Themelia Pro A powerful new development platform built on ASP.NET.
Understanding Themelia Pro Login Security

Themelia Pro has a built in per-web domain security model to allow the creation of a simple to use custom login system. This system allows you to block (if allowed by default) or allow (if blocked by default) specific endpoints of a web site.

Upon access to a secured portion of a web domain, a custom validator is accessed to see if the specific user is authenticated to the system. If not, the user is sent to the user's current endpoint with a suffix of /login (this text is customizabale via the loginText attribute). For example, if a user attempts to access a secured endpoint "/member", the user will be sent to /member/login. Themelia Pro will know to show your custom login screen at this point. When login is successful, user is allowed access to the restricted portion of the web domain he or she was originally attempting to access.

To implement Themelia Pro security, you first add a security configuration element to a web domain. This element has the following attributes:

  • defaultAccessMode (required)
  • loginTarget (required)
  • validatorType (required)
  • loginText (optional)
  • defaultLoggedInTarget (optional)

Below is a complete example of the security configuration element:

<security defaultAccessMode="Deny"
        validatorType="ABCCorp.Web.Security.SecurityValidator, ABCCorp.Web" />

Parameter Details

defaultAccessMode specifies whether the current web domain is secure with exceptions for allowing public access or is non-secure with exceptions for blocking access. Available settings for this setting are Allow and Deny.

loginTarget is the actualy physical ASP.NET page that represents the login page. This page will show your custom login controls and will handle all your custom security logic (i.e. it may call the middle-tier to do database authentication).

validatorType is the name of the .NET class to be used as the Themelia Pro security validator. This is explained in more detail in the next section.

loginText (optional) is the text to be used in the endpoint text to signify to the user that he or she is on the login page. By default this text is "login".

defaultLoggedInTarget (optional) is the relative logical path that represents to what path a user should be sent when accessing the login page if he or she is already logged in. By default this is /.

Adding Exceptions

When defaultAccessMode is set to "Allow", any exceptions added represent endpoints that are secured. When defaultAccessMode is set to "Deny" any exceptions added represent endpoints that are not secured. To add exceptions, use the exceptions configuration collection. Below is ane example:

The exception key matches to the text of the endpoint.


A security validator is made by creating a class which inherits from the Themelia.Web.Security.ISecurityValidator abstract class. This abstract class requires that you implement the following signature:

Boolean IsValid();

When authentication is successful, true should be returned; otherwise false should be returned.

Below is a sample of a security validator checking for proper authorization:

using System;
using ABCCorp.Token.Service.Agent;
using ABCCorp.Web.Security;
namespace ABCCorp.Web.Security
    public class SecurityValidator : Themelia.Web.Security.ISecurityValidator
        //- @Info -//
        public class Info
            public const String Scope = "__$Security$";
            public const String UserData = "UserData";
            public const String Token = "Token";
            public const String PersonGuid = "PersonGuid";
            public const String FirstName = "FirstName";
            public const String LastName = "LastName";
        //- @IsValid -//
        public Boolean IsValid()
            if (Themelia.Web.HttpData.GetScopedSessionItem<ABCCorp.Token.Service.UserData>(Info.Scope, Info.UserData) != null)
                return true;
            return false;

The above example would be used with something like the following code in your login ASP.NET code-file:

//- $OnSubmit -//
private void OnSubmit(Object sender, EventArgs e)
    ABCCorp.Token.Service.UserData userData = TokenAgent.Login(txtUsername.Text, txtPassword.Text);
    if (userData != null && !String.IsNullOrEmpty(userData.Token))
        Themelia.Web.HttpData.SetScopedSessionItem<ABCCorp.Token.Service.UserData>(SecurityValidatorInfo.Scope, SecurityValidatorInfo.UserData, userData);
        Themelia.Web.Http.Redirect("/" + String.Join("/", Themelia.ArrayModifier.Strip<String>(Themelia.Web.Http.UrlPartArray)));
        litStatusMessage.Text = "Invalid username or password.";

In this example, the user's username and password and verified by a token service. If successful, the user is redirected to the following path:

Themelia.Web.Http.Redirect("/" + String.Join("/", Themelia.ArrayModifier.Strip<String>(Themelia.Web.Http.UrlPartArray)));

This path represents the original path accessed (i.e. the current path without the final URL segment).