We are building a new site in MVC 4. There are some slightly unusual requirements when checking if someone is allowed to log in, so a simple check of username, password and enabled would not suffice in this case (also, roles will be checked).
I started by doing the traditional custom MembershipProvider class and RoleProvider. MVC 4 didn't like me doing this:
This method cannot be called during the application's pre-start initialization phase.
This, as I understand it, is due to the simple membership provider and OAuth stuff (I do not know a great deal about this area). A workaround seems to be:
    <add key="enableSimpleMembership" value="false"/>
    <add key="autoFormsAuthentication" value="false"/>
It got me wondering, should I still be doing the membership provider? My database is local, and I have a service layer that has all the logic in it to dictate if a user can log in or not and which roles and permissions they have. Should I be looking at OAuth / simple membership / some other way, or just, as above, turn off simple membership?
If I did turn it off with the appSetting, am I then able to integrate OAuth as well at a later stage (this is just me thinking very broadly; I do not have this requirement at the moment)? Is it possible to use multiple authentication mechanisms?
Or is it really as simple as this (AccountController):
    public ActionResult Login()
    {
        if (logiclayer.CheckAccess("username", "password"))
        {
            var persistCookie = false;
            FormsAuthentication.SetAuthCookie("userName", persistCookie);
        }
        return View();
    }
So their cookie is set and then the controllers can use the [Authorize] attribute? This doesn't take into account [Authorize(Roles = "admin")], as this will throw an error if no role provider is set up, which comes back to the original question of how this should be done.
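
One way to make `[Authorize(Roles = "admin")]` work with forms authentication and no role provider, as an added example that is not part of the original post: the roles returned by the service layer are carried in the forms ticket's `UserData` and turned back into a principal on each request. The names `TicketAuth`, `SignIn` and `RestorePrincipal` are hypothetical, and the sketch assumes role names contain no commas and that `roleManager` is left disabled in web.config.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper, not from the original post.
public static class TicketAuth
{
    // Call from the login action after the service layer has accepted the
    // credentials; 'roles' is whatever the service layer returned for the user.
    public static void SignIn(HttpResponseBase response, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                     // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.Add(FormsAuthentication.Timeout),
            false,                                 // not persistent, as in the question
            string.Join(",", roles),               // UserData: assumes no commas in role names
            FormsAuthentication.FormsCookiePath);

        // Encrypt() protects the ticket with the machineKey settings
        // (encrypted and validated by default), so the client cannot edit the roles.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL,
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Call from Application_PostAuthenticateRequest in Global.asax.cs, passing
    // HttpContext.Current. By then the forms authentication module has already
    // validated the cookie and exposed the ticket through a FormsIdentity.
    public static void RestorePrincipal(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        var roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // AuthorizeAttribute checks roles via User.IsInRole, which GenericPrincipal answers.
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Roles stored in the ticket stay in effect until the ticket expires, so a role removed in the database is still honoured for that long unless `RestorePrincipal` re-queries the service layer instead of trusting `UserData`.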