.. in which case users.aspx would require authorization but signup.aspx would not. It seems that AuthenticateRequest fires on every page no matter what and there's no method I can find to check whether to run code - such as a FormsAuthentication.IsRequired, or something like that. I've tried using AuthorizeRequest instead but that gives the same result and I've found the UrlAuthorizationModule.CheckUrlAccessForPrincipal method in 2.0, but I'm using 1.1 !

So, how do you check if authorization is required?

'example code from httpmodule

'do stuff here

End Sub

AddHandler context.AuthenticateRequest, AddressOf Me.Application_AuthenticateRequest

End Sub

AuthenticateRequest is an event that occurs in the Http pipeline - which is why an event handler that subscribes to this will get called on each request.  Usually this is the event where code looks for some value in the request (a cookie, a header, etc...) and if this value is found, converts it into a principal object that is placed on the HttpContext.

If the intent is to determine if authorization failed, and a redirect is needed to a login page, you can hook the EndRequest event.  If the value of Response.StatusCode is 401, this indicates that an authorization failure occurred (probably from UrlAuthorization).  In this case you can then redirect to an appropriate login page.

I always get statuscodes of 200 or 302 from EndRequest. I think this is because the page is either available to unauthorized users (200) or the user is being redirected by forms authentication (302) and then landing on the login.aspx page (200) (which I haven't configured as "login.aspx" in web.config, that just seems to be the default). So I guess what I want to do is to get access to the HTTP pipeline before forms authentication does - anyone know how to do that? I've tried the code below but without success:

Dim instance As FormsAuthenticationModule

AddHandler instance.Authenticate, AddressOf  Me.Forms_AuthenticateRequest

End Sub

It looks like the forms authentication module is always going to get in the way.  I see two solutions to this:

1.)  Hook the EndRequest event.  Look for a Response.StatusCode of 302 and Response.RedirectLocation set to the login page for the application.  This combination of data indicates that the current request failed authorization to the requested page.

2.)  Set the "loginUrl" attribute for your application to the remote application that has the real login page:  <forms ... loginUrl="http://www.myloginapp.com/login.aspx" />

I think that's the answer! I've set the loginUrl in web.config to the external site and handle the FormsAuthenticationModule Authenticate event in a HTTP Module to check for authenticated users being redirected back from the external site. It seems to work fine.