Beth Massi is a Senior Program Manager on the Visual Studio team at Microsoft and a community champion for business application developers. Learn more about Beth.
I’ve gotten a few questions lately on how to assign user permissions to a LightSwitch HTML mobile app so I thought I’d post a quick How To. The short answer is you need to deploy a desktop client to perform the security administration for your application. Typically an administration console also manages other types of global data that your app may use, like lookup tables and other reference data, and is used by one or a few system administrators. However, if you just need access to the Users and Roles screens so you can grant users access to the system, then the steps are simple.
Let’s take an example. I have a simple HTML client application and I’ve enabled Forms Authentication on the Access Control tab of the project properties.
I’ve already added permission checks in code to perform business rules and control access to application functionality. If you’re not familiar with how to do this, please read: LightSwitch Authentication and Authorization. The basic gist is that you use the access control hooks (_CanInsert, _CanDelete, _CanRead, etc.) on your data service (via the data designer) to perform permission checks in the middle-tier. If you also need to access user permissions on the HTML client in order to enable/disable UI elements then see my post: Using LightSwitch ServerApplicationContext and WebAPI to Get User Permissions.
In order to add a desktop client (our administration console), right-click on the project and select “Add Client”.
Then give it a name and click OK.
Now your solution will contain a desktop client. (Note: Once you add it, the desktop client will be set as the startup client for debug. Right-click on the HTMLClient and select “Set as StartUp Client” to switch it back.)
You actually do not need to add any screens to the desktop client. The Users and Roles admin screens will appear to anyone logged in with the SecurityAdministration permission. In order to get the first administrator into the database, you need to deploy your application, but first there are a couple of options to consider around the desktop client.
Right-click on the DesktopClient and select Properties. This will open the client-specific properties where you can specify a logo, icon, theme, etc. You can also change the screen navigation here. On the Client Type tab you can decide whether you want to deploy the desktop client as in-browser or out-of-browser. The LightSwitch desktop client is a Silverlight 5 client so it will run on a variety of desktop browsers (see system requirements here).
By default, when you add a Desktop client to a LightSwitch application the client type will be set to Web. This is a good choice if you are simply managing administrative data. If you need to automate other programs or devices on the Windows desktop via COM (e.g. Excel, Word, eye scanners, etc.) then you will want to choose the “Desktop” option. This option will only run on Windows machines, but it runs with higher trust so you can talk to other programs.
For this simple administrative console, leave it as Web. Now right-click on the LightSwitch application in the Solution Explorer and select Publish. The key piece of information that the publish wizard needs is the Application Administrator information on the Security Settings tab. This is the user that will be added to the database the first time the application runs.
For more information on deploying see: How to: Deploy a 3-tier Application
Once we’ve deployed the application, navigate to the DesktopClient and provide the same credentials you specified in the Publish Wizard. The application now has two clients, so remember to navigate to the correct virtual directory to run the associated client. For example, the name of our desktop client is “DesktopClient”, so to run this one navigate to: http://www.mydomain.com/DesktopClient and to run the mobile client named “HTMLClient” navigate to: http://www.mydomain.com/HTMLClient
When you open the desktop client and log in, you will see the Users and Roles screens under the Administration menu.
Once the administrator sets up the Roles and Users, those users can navigate to the HTMLClient on their mobile devices and log in.
This is great but is there a way to configure OWIN Forms authentication in LightSwitch?
Any plans to add the Administration menu to the HTML client?
Any plans to add support for external authentication services, which include several OAuth/OpenID and social media authentication services: Microsoft Accounts, Twitter, Facebook, and Google.
Like here www.asp.net/.../external-authentication-services
@Roger, @rbrogan - You can plug in your own membership providers into LightSwitch. See this article on how: blogs.msdn.com/.../customizing-lightswitch-user-management.aspx
@Beth Thanks for the info. Good to know that LightSwitch uses the standard asp.net providers. What I was more interested in was the way to configure LightSwitch to use the new OWIN based authentication model like in the new ASP.NET SPA template. You can use the same setup with Webforms, MVC, Web API, SignalR and why not LightSwitch? I love this tool and think it has great potential!
Thanks for the article.
But we are getting the following errors when we add a Desktop Client to a VS2012 LS HTML Client App solution.
"Could not resolve reference property 'Application.Shell' with reference string 'CosmopolitanExtension:CosmopolitanShell'. Reason: 'NoItemMatched'."
"Could not resolve reference property 'Application.Theme' with reference string 'CosmopolitanExtension:CosmopolitanTheme'. Reason: 'NoItemMatched'."
We are using VS2012 LightSwitch HTML Client.
Quick Response expected.
Thanks in Advance.
Thank you Beth, very nice article, it helped me a lot. But is there a way to authorize the user before opening a page? Or, put another way, how do I prevent a user from opening a page if he is not authorized in a LightSwitch HTML client app? I know about the _canRun method in LightSwitch apps, but is there anything that can do that in HTML client apps?
I laughed when I read 'eye scanners'. Anyway, here is a way to admin security roles without the desktop client.
Beth, I have a problem. I created my HTML Client first, published it and the database, then I created my Desktop Client outside of that project using an External Datasource connection to the one created with the HTML Client. If I look into the database's aspnet_Applications table, I see both applications. I can log into both applications using the same login found under aspnet_Users; however, both applications are showing different data when logged in :( How is this possible? I only see one entity underneath my parent table, yet two are showing up inside the Desktop Client, as if there are two totally different records in the database that I can see are obviously not there. Any help??
After adding the desktop client I am getting the error "Nested Transaction not supported". I have the latest version of MySQL and Connector/NET. I have OS Win 8.1, VS 2013 Update 3. Please help.