system. Those credentials are passed to the authentication Web Service. If the user is authenticated, then an object is returned containing the data for that user, including his or her preferred language. If the credentials are not acceptable, though, an exception will be thrown. The code for the exception handler prompts the user for alternative credentials and then passes those alternative credentials to the authentication Web Service.