Introduction
In my last article I showed you how to setup your own ASP.NET 2.0 application to run as a virtual directory under Community Server 2.1. By the time we were finished, you were able to use the CommunityServer.Components library to display the currently logged in user's name.
Displaying a username is great and all, but what if you want to take advantage of Community Server's robust membership tools (built on top of the ASP.NET 2.0 membership system) to require users to login before accessing your newly created web application? In this article I will show you how to share authentication between Community Server and your own ASP.NET 2.0 web site.
Step 1: Prepare Community Server web site
Open the Web.config file at the root of your Community Server application. Locate the <authentication> tags and change the the loginURL of the <forms> tag from "login.aspx" to "/login.aspx". The authentication section should now look similar to this:
<forms name=".CommunityServer" protection="All" timeout="60000" loginUrl="/login.aspx" slidingExpiration="true" />
If you do not take the above step you will receive a "resource cannot be found" error. This is because your application will see "login.aspx" as a relative path and will attempt to find the login page at "/yourapp/login.aspx". The login.aspx file is actually at the root of your CS web site.
Step 2: Securing your ASP.NET application
We will start by preventing all anonymous users (users who are not logged into your Community Server web site) from accessing any portion of your web site.
Begin by opening the Web.config file at the root of your web site (not the Community Server site). Add the following XML between the <system.web> tags:
<!-- This keeps all anonymous users from accessing your site. -->
<authorization>
<deny users="?" />
</authorization>
Make sure you are not logged into Community Server. Browse to your own application and you should be redirected to the Community Server Login page. After you login and you should be taken back to your web site.
Step 3: Give role specific accessNow, let's do something a little more fancy. Let's create a page that will only be accessable by users in the SystemAdministrator role.
Start by creating a new Web Form .aspx page at the root of your web site. Let's call it AdminsOnly.aspx. Add the text "If you can read this, you are a Systems Administrator." to the newly created page. Save the page and close it.
Next, open the Web.config at the root of your website (not the Community Server site). Add the following XML right above the bottom <configuration /> tag:
<!-- This keeps out all users but those in the SysAdmin role. -->
<location path="AdminsOnly.aspx">
<system.web>
<authorization>
<allow roles="SystemAdministrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
If you have not already done so, create a user in your Community Server web site that is not in the SystemAdministrator role. Login as that user. Browse to your AdminsOnly.aspx page. You should receive a "User Already Logged In" message similar to the one pictured below:
Now logout and log back in under your Community Server Systems Administrator account. Browse to your AdminsOnly.aspx page. The page should display normally, without the above pictured message.
Conclusion
You now know the basics of how to harness the power of Community Server's user authorization features within your own website. This should give you the information you need to share authentication between your ASP.NET 2.0 application and your Community Server website. Enjoy.