On most websites, when the user is about to provide the username and password to log into the system, there&#39;s a checkbox like &quot;Stay logged in&quot;. If you check the box, it will keep you logged in across all sessions from the same web browser. How can I implement the same in Java EE?

I&#39;m using FORM based container managed authentication with a JSF login page.

&lt;!-- language: xml --&gt;

    &lt;security-constraint&gt;
        &lt;display-name&gt;Student&lt;/display-name&gt;
        &lt;web-resource-collection&gt;
            &lt;web-resource-name&gt;CentralFeed&lt;/web-resource-name&gt;
            &lt;description/&gt;
            &lt;url-pattern&gt;/CentralFeed.jsf&lt;/url-pattern&gt;
        &lt;/web-resource-collection&gt;        
        &lt;auth-constraint&gt;
            &lt;description/&gt;
            &lt;role-name&gt;STUDENT&lt;/role-name&gt;
            &lt;role-name&gt;ADMINISTRATOR&lt;/role-name&gt;
        &lt;/auth-constraint&gt;
    &lt;/security-constraint&gt;
     &lt;login-config&gt;
        &lt;auth-method&gt;FORM&lt;/auth-method&gt;
        &lt;realm-name&gt;jdbc-realm-scholar&lt;/realm-name&gt;
        &lt;form-login-config&gt;
            &lt;form-login-page&gt;/index.jsf&lt;/form-login-page&gt;
            &lt;form-error-page&gt;/LoginError.jsf&lt;/form-error-page&gt;
        &lt;/form-login-config&gt;
    &lt;/login-config&gt;
    &lt;security-role&gt;
        &lt;description&gt;Admin who has ultimate power over everything&lt;/description&gt;
        &lt;role-name&gt;ADMINISTRATOR&lt;/role-name&gt;
    &lt;/security-role&gt;    
    &lt;security-role&gt;
        &lt;description&gt;Participants of the social networking Bridgeye.com&lt;/description&gt;
        &lt;role-name&gt;STUDENT&lt;/role-name&gt;
    &lt;/security-role&gt;

How to implement &quot;Stay Logged In&quot; when user login in to the web application

I am upgrading a site to use MVC and I am looking for the best way to set up Authentication.

At this point, I have the log-in working off of Active Directory: validating a username and password, and then setting the Auth cookie.

How do I store the user&#39;s role information at time of log-in, in order for my controllers to see those roles as the user navigates through the site?

    [Authorize(Roles = &quot;admin&quot;)]

I have no problem getting a list of roles from Active Directory.  I just don&#39;t know where to put them so that the controllers will see them.

Store/assign roles of authenticated users

I&#39;m trying to add _simple_ Authentication and Authorization to an ASP.NET MVC application.

I&#39;m just trying to tack on some added functionality to the basic Forms Authentication (due to simplicity and custom database structure)


Assuming this is my database structure:
User:
  username
  password
  role (ideally some enum. Strings if need be. Currently, user only has ONE role, but this might change)

High Level Problem:
Given the above database structure, I would like to be able to do the following:

 - Simple Login using Forms Authentication
 - Decorate my actions with:
   [Authorize(Roles={ MyRoles.Admin, MyRoles.Member})]
 - Use roles in my Views (to determine links to display in some partials)

Currently, all I&#39;m really sure of is how to Authenticate. After that I&#39;m lost. I&#39;m not sure at which point do I grab the user role (login, every authorization?). Since my roles may not be strings, I&#39;m not sure how they will fit in with the User.IsInRole().

Now, I&#39;m asking here because I haven&#39;t found a &quot;simple&quot; accomplish what I need. I have seen multiple examples.

For Authentication:

 - We have simple user validation that checks the database and &quot;SetAuthCookie&quot;
 - Or we override the Membership provider and do this inside of ValidateUser
In either of these, I&#39;m not sure how to tack on my simple user Roles, so that they work with the:
HttpContext.Current.User.IsInRole(&quot;Administrator&quot;)
Furthermore, I&#39;m not sure how to modify this to work with my enum values.

For Authorization, I&#39;ve seen:

 - Deriving AuthorizeAttribute and implementing AuthorizeCore OR OnAuthorization to handle roles?
 - Implementing IPrincipal?


Any assistance would be greatly appreciated. However, I fear I may need a lot of detail, because none of what I&#39;ve Googled seems to fit with what I need to do.

ASP.NET MVC Forms Authentication + Authorize Attribute + Simple Roles

I am creating a cookie and storing the value of username after succesfull login. How can I access the cookie when the website is opened. If the cookie exist I want to fill the username text box from the cookie value. And how to decrypt the value to get the username. I am doing server side validation by getting the userdetails from the database. I am using vs 2010 with c#


    FormsAuthenticationTicket tkt;
    string cookiestr;
    HttpCookie ck;
    tkt = new FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now,
        DateTime.Now.AddYears(1), chk_Rememberme.Checked, &quot;User Email&quot;);
    cookiestr = FormsAuthentication.Encrypt(tkt);
    ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);

    if (chk_Rememberme.Checked)
    {
        ck.Expires = tkt.Expiration;
        ck.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(ck);
    }

cookie is created with name as .YAFNET_Authentication and content is encrypted

Webconfig:

      &lt;forms name=&quot;.YAFNET_Authentication&quot; loginUrl=&quot;Home.aspx&quot;
      protection=&quot;All&quot; timeout=&quot;15000&quot; cookieless=&quot;UseCookies&quot;/&gt;



How to get the cookie value in asp.net website

I have an (ASP.NET 3.5) intranet application which has been designed to use forms authentication (along with the default aspnet membership system). I also store additional information about users in another table which shares its primary key with the aspnet_users table.

For users who are part of our domain I store their domain  account name in the secondary users table, and I want to automatically log in users whose domain account name matches a name stored in the table.

I have read the guides which are available - they&#39;re all from two years ago or more and assume that you are able to activate Windows Authentication on a separate login page that allows you to extract the domain account name. From what I can tell, though, this is not possible in IIS7 (the overall authentication method is applied on all pages and cannot be selectively deactivated, and both authentication methods can&#39;t be applied on the same page).

Is there a way of getting IIS to pass through the windows domain account name of the requesting user? I don&#39;t need proper AD authentication, just the domain name.

Mixing Forms authentication with Windows authentication

In a forms model, I used to get the current logged-in user by:

    Page.CurrentUser

How do I get the current user inside a controller class in ASP.NET MVC?


How to get the current user in ASP.NET MVC

Smashed my head against this a bit too long. How do I prevent a user from browsing a site&#39;s pages after they have been logged out using FormsAuthentication.SignOut? I would expect this to do it:

	FormsAuthentication.SignOut();
	Session.Abandon();
	FormsAuthentication.RedirectToLoginPage();

But it doesn&#39;t. If I type in a URL directly, I can still browse to the page. I haven&#39;t used roll-your-own security in a while so I forget why this doesn&#39;t work.


FormsAuthentication.SignOut() does not log the user out

I need to do something fairly simple: in my ASP.NET MVC application, I want to set a custom IIdentity / IPrincipal. Whichever is easier / more suitable. I want to extend the default so that I can call something like `User.Identity.Id` and `User.Identity.Role`. Nothing fancy, just some extra properties.

I&#39;ve read tons of articles and questions but I feel like I&#39;m making it harder than it actually is. I thought it would be easy. If a user logs on, I want to set a custom IIdentity. So I thought, I will implement `Application_PostAuthenticateRequest` in my global.asax. However, that is called on every request, and I don&#39;t want to do a call to the database on every request which would request all the data from the database and put in a custom IPrincipal object. That also seems very unnecessary, slow, and in the wrong place (doing database calls there) but I could be wrong. Or where else would that data come from?

So I thought, whenever a user logs in, I can add some necessary variables in my session, which I add to the custom IIdentity in the `Application_PostAuthenticateRequest` event handler. However, my `Context.Session` is `null` there, so that is also not the way to go.

I&#39;ve been working on this for a day now and I feel I&#39;m missing something. This shouldn&#39;t be too hard to do, right? I&#39;m also a bit confused by all the (semi)related stuff that comes with this. `MembershipProvider`, `MembershipUser`, `RoleProvider`, `ProfileProvider`, `IPrincipal`, `IIdentity`, `FormsAuthentication`.... Am I the only one who finds all this very confusing?

If someone could tell me a simple, elegant, and efficient solution to store some extra data on a IIdentity without all the extra fuzz.. that would be great! I know there are similar questions on SO but if the answer I need is in there, I must&#39;ve overlooked.

ASP.NET MVC - Set custom IIdentity or IPrincipal

I&#39;m creating a multi-tenancy web site which hosts pages for clients. The first segment of the URL will be a string which identifies the client, defined in Global.asax using the following URL routing scheme:

    &quot;{client}/{controller}/{action}/{id}&quot;

This works fine, with URLs such as /foo/Home/Index.

However, when using the [Authorize] attribute, I want to redirect to a login page which also uses the same mapping scheme. So if the client is foo, the login page would be /foo/Account/Login instead of the fixed /Account/Login redirect defined in web.config.

MVC uses an HttpUnauthorizedResult to return a 401 unauthorised status, which I presume causes ASP.NET to redirect to the page defined in web.config.

So does anyone know either how to override the ASP.NET login redirect behaviour? Or would it be better to redirect in MVC by creating a custom authorization attribute?

**EDIT - Answer:** after some digging into the .Net source, I decided that a custom authentication attribute is the best solution:

    public class ClientAuthorizeAttribute: AuthorizeAttribute
    {
        public override void OnAuthorization( AuthorizationContext filterContext )
        {
            base.OnAuthorization( filterContext );

            if (filterContext.Cancel &amp;&amp; filterContext.Result is HttpUnauthorizedResult )
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary
                    {
                        { &quot;client&quot;, filterContext.RouteData.Values[ &quot;client&quot; ] },
                        { &quot;controller&quot;, &quot;Account&quot; },
                        { &quot;action&quot;, &quot;Login&quot; },
                        { &quot;ReturnUrl&quot;, filterContext.HttpContext.Request.RawUrl }
                    });
            }
        }
    }

How to redirect to a dynamic login URL in ASP.NET MVC

I am using form authentication with below method in my ASP.NET application

    FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);

How do I check whether user is logged in or not? And how can I get the user name of a logged in user?

How to check user is &quot;logged in&quot;?

While working with ASP.Net Forms Authentication I came across the .ASPXAUTH cookie. I have a couple questions:

 - What is the purpose of this cookie?
 - What is the location of this cookie?

what is ASPXAUTH cookie?

The `?` wildcard represents unauthenticated users while `*` represents all users, authenticated and unauthenticated. My book shows the following example of URL authorization:

    &lt;authorization&gt;
      &lt;deny users=&quot;?&quot; /&gt;
      &lt;allow users=&quot;dan,matthew&quot; /&gt;
      &lt;deny users=&quot;*&quot; /&gt;
    &lt;/authorization&gt;

&lt;br&gt;
But doesn’t the above code have the same effect as :

    &lt;authorization&gt;
      &lt;allow users=&quot;dan,matthew&quot; /&gt;
      &lt;deny users=&quot;*&quot; /&gt;
    &lt;/authorization&gt;
or did the author also include  `&lt;deny users=&quot;?&quot; /&gt;` rule for a reason?


Why is &lt;deny users=&quot;?&quot; /&gt; included in the following example?

I have an application that uses ASP.NET Forms Authentication. For the most part, it&#39;s working great, but I&#39;m trying to add support for a simple API via an .ashx file. I want the ashx file to have optional authentication (i.e. if you don&#39;t supply an Authentication header, then it just works anonymously). But, depending on what you do, I want to require authentication under certain conditions.

I thought it would be a simple matter of responding with status code 401 if the required authentication was not supplied, but it seems like the Forms Authentcation module is intercepting that and responding with a redirect to the login page instead. What I mean is, if my `ProcessRequest` method looks like this:

    public void ProcessRequest(HttpContext context)
    {
        Response.StatusCode = 401;
        Response.StatusDescription = &quot;Authentication required&quot;;
    }

Then instead of getting a 401 error code on the client, like I expect, I&#39;m *actually* getting a 302 redirect to the login page.

For nornal HTTP traffic, I can see how that would be useful, but for my API page, I want the 401 to go through unmodified so that the client-side caller can respond to it programmatically instead.

Is there any way to do that?

Forms authentication: disable redirect to the login page

I have been using Spring Security 3.x for handling user authentication for my projects, and so far, it has worked flawlessly.

I recently received the requirements for a new project. In this project, it requires 2 sets of user authentication: one to authenticate employees against LDAP, and another to authenticate customer against database. I&#39;m a little stumped on how to configure that in Spring Security.

My initial idea was to create a login screen that has the following fields:-
  
 - radio button field - for users to choose whether they are employees or customers.
 - `j_username` user field.
 - `j_password` password field.

If the user selects &quot;employee&quot;, then I want Spring Security to authenticate them against LDAP, otherwise the credential will be authenticated against database. However, the problem is the form will be submitted to `/j_spring_security_check` and there&#39;s no way for me to send the radio button field to my implemented custom authentication provider. My initial thought is I probably need two form submission URLs rather than relying on the default `/j_spring_security_check`. Each URL will be handled by different authentication providers, but I&#39;m not sure how to configure that in Spring Security.

I know in Spring Security, I can configure fall back authentication, for example if LDAP authentication fails, then it will fall back to database authentication, but this is not what I&#39;m shooting for in this new project. 

Can someone share how exactly I should configure this in Spring Security 3.x?

Thank you.

----------

**UPDATE - 01-28-2011 - @EasyAngel&#39;s technique**

I&#39;m trying to do the following:-

 - Employee form login submits to `/j_spring_security_check_for_employee`
 - Customer form login submits to `/j_spring_security_check_for_customer`

The reason I want 2 different form logins is to allow me to handle the authentication differently based on the user, instead of doing a fall-back authentication. It is possible that employee and customer have same user ID, in my case.

I incorporated @EasyAngel&#39;s idea, but have to replace some deprecated classes. The problem I&#39;m currently facing is neither filter processes URLS seem registered in Spring Security because I keep getting `Error 404: SRVE0190E: File not found: /j_spring_security_check_for_employee`. My gut feeling is the `springSecurityFilterChain` bean is not wired properly, thus my custom filters are not used at all.

By the way, I&#39;m using WebSphere and I do have `com.ibm.ws.webcontainer.invokefilterscompatibility=true` property set in the server. I&#39;m able to hit the default `/j_spring_security_check` without problem.

Here&#39;s my complete security configuration:-

&lt;!-- language: lang-xml --&gt;


    &lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
    &lt;beans xmlns=&quot;http://www.springframework.org/schema/beans&quot; xmlns:sec=&quot;http://www.springframework.org/schema/security&quot; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;
    	xsi:schemaLocation=&quot;http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd&quot;&gt;
    
    	&lt;sec:http auto-config=&quot;true&quot;&gt;
    		&lt;sec:form-login login-page=&quot;/login.jsp&quot; authentication-failure-url=&quot;/login.jsp?login_error=1&quot; default-target-url=&quot;/welcome.jsp&quot;
    			always-use-default-target=&quot;true&quot; /&gt;
    		&lt;sec:logout logout-success-url=&quot;/login.jsp&quot; /&gt;
    		&lt;sec:intercept-url pattern=&quot;/employee/**&quot; access=&quot;ROLE_EMPLOYEE&quot; /&gt;
    		&lt;sec:intercept-url pattern=&quot;/customer/**&quot; access=&quot;ROLE_CUSTOMER&quot; /&gt;
    		&lt;sec:intercept-url pattern=&quot;/**&quot; access=&quot;IS_AUTHENTICATED_ANONYMOUSLY&quot; /&gt;
    	&lt;/sec:http&gt;
    
    	&lt;bean id=&quot;springSecurityFilterChain&quot; class=&quot;org.springframework.security.web.FilterChainProxy&quot;&gt;
    		&lt;sec:filter-chain-map path-type=&quot;ant&quot;&gt;
    			&lt;sec:filter-chain pattern=&quot;/**&quot; filters=&quot;authenticationProcessingFilterForEmployee, authenticationProcessingFilterForCustomer&quot; /&gt;
    		&lt;/sec:filter-chain-map&gt;
    	&lt;/bean&gt;
    
    	&lt;bean id=&quot;authenticationProcessingFilterForEmployee&quot; class=&quot;org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter&quot;&gt;
    		&lt;property name=&quot;authenticationManager&quot; ref=&quot;authenticationManagerForEmployee&quot; /&gt;
    		&lt;property name=&quot;filterProcessesUrl&quot; value=&quot;/j_spring_security_check_for_employee&quot; /&gt;
    	&lt;/bean&gt;
    
    	&lt;bean id=&quot;authenticationProcessingFilterForCustomer&quot; class=&quot;org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter&quot;&gt;
    		&lt;property name=&quot;authenticationManager&quot; ref=&quot;authenticationManagerForCustomer&quot; /&gt;
    		&lt;property name=&quot;filterProcessesUrl&quot; value=&quot;/j_spring_security_check_for_customer&quot; /&gt;
    	&lt;/bean&gt;
    	
    	&lt;bean id=&quot;authenticationManagerForEmployee&quot; class=&quot;org.springframework.security.authentication.ProviderManager&quot;&gt;
    		&lt;property name=&quot;providers&quot;&gt;
    			&lt;list&gt;
    				&lt;ref bean=&quot;employeeCustomAuthenticationProvider&quot; /&gt;
    			&lt;/list&gt;
    		&lt;/property&gt;
    	&lt;/bean&gt;
    
    	&lt;bean id=&quot;authenticationManagerForCustomer&quot; class=&quot;org.springframework.security.authentication.ProviderManager&quot;&gt;
    		&lt;property name=&quot;providers&quot;&gt;
    			&lt;list&gt;
    				&lt;ref bean=&quot;customerCustomAuthenticationProvider&quot; /&gt;
    			&lt;/list&gt;
    		&lt;/property&gt;
    	&lt;/bean&gt;
    	
    	&lt;bean id=&quot;employeeCustomAuthenticationProvider&quot; class=&quot;ss.EmployeeCustomAuthenticationProvider&quot;&gt;
    		&lt;property name=&quot;userDetailsService&quot;&gt;
    			&lt;bean class=&quot;ss.EmployeeUserDetailsService&quot;/&gt;
    		&lt;/property&gt;
    	&lt;/bean&gt;
    
    	&lt;bean id=&quot;customerCustomAuthenticationProvider&quot; class=&quot;ss.CustomerCustomAuthenticationProvider&quot;&gt;
    		&lt;property name=&quot;userDetailsService&quot;&gt;
    			&lt;bean class=&quot;ss.CustomerUserDetailsService&quot;/&gt;
    		&lt;/property&gt;
    	&lt;/bean&gt;
    	
    	&lt;sec:authentication-manager&gt;
    		&lt;sec:authentication-provider ref=&quot;employeeCustomAuthenticationProvider&quot; /&gt;
    		&lt;sec:authentication-provider ref=&quot;customerCustomAuthenticationProvider&quot; /&gt;
    	&lt;/sec:authentication-manager&gt;
    
    &lt;/beans&gt;

I&#39;m starting a bounty here because I can&#39;t seem to get this working for several days already... frustration is the word. I&#39;m hoping someone will point out the problem(s), or if you can show me a better or cleaner way to handle this (in code). 

I&#39;m using Spring Security 3.x. 

Thank you.

----------

**UPDATE 01-29-2011 - @Ritesh&#39;s technique**

Okay, I managed to get @Ritesh&#39;s approach to work very closely to what I wanted. I have the radiobutton that allows user to select whether they are customer or employee. It seems like this approach is working fairly well, with one problem... 

 - If employee logs in with right credential, they are allowed in... **WORK AS EXPECTED**.
 - If employee logs in with wrong credential, they are not allowed in... **WORK AS EXPECTED**.
 - If customer logs in with right credential, they are allowed in... **WORK AS EXPECTED**.
 - If customer logs in with wrong credential, the authentication falls back to employee authentication... **DOESN&#39;T WORK**. This is risky because if I select customer authentication, and punch it the employee credential, it will allow the user in too and this is not what I want.

&lt;!-- language: lang-xml --&gt; 
    
        &lt;sec:http auto-config=&quot;false&quot; entry-point-ref=&quot;loginUrlAuthenticationEntryPoint&quot;&gt;
            &lt;sec:logout logout-success-url=&quot;/login.jsp&quot;/&gt;
            &lt;sec:intercept-url pattern=&quot;/employee/**&quot; access=&quot;ROLE_EMPLOYEE&quot;/&gt;
            &lt;sec:intercept-url pattern=&quot;/customer/**&quot; access=&quot;ROLE_CUSTOMER&quot;/&gt;
            &lt;sec:intercept-url pattern=&quot;/**&quot; access=&quot;IS_AUTHENTICATED_ANONYMOUSLY&quot;/&gt;
    
            &lt;sec:custom-filter position=&quot;FORM_LOGIN_FILTER&quot; ref=&quot;myAuthenticationFilter&quot;/&gt;
        &lt;/sec:http&gt;
    
    
        &lt;bean id=&quot;myAuthenticationFilter&quot; class=&quot;ss.MyAuthenticationFilter&quot;&gt;
            &lt;property name=&quot;authenticationManager&quot; ref=&quot;authenticationManager&quot;/&gt;
            &lt;property name=&quot;authenticationFailureHandler&quot; ref=&quot;failureHandler&quot;/&gt;
            &lt;property name=&quot;authenticationSuccessHandler&quot; ref=&quot;successHandler&quot;/&gt;
        &lt;/bean&gt;
    
        &lt;bean id=&quot;loginUrlAuthenticationEntryPoint&quot;
              class=&quot;org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint&quot;&gt;
            &lt;property name=&quot;loginFormUrl&quot; value=&quot;/login.jsp&quot;/&gt;
        &lt;/bean&gt;
    
        &lt;bean id=&quot;successHandler&quot;
              class=&quot;org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler&quot;&gt;
            &lt;property name=&quot;defaultTargetUrl&quot; value=&quot;/welcome.jsp&quot;/&gt;
            &lt;property name=&quot;alwaysUseDefaultTargetUrl&quot; value=&quot;true&quot;/&gt;
        &lt;/bean&gt;
    
        &lt;bean id=&quot;failureHandler&quot;
              class=&quot;org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler&quot;&gt;
            &lt;property name=&quot;defaultFailureUrl&quot; value=&quot;/login.jsp?login_error=1&quot;/&gt;
        &lt;/bean&gt;
    
    
        &lt;bean id=&quot;employeeCustomAuthenticationProvider&quot; class=&quot;ss.EmployeeCustomAuthenticationProvider&quot;&gt;
            &lt;property name=&quot;userDetailsService&quot;&gt;
                &lt;bean class=&quot;ss.EmployeeUserDetailsService&quot;/&gt;
            &lt;/property&gt;
        &lt;/bean&gt;
    
        &lt;bean id=&quot;customerCustomAuthenticationProvider&quot; class=&quot;ss.CustomerCustomAuthenticationProvider&quot;&gt;
            &lt;property name=&quot;userDetailsService&quot;&gt;
                &lt;bean class=&quot;ss.CustomerUserDetailsService&quot;/&gt;
            &lt;/property&gt;
        &lt;/bean&gt;
    
    
        &lt;sec:authentication-manager alias=&quot;authenticationManager&quot;&gt;
            &lt;sec:authentication-provider ref=&quot;customerCustomAuthenticationProvider&quot;/&gt;
            &lt;sec:authentication-provider ref=&quot;employeeCustomAuthenticationProvider&quot;/&gt;
        &lt;/sec:authentication-manager&gt;
    &lt;/beans&gt;

Here&#39;s my updated configuration. It has to be some really small tweak I need to do to prevent the authentication fall back but I can&#39;t seem to figure it out now.  

Thank you.

**UPDATE - SOLUTION to @Ritesh&#39;s technique**

Okay, I think I have solved the problem here. Instead of having `EmployeeCustomAuthenticationProvider` to rely on the default `UsernamePasswordAuthenticationToken`, I created `EmployeeUsernamePasswordAuthenticationToken` for it, just like the one I created `CustomerUsernamePasswordAuthenticationToken` for `CustomerCustomAuthenticationProvider`. These providers will then override the `supports()`:-

**CustomerCustomAuthenticationProvider class**

    @Override
    public boolean supports(Class&lt;? extends Object&gt; authentication) {
        return (CustomerUsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
    }

**EmployeeCustomAuthenticationProvider class**

    @Override
    public boolean supports(Class&lt;? extends Object&gt; authentication) {
        return (EmployeeUsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
    }

**MyAuthenticationFilter class**

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
    
        ...

        UsernamePasswordAuthenticationToken authRequest = null;

        if (&quot;customer&quot;.equals(request.getParameter(&quot;radioAuthenticationType&quot;))) {
            authRequest = new CustomerUsernamePasswordAuthenticationToken(username, password);

        }
        else {
            authRequest = new EmployeeUsernamePasswordAuthenticationToken(username, password);
        }

        setDetails(request, authRequest);

        return super.getAuthenticationManager().authenticate(authRequest);
    }

... and WALAA! It works perfectly now after several days of frustration! 

Hopefully, this post will be able to help somebody who is doing the same thing as I am here.

Configuring Spring Security 3.x to have multiple entry points

I have a page that when you press &#39;log out&#39; it will redirect to the `login.aspx` page which has a `Page_Load` method which calls `FormsAuthentication.SignOut()`.  

The master page displays the &#39;log out&#39; link in the top right of the screen and it displays it on the condition that `Page.User.Identity.IsAuthenticated` is `true`.  After stepping through the code however, this signout method doesn&#39;t automatically set `IsAuthenticated` to `false` which is quite annoying, any ideas?

Page.User.Identity.IsAuthenticated still true after FormsAuthentication.SignOut()

Can I change the FormsAuthentication cookie name?

If yes, How?

The problem which I&#39;ve got is that when I have two web applications are deployed in the same domain then when anyone is logged in then the second one will be automatically logged out because they use the same Authentication&#39;s cookie name.

Can I change the FormsAuthentication cookie name?

I&#39;ve read everything on this topic I could find, including MSDN articles and SO posts, but I&#39;m still very lost and confused.

## Questions ##

Please answer the following (briefly, if possible):

 1. What is **SimpleMembership/SimpleMembershipProvider** (*WebMatrix.WebData*) and what is it/are they responsible for?

 2. What is **WebSecurity** (*WebMatrix.WebData*)?

 3. What is the **Membership** (*System.Web.Security*) class?

 4. Why does MVC4 create a **UserProfile** table and a **webpages_Membership** table? What are they for and what is the difference? What is the UserProfile class that MVC4 creates?

 5. What is the **UsersContext** class?

 6. How do all of these work together to make user authentication?

## My Situation ##

These questions then lead into the next problem:

Suppose I have an existing database with users (IDs, Usernames, passwords). I&#39;m creating a new MVC4 application and using Forms Authentication. User passwords are stored in the database in an encrypted form (not bcrypt).

What do I have to do to make it work with MVC4?

Do I have to create a custom *MembershipProvider*?

## My Knowledge Thus Far ##

As far as I can understand, *WebSecurity* is a static class (Module) that interacts with a *MembershipProvider*. A MembershipProvider is a class that explains how particular functions work, such as *ValidateUser*, *CreateUser*, *ChangePassword*.

To solve my problem I assume I need to create a custom MembershipProvider and tell WebSecurity to use my new MembershipProvider.

## Bounty? ##

I have placed a bounty on this question and intend to award it to Andy Brown for an outstanding answer.

All Forms Authentication Solutions on Gang of Coders

Total of 17 Forms Authentication Solutions

How to implement "Stay Logged In" when user login in to the web application