Up until now, we had been using a server variable and then session variables to store the username. In fact this is the exact code we used from the Session_Start function of Global.ASAX:
Session("User") = Trim(Request.ServerVariables("LOGON_USER")).Replace("/", "\").Replace("'", "''")Not the most beautiful code in existence, but it did what we needed. It got the network username from the server and stuck it in a place where we could use it.
Session("User") = CStr(Session("User")).Substring(CStr(Session("User")).LastIndexOf("\") + 1)
Of course I hated that code. It annoyed me because it was a hack. Enforced psuedo-authentication. What is worse, is that it didn't use the Page.User functionality.
So, we got a new project from that prime contract, and I was pondering how I could get that LOGON_USER ServerVariable into Page.User. So a bit of research, and I came up with some new code. First, the retreival of the LOGON_USER moved from Session_Start to Application_AuthenticateRequest. Then I added this code to that method:
Dim username As StringWhat this does is retrieves the username from the server variable, uses that username to generate the authentication cookie so that the PAGE object knows about the authentication, and then generates the GenericIdentity and Generic Princpal objects necessary for Page.User functionality.
username = Trim(Request.ServerVariables("LOGON_USER")).Replace("/", "\").Replace("'", "''")
username = username.Substring(username.LastIndexOf("\") + 1)
Dim id As New System.Security.Principal.GenericIdentity(username)
Dim p As New System.Security.Principal.GenericPrincipal(id, getUserApplicationRoles(username))
HttpContext.Current.User = p
The final bit of usefulness would be the getUserApplicationRoles function which returns an array of strings, and basically gets the roles associated to the passed in user for our application.
So, we still use the server's security, but we now have access to Page.User.Identity.Name and Page.User.IsInRole. And I'm happy.