Tuesday, June 10, 2008

Users' Choice IDEs - 2008

Evans Data published their annual 'Users' Choice IDEs' survey.
You can get a free copy of it here.

In this survey, IDE users rated several features and functions of their favorite IDE.
The report therefore shows how satisfied users are with their IDE.

Delphi
Of the eight rated IDEs, Delphi holds sixth place.
Features where Delphi scores relatively high are compiler performance, ease of use, performance of the resulting applications, debugger, editor and integrated third-party tools.
The Delphi compiler performance has the highest rating in the survey.
Among the lowest-rated features is the documentation, which will be no surprise.

If you want to read all the details and ratings, go get the report.

Friday, June 06, 2008

Mixing Forms and Windows authentication in ASP.NET

In ASP.NET it is easy to set the preferred authentication method in the web.config file.
For external websites this is mostly set to Forms authentication with a custom Login.aspx. When you use Windows authentication, the authentication is handled by Windows, and you automatically get a Windows logon window if the authentication fails.
With Forms authentication, users are logged in based on, for example, credentials stored in the application's database. With Windows authentication, users are logged in based on their Windows domain account.
How can you mix those two?
In this situation a client wanted to enable Windows authentication for the domain users, and Forms authentication for external users.
You can't do this through the web.config file alone. Let's first look at both methods:

Windows authentication
If you choose Windows authentication, you can get the user name from the server variable LOGON_USER.

string user = Request.ServerVariables["LOGON_USER"];


If the user is not authorized, an IIS 401 security error page will appear. The server variable is then an empty string.

Forms authentication
With Forms authentication the user is redirected to a given login page (most likely login.aspx). In this page you can look up the user in your database and authenticate them based on the result.

In the mix
If you mix those two, you probably want to match the Windows user with the application users. First, however, you must set up your application to accept both kinds of users.

I found a solution here. Basically it boils down to the following:

1. Set Forms authentication in your web.config

2. Create an extra login page, Winlogin.aspx and let that be the forms login page. (in the web.config)

3. In IIS, set security on Winlogin.aspx so that it won't allow anonymous users.

4. In Winlogin.aspx determine if the user is authenticated based on his Windows account. If you have the user you can also (if needed) check if he is in your own database, and if OK, redirect from this page:

FormsAuthentication.RedirectFromLoginPage(UserId, false);

5. If the user is not authenticated, the IIS 401 security error will be shown. You can, however, redirect to your own HTML page in IIS by setting the custom error redirect.

6. In your OwnRedirect401.html, redirect to your 'normal' Login.aspx with, for example, a META redirect like this:

<meta http-equiv="refresh" content="0;URL=Login.aspx" />

Note that you must exclude login.aspx as a protected page in your web.config. In other words, allow anonymous users; otherwise you will end up on your Winlogin.aspx again.
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
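
One way to write the Winlogin.aspx code-behind for step 4, as an added example that is not code from the original post or the referenced MSDN article. The `ExpectedDomain` value, the `KnownAccounts` map standing in for the application database, and the fallback to Login.aspx for unmapped accounts are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;
using System.Web.UI;

public partial class Winlogin : Page
{
    // Assumption: the only Windows domain whose accounts the application accepts.
    private const string ExpectedDomain = "CORP";

    // Constructed stand-in for the application's user table:
    // Windows account name -> application user id.
    private static readonly Dictionary<string, string> KnownAccounts =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "jdoe", "1001" },
            { "asmith", "1002" }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        string userId = MapWindowsAccount(Request.ServerVariables["LOGON_USER"]);
        if (userId == null)
        {
            // Assumption: anyone we cannot map falls back to the normal forms login.
            Response.Redirect("Login.aspx");
            return;
        }
        // Issue a non-persistent forms ticket, as in step 4.
        FormsAuthentication.RedirectFromLoginPage(userId, false);
    }

    // Returns the application user id, or null when LOGON_USER is empty,
    // malformed, from another domain, or unknown to the application.
    internal static string MapWindowsAccount(string logonUser)
    {
        // Empty means IIS let the request through anonymously (step 3 not applied).
        if (string.IsNullOrEmpty(logonUser)) return null;
        string[] parts = logonUser.Split('\\');          // expected form: DOMAIN\user
        if (parts.Length != 2 || parts[1].Length == 0) return null;
        // Reject local machine accounts and accounts from other domains.
        if (!string.Equals(parts[0], ExpectedDomain, StringComparison.OrdinalIgnoreCase))
            return null;
        string userId;
        return KnownAccounts.TryGetValue(parts[1], out userId) ? userId : null;
    }
}
```

The forms ticket is issued only when LOGON_USER is non-empty, belongs to the expected domain and maps to a known application user, so an IIS misconfiguration that leaves anonymous access enabled on Winlogin.aspx does not log anyone in.
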
Some references:
Above method described in detail (MSDN article)
An alternate approach to the problem