Lullaby's authentication provider framework
I have added an authentication provider feature to beta 2 of Lullaby. Using the authentication provider feature, incoming requests can be authenticated via any number of authentication sources such as Active Directory, SQL Server, etc. To create an authentication provider, create a class that implements Lullaby.Providers.Authentication.IAuthenticationProvider. The following methods need to be implemented:
- Authenticate - Returns a boolean indicating if the user successfully authenticated
- CanImpersonateUser - Returns a boolean indicating if the user can impersonate another user. Return false if you don't plan on implementing this feature.
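As an added example (not Lullaby's own code), here is a minimal provider that keeps SHA-256 hashed API keys in memory and allows impersonation only for an allowlisted account. The parameter lists of Authenticate and CanImpersonateUser are assumptions, since the post only states their return types; the usernames and keys are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Lullaby.Providers.Authentication;
// Sample provider. Both method signatures are assumptions; check the IAuthenticationProvider interface shipped with Lullaby beta 2.
public class InMemoryAuthenticationProvider : IAuthenticationProvider
{
    // Constructed sample data: username -> SHA-256 hex of that user's API key. A real provider would consult Active Directory, SQL Server, etc.
    private static readonly Dictionary<string, string> KeyHashes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", Sha256Hex("alice-secret-key") },
            { "svc-report", Sha256Hex("report-service-key") }
        };
    // Accounts permitted to use the Lullaby-Authenticate-As header.
    private static readonly HashSet<string> Impersonators =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "svc-report" };
    // Receives Lullaby-API-Username and Lullaby-API-Key from the request.
    public bool Authenticate(string username, string apiKey)
    {
        string stored;
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(apiKey)
            || !KeyHashes.TryGetValue(username, out stored))
            return false;
        // Constant-time compare: a timing difference must not reveal how much of the key matched.
        return FixedTimeEquals(Encoding.ASCII.GetBytes(stored),
                               Encoding.ASCII.GetBytes(Sha256Hex(apiKey)));
    }
    // Receives the authenticated user and the Lullaby-Authenticate-As value.
    public bool CanImpersonateUser(string username, string impersonateAs)
    {
        return Impersonators.Contains(username)
            && KeyHashes.ContainsKey(impersonateAs)   // target account must exist
            && !string.Equals(username, impersonateAs, StringComparison.OrdinalIgnoreCase);
    }
    private static string Sha256Hex(string value)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(value))).Replace("-", "");
    }
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it with providerType="YourNamespace.InMemoryAuthenticationProvider, YourAssembly" in the authentication element; the security token issued after a successful Authenticate call then spares the provider from being hit on every request until tokenExpiration elapses.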
To activate the authentication feature, add the authentication element to the REST services configuration handler section of web.config:
<authentication providerType="Namespace.Class, AssemblyName" tokenExpiration="10" />
- providerType - The type and assembly name of the provider
- tokenExpiration - Time (in minutes) that a security token is valid for. Default value is 60 minutes.
Once the authentication element is configured, all you need to do is add the RequireAuthenticationAttribute to any REST class or method you want to require authentication on.
In order for authentication to work properly, the following request headers need to be provided:
- Lullaby-API-Key - API key, password, etc. that will be used to authenticate against a username
- Lullaby-API-Username - Username to authenticate against
- Lullaby-Authenticate-As - (optional) Used for authenticating as another user
- Lullaby-Security-Token - (optional) Used for authenticating via a security token that is issued on a successful login attempt. If the security token has expired, authentication will default to the authentication provider.
Once authentication takes place, if it's successful, the following response headers will be passed back to the client:
- Lullaby-Authenticated-As - The user that was authenticated as
- Lullaby-Security-Token - A unique identifier that is created for purposes of identification without having to re-authenticate using the authentication provider.
- Lullaby-Security-Token-Expiration - Date and time the security token will expire on (UTC)
If authentication fails, a 401 response code and Unauthorized response status code will be issued.

Comments
Scott Rosin on 9.20.2008 at 4:38 AM
Oh. NOW someone comes up with a REST framework. Great. ;-) I just finished implementing a custom coded REST API for a large web app project. It was a lot of work: especially handling server time-outs during very long internal processes. I never did come up with a satisfactory solution except to call the API for each request in the batch and send them back to the client which waited with an HTTPListener. Does Lullaby have a solution for this?
I'll be at SoCal Code Camp to hear your talk. Perhaps we can talk afterward.
Ryan Olshan on 9.20.2008 at 10:46 PM
Hi Scott,
I haven't put in place a solution like you did or something similar, but I would love to discuss with you how you architected your REST API and see what we can leverage into Lullaby.
See you at the SoCal Code Camp.