ASP.NET 2.0 introduced the Application Services which are a
set of services used to manage user security from authenticating users,
creation of new users, retrieving user passwords, getting user roles, to loading
and saving per-user profile data from and into a database. These services to
function properly are configured through XML entries in the Web.config
The above services, as you can see, work only with web
applications. But the problems appear when you have multiple applications,
including Web and Windows client applications, with a shared database and all
of those applications need a way to authenticate and authorize users in
addition to processing a user’s profile and this could not be done before
Visual Studio 2008 and .NET 3.5.
With the release of Visual Studio 2008 and .NET 3.5, Client
Application Services have been introduced to the Windows Forms and Windows
Presentation Foundation applications. Basically, Client Application Services
make use of the ASP.NET AJAX Application Services to allow a Desktop
application to interact with the Membership, Role, and Profile providers.
ASP.NET 2.0 shipped with Membership, Role, and Profile
providers that make a developer's life easier when it comes to working with
user management including authenticating and authorizing users, creating new
accounts, retrieving a user's password, storing and loading a user’s profile.
All of these functionalities have been added to facilitate the most common
tasks a developer faces in every application that requires such a kind of user
and security management.
These services are always configured for a web application
since they are defined in the Machine.config configuration file. By default,
these providers are set to work with a SQL Server 2005 Express edition and can
be easily configured through the Web.config configuration file of a specific
web application. Here is the default configuration in the Machine.config file.
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=188.8.131.52,
enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/"
requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5"
<add name="AspNetSqlProfileProvider" connectionStringName="LocalSqlServer"
applicationName="/" type="System.Web.Profile.SqlProfileProvider, System.Web,
Version=184.108.40.206, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
<add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer"
applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web,
Version=220.127.116.11, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
<add name="AspNetWindowsTokenRoleProvider" applicationName="/"
type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=18.104.22.168,
Off course, you can use your own providers for any of the
above services and this requires you to add those custom providers through the
Web.config configuration file. As you can see, there are mainly three types of
services. The first is Membership service which allows you to authenticate
users, create new users, retrieve users, change user’s passwords and many more
functionalities. The second is the Profile service which allows you to store
user-specific information just like session variables in ASP.NET, but is much
more powerful because it automatically saves the data into the database at the
end of every request and loads back the data at the beginning of every request.
For a full discussion on Profile service, check the following series.
Extended Look at the Profile Object - Part 1
Extended Look at the Profile Object - Part 2
Extended Look at the Profile Object - Part 3
The third and final service is the Role management service.
This service allows you to manage user’s roles by creating new roles, adding
users to roles, retrieving user’s roles and other functionalities.
AJAX Extensions 1.0 shipped with built-in client-side Application
Services. This means that with AJAX 1.0 Extensions you can authenticate users,
process user roles, and load and save user’s profile without the need to
postback to the server.
To be able to allow the client-side code to interact with
the Application Services, you need to configure them in the Web.config
configuration file as follows.
<authenticationService enabled="true" requireSSL = "false"/>
The above enables the Authentication, Profile, and Role
services so that the AJAX engine creates client-side proxies so that the
in an asynchronous way.
Every client-side proxy for the above services is configured
with HttpHandler to know where to post the asynchronous request on the server.
For instance, the Authentication Service is configured with the
Authentication_JSON_AppService.axd HttpHandler. When a request accesses the
aforementioned HttpHandler, the handler checks what Membership provider is
configured in the web application on the server and accordingly it redirects
the request to that configured provider. For instance, a call to Login method
on the HttpHandler would be redirected to the Login method implementation of the
configured Membership provider in the Web.config configuration file of the
You can also configure the application services to interact
with your Web services instead of using the built-in HttpHandlers. This can be
very easy and a matter of setting the path of the Web services that will do the
authentication operations to the Path property of the AuthenticationService
class located inside the ScriptManager instance. Here is an example of how to
<asp:ScriptManager ID="ScriptManager1" runat="server">
<AuthenticationService Path="~/AuthenticationService.asmx" />
After all, whether the client-side proxy is accessing a Web
service, which is nothing but a compiled class on the server, or the
HttpHandler which instantiates an instance of the configure MembershipProvider,
the same functionality is present.
If you have been following from the beginning of this
article, you should have noticed how the concept of Application Services has
evolved. First of all, the Application Services were added to ASP.NET 2.0, and
after that AJAX developers were also able to access those Application Services
from the client-side. What are left are the Windows Forms and Windows
Presentation Foundation applications to access those Application Services and
this enables having a single database containing the entire user’s information
and shared by several application types including Web-AJAX and Windows
What can be understood is that Client Application Services
or CLAS, introduced with Visual Studio 2008 and .NET 3.5, is a way to allow a
Windows Forms or WPF application to access the Application Services using the
ASP.NET 2.0 AJAX 1.0 Extensions Application Services.
Usually, you would have a web application that is configured
with ASP.NET 2.0 Application Services and ASP.NET 2.0 AJAX 1.0 Extensions
Application Services and you need to use those application services in a new
Windows Forms application.
CLAS mainly gives the windows application the power of:
Authenticating and authorizing users: By configuring the
windows application to use the authentication service, the application can then
authenticate and authorize users against a database just as a Web or AJAX application can do.
Operating in an Offline-mode: What makes CLAS even more
powerful is that you can configure the application to cache all the processed
information while the application is in live connection to the database and
once the connection is off, the application can still operate in an offline
mode by retrieving information from the cached data. Usually, SQL Server
Compact Edition 3.5 database is used locally to store the information.
Visual Studio 2008 adds a new Tab to the project properties
page called Services and is shown in Figure 1.
Figure 1: Windows Forms Services Tab
This is a new Tab that has been added to allow you to
configure CLAS for your application. We will come to the above Tab later when
we go in depth into how to configure CLAS for an application.
CLAS is a collection of application services and is built on
top of several client application providers. For each of the services there is
a provider that can be configured through the app.config configuration file.
When you configure the application using the Services Tab,
automatically the configuration settings are added to the app.config file. Here
is a sample configuration setting.
System.Web.Extensions, Version=22.214.171.124, Culture=neutral,
credentialsProvider="ClientAppServicesDemo.Login, ClientAppServicesDemo" />
The above membership provider’s configuration section is so
close to the one we saw earlier when configuring the Membership provider in an
ASP.NET application. In the coming sections we will delve into more details
about the providers and classes that ship with the CLAS.
CLAS comes with several new classes that constitute the core
functionality. We will list those classes and give a brief description of the
use and importance of each one of them.
ClientFormsIdentity: When the user is about to be
authenticated a call to the static Membership.ValidateUser method is issued to
validate the credentials of the user. If Windows Authentication is configured
in the application then this method always returns true. If however, Forms
Authentication is configured, and if the user was successfully authenticated,
an instance of the ClientFormsIdentity can be retrieved by casting the
System.Threading.Thread.CurrentPrincipal.Identity to an instance of
ClientFormsIdentity. Notice though when the application is configured with
Windows Authentication, the System.Threading.Thread.CurrentPrincipal.Identity
refers to an instance of System.Security.Principal.WindowsIdentity with the
AuthenticationType property set to Kerberos. However, when the application is
configured with Forms Authentication, an instance of the ClientFormsIdentity
can be retrieved as mentioned above and the AuthenticationType property is set
ClientRolePrincipal: Once the user is authenticated, an
instance of the ClientRolePrincipal can be retrieved by casting the
System.Threading.Thread.CurrentPrincipal object to an instance of
ClientRolePrincipal object. This object provides information about the roles
the currently authenticated user belongs to.
ConnectivityStatus: This class contains a single static
property called IsOffline which allows you to switch the application from online
mode to offline mode and vice versa.
ClientFormsAuthenticationCredentials: This class represents
the credentials of a user. When you want to allow the user to enter his/her
credentials to be authenticated, usually you would create a Login Windows Form
that implements the IClientFormsAuthenticationCredentialsProvider interface.
This interface contains a single method called GetCredentials and returns an
instance of ClientFormsAuthenticationCredentials object containing the user’s
ClientFormsAuthenticationMembershipProvider: This class
manages access to the remote authentication service for forms authentication.
It extends the MembershipProvider and adds the Logout method and UserValidated
event. Typically, when Forms Authentication is configured for the application,
you can retrieve an instance of this class by casting the Membership.Provider
property to an instance of ClientFormsAuthenticationMembershipProvider object.
ClientWindowsAuthenticationMembershipProvider: This class
manages Windows Authentication. It extends Membership.Provider and adds a
single method Logout. When the user is logged out, he or she will continue to
be authenticated by Windows but unable to access the remote authentication
ClientRoleProvider: This class manages the access to the
remote roles service. If your applications require accessing roles information
for users, you can simply configure the Roles service the same as you configure
Authentication service. As the other providers, the ClientRoleProvider contains
the ServiceUri property that points to the address of the remote Role service.
When a user is authenticated, you can retrieve an instance of the
ClientRolePrincipal from the System.Threading.Thread.CurrentPrincipal object.
This class contains the IsInRole method that internally calls the
ClientRoleProvider.IsUserInRole method. One final note about the
ClientRoleProvider, it is a Read-Only provider which means you can only use the
ClientRoleProvider to retrieve a user’s roles information.
interface has been mentioned above when we discussed the
ClientFormsAuthenticationCredentials class. This interface shall by implemented
by the Windows Forms that will ask the user for credentials, fill up an instance
of the ClientFormsAuthenticationCredentials object and send it back to the
ValidateUser method whether called directly from the Membership class or from
the ClientFormsAuthenticationMembershipProvider. Any class that implements this
class shall provide a method called GetCredentials that returns an object of
ClientFormsAuthenticationCredentials filled up with the entered user
At this point, we will be satisfied by only the above
classes. In the next parts of this series we will introduce the other remaining
classes and illustrate more the ones mentioned above.
Material is still scarce on this topic, but there is a very
informative section on the MSDN library that allows you to get an idea on all
the details the surrounds Client Application Services. Follow this link to
access this information: Client
In this article we have revised the application services
introduced by ASP.NET 2.0 and how the ASP.NET 2.0 AJAX 1.0 Extensions make use
of those application services so that they can be accessed from within the
After that, we covered the concept of Client Application
Services, what they are and why they are needed. In addition, a detailed
section on the different classes introduced by Client Application Services was
included to give a better idea on those classes.
This article is just an introductory article on the Client
Application Services. There will be two other parts, one of them shows you how
to configure your application to authenticate and authorize users and another
one shows you how to work with Web Settings and Profile objects from inside a
I hope you enjoyed this article and benefited from the
information presented. If you have any questions or comments please feel free
to contact me directly at firstname.lastname@example.org.
Happy Ajaxified Dot Netting!!