WCSF and Security Application block - Simple example please

Topics: User Forum
Jul 7, 2008 at 8:24 AM
Edited Jul 7, 2008 at 11:32 AM

I am looking at the following notes: 
1. http://www.codeplex.com/websf/Wiki/View.aspx?title=ScenariosAndSolutions
2. http://www.codeplex.com/websf/Wiki/View.aspx?title=How%20to%20Authorize%20Web%20Pages
3. http://msdn.microsoft.com/en-us/library/cc309508.aspx

and searching for a simple tutorial on using this together.

Is there a step by step guide to put this together? I have downloaded the Enterprise Library 4.0 and WCSF Feb 2008 implementation.

The problems I am facing is:  no idea what code is needed behind the "Login" button? I am using a basic asp.net System.Web.UI.WebControls.Login on my form
All I want to do is a minimal authentication sample and then move on to authorization..
The steps I followed are:
1. update web.config of a WCSF recipe generated web project to add authorizationProviders rule expression="R:Customer" name="AllowViewAccountsSummary"
2. updated authentication mode="Forms" as per the first reference above
3. updated web.config at business module levels to add rules

Please help..
Jul 7, 2008 at 3:17 PM
I think you need a role provider (in the example, there is a membership provider) for creating Customer Role and then add somebody to the role.

Jul 7, 2008 at 4:28 PM

Hi Rasane,


For a complete sample, you can download the Hands-on Labs for WCSF June 2007 (Lab 06 - Authorization).


The steps that you need to perform are the following:


·         First, you must define the authorization rules for your application in the securityConfiguration section of your application configuration file:


<securityConfiguration defaultAuthorizationInstance="RuleProvider" defaultSecurityCacheInstance="">


    <add type="Microsoft.Practices.EnterpriseLibrary.Security.AuthorizationRuleProvider, Microsoft.Practices.EnterpriseLibrary.Security, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" name="RuleProvider">


        <add expression="R:Administrator" name="AllowAccessTransfers"/>






·         Now, open the Web.config file located in the module folder of the DevelopmentWebsite site, and then add the rule nodes to the compositeWeb/authorization element:



<rule Url="~/EFT/Default.aspx" Rule="AllowAccessTransfers">

<rule Url="~/EFT/LastTransferView.aspx" Rule="AllowAccessTransfers">



Adding this XML restricts access to the module Web pages to users for which the evaluation of the AllowAccessTransfers rule returns true.


·         Finally, to add a node to the site map, you use the AddNode method of the IsiteMapBuilderService:


protected virtual void RegisterSiteMapInformation(ISiteMapBuilderService siteMapBuilderService)


    SiteMapNodeInfo moduleNode = new SiteMapNodeInfo("EFT", "~/EFT/Default.aspx", "EFT");

    siteMapBuilderService.AddNode(moduleNode, "AllowAccessTransfers");


    SiteMapNodeInfo transfersViewNode = new SiteMapNodeInfo("LastTransferView", "~/EFT/LastTransferView.aspx", "Transfers");

    siteMapBuilderService.AddNode(transfersViewNode, moduleNode, "AllowAccessTransfers");



Please, let me know if it helps.


Mariano Converti


Jul 8, 2008 at 12:06 AM

Hi Mariano,

Thanks for that explanation. Referring to that Hands on lab sample, where is the user name/password (authentication) of admin and oper01 stored? where is that being picked, validated, correct role set from?

Thanks in advance,


Jul 8, 2008 at 2:57 PM
Edited Jul 9, 2008 at 3:23 PM
So I said you need a role provider. For example, for the above example, you need to create a role called Administrator in your role provider,
and then add your admin/oper01 in the role of Administrator. When someone uses admin/oper01 to log in, you need to call the role provider like this:

bool yourRoleProvider.IsInRole(string userName, string role)

to check if admin is authorized as an Administrator.

If you want to use Enterprise Library Security Block like WCSF,  one way to incorporate your role provider
is to derive GenericPrincipal and override its IsInRole method with IsInRole method of your role provider.

Here is a real example:

    internal class ComPlusGenericPrincipal : GenericPrincipal
        private readonly IComSecurity comSecurity;

        public ComPlusGenericPrincipal(IIdentity identity, IComSecurity comSecurity, string[] roles)
            : base(identity, roles)
            if (identity == null) throw new ArgumentNullException("identity");
            if (comSecurity == null) throw new ArgumentNullException("comSecurity");
            this.comSecurity = comSecurity;

        public override bool IsInRole(string role)  // Enterprise Library Security Block will call this method at last.
            return comSecurity.IsInRole(Identity, role);

IComSecurity is a legacy role provider based on Com+.

When implementing IAuthorizationService of WCSF,  it is:
      private readonly IAuthorizationProvider authorizatioinProvider; // Enterprise Library Security Block's authorization provider.

        public bool IsAuthorized(string role, string context)
            return authorizatioinProvider.Authorize(
                new ComPlusGenericPrincipal(GetIdentity(), comSecurity, new string[]{role}), context);
        } // The authorization Provider will call ComPlusGenericPrincipal's IsInRole method.