XmlAuthenticationProvider - Enterprise Library Security Extension

This is the first in a series of samples I'll publish demonstrating extending the new Enterprise Application Block, as part of my demo preparation for next Wednesday's (16.02.2005) lecture at Microsoft's Israel C# User Group.

Today I will focus on extending the new Security Application Block.

Out of the box, the new Enterprise Library Security Application Block can authenticate using the Database Authentication Provider. But what if you want to play with the Security Application Block and don't have a database server available?

Well, this article is for you :-)

We will create an XmlAuthenticationProvider, which will allow us to authenticate using an XML file holding the usernames and passwords.

First of all, let's create the credential store. The credential store is a simple XML file that holds each username and its password. Normally, in a production system, I would encrypt this information using DPAPI so that only the process or a specific user would be able to decrypt the data, but for simplicity we'll use plain text.

CredentialStore.xml – holds the users' credentials

<CredentialStore>
 <Account username="ohad" password="1111"/>
 <Account username="oren" password="2222"/>
 <Account username="guy"  password="3333"/>
</CredentialStore>

Next we will build the provider. The provider is just a DLL implementing the IAuthenticationProvider interface, with an added property that lets us change the default credential store.

XmlAuthenticationProvider.cs – the authentication provider

using System;
using System.Security.Principal;
using System.Xml;
using Microsoft.Practices.EnterpriseLibrary.Security;
using Microsoft.Practices.EnterpriseLibrary.Configuration;

namespace EnterpriseLibraryExtensions
{
  // We're implementing the IAuthenticationProvider interface
  public class XmlAuthenticationProvider : IAuthenticationProvider
  {
    public XmlAuthenticationProvider(){}

    string configurationName;
    public string ConfigurationName
    {
      get { return configurationName; }
      set { configurationName = value; }
    }

    // Holds the XML credential store file name
    string credentialStore;
    public string CredentialStore
    {
      get { return credentialStore; }
      set { credentialStore = value; }
    }

    // Initializer of the provider
    public void Initialize(ConfigurationView configurationView)
    {
      configurationName = "Custom Authentication Provider";
      // Default store; matches the CredentialStore.xml file shown above
      credentialStore = "CredentialStore.xml";
    }

    public bool Authenticate(object credentials, out IIdentity identity)
    {
      identity = null;
      bool authenticated = false;

      // Reject anything that is not a name/password credential
      // instead of failing on the cast.
      NamePasswordCredential namePassword = credentials as NamePasswordCredential;
      if (namePassword == null) return false;

      // It's not good practice to hold the password in a string,
      // but I did it here for demonstration reasons.
      // In a production system I would use DPAPI to
      // protect the password.
      string username = namePassword.Name;
      string password = namePassword.Password;

      XmlTextReader reader = null;
      try
      {
        // Read the XML document
        reader = new XmlTextReader( CredentialStore );

        // Looking for the matching username
        while( reader.Read() )
        {
          if( (reader.LocalName == "Account") &&
              (reader.GetAttribute( "username" ) == username) )
          {
            // If we have a password match we create a new identity,
            // set authenticated to true and stop looking
            if (password == reader.GetAttribute( "password" ))
            {
              identity = new GenericIdentity(username);
              authenticated = true;
              break;
            }
          }
        }
      }
      finally
      {
        if( null != reader ) reader.Close();
      }

      return authenticated;
    }
  }
}
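The article says a production system would protect the credential store with DPAPI; the following is an added sketch of that step, not code from the original post or from Enterprise Library. It assumes .NET Framework 2.0 or later on Windows (System.Security.Cryptography.ProtectedData, a reference to System.Security.dll); the ProtectedCredentialStore class, its method names and the entropy string are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData (System.Security.dll)
using System.Text;
using System.Xml;

namespace EnterpriseLibraryExtensions
{
  // Hypothetical helper (not part of Enterprise Library): keeps the
  // credential store on disk only as a DPAPI-protected blob.
  public static class ProtectedCredentialStore
  {
    // Constructed value. Unprotect must be given the same entropy, so a
    // blob protected by other code under the same account will not decrypt here.
    static readonly byte[] Entropy =
      Encoding.UTF8.GetBytes("XmlAuthenticationProvider.CredentialStore");

    // One-time step: encrypt the plain XML file and write the blob.
    // CurrentUser scope: only the account that runs this can decrypt it.
    public static void Protect(string plainXmlPath, string protectedPath)
    {
      byte[] plain = File.ReadAllBytes(plainXmlPath);
      try
      {
        byte[] blob = ProtectedData.Protect(
          plain, Entropy, DataProtectionScope.CurrentUser);
        File.WriteAllBytes(protectedPath, blob);
      }
      finally { Array.Clear(plain, 0, plain.Length); } // wipe the plaintext copy
    }

    // Called by the provider: decrypt in memory and return a reader over the
    // XML. Throws CryptographicException if the blob was modified or was
    // protected under a different account.
    public static XmlTextReader OpenReader(string protectedPath)
    {
      byte[] blob = File.ReadAllBytes(protectedPath);
      byte[] plain = ProtectedData.Unprotect(
        blob, Entropy, DataProtectionScope.CurrentUser);
      return new XmlTextReader(new MemoryStream(plain));
    }
  }
}
```

In Authenticate, the reader would then come from ProtectedCredentialStore.OpenReader(CredentialStore) instead of new XmlTextReader(CredentialStore). Protect has to be run once under the same account the application runs as, and the plain XML file deleted afterwards.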

 

How do we deploy the DLL?

Start the Enterprise Library configuration console and configure the Security Application Block to use a custom authentication provider, and don't forget to point the TypeName to the compiled DLL.

 

 
