Security

Re: AuthenticateRequest always fires

Ashiki — Tue, 11 Apr 2006 10:42:12 GMT

I think that's the answer! I've set the loginUrl in web.config to the external site and handle the FormsAuthenticationModule Authenticate event in a HTTP Module to check for authenticated users being redirected back from the external site. It seems to work fine.

Re: AuthenticateRequest always fires

sschack — Mon, 10 Apr 2006 21:09:05 GMT

It looks like the forms authentication module is always going to get in the way. I see two solutions to this:

1.) Hook the EndRequest event. Look for a Response.StatusCode of 302 and Response.RedirectLocation set to the login page for the application. This combination of data indicates that the current request failed authorization to the requested page.

2.) Set the "loginUrl" attribute for your application to the remote application that has the real login page: <forms ... loginUrl="http://www.myloginapp.com/login.aspx" />

Re: AuthenticateRequest always fires

Ashiki — Mon, 10 Apr 2006 08:03:44 GMT

The login page is on another domain. That's why I want to handle the page request before forms authentication does, but only if the page is configured in web.config to disallow anonymous access.

Re: AuthenticateRequest always fires

sschack — Fri, 07 Apr 2006 17:57:57 GMT

I guess the question is what do you need to do in the app? If you just want to change the login page, you can set the "loginUrl" attribute on the <forms /> element to your sign in page.

Re: AuthenticateRequest always fires

Ashiki — Fri, 07 Apr 2006 10:40:24 GMT

I always get statuscodes of 200 or 302 from EndRequest. I think this is because the page is either available to unauthorized users (200) or the user is being redirected by forms authentication (302) and then landing on the login.aspx page (200) (which I haven't configured as "login.aspx" in web.config, that just seems to be the default). So I guess what I want to do is to get access to the HTTP pipeline before forms authentication does - anyone know how to do that? I've tried the code below but without success:

Public Sub Init(ByVal context As System.Web.HttpApplication) Implements System.Web.IHttpModule.Init

Dim instance As FormsAuthenticationModule

AddHandler instance.Authenticate, AddressOf Me.Forms_AuthenticateRequest

End Sub

Private Sub Forms_AuthenticateRequest(ByVal Source As Object, ByVal e As Web.Security.FormsAuthenticationEventArgs)

'do stuff here

End Sub

Re: AuthenticateRequest always fires

sschack — Thu, 06 Apr 2006 19:43:18 GMT

AuthenticateRequest is an event that occurs in the Http pipeline - which is why an event handler that subscribes to this will get called on each request. Usually this is the event where code looks for some value in the request (a cookie, a header, etc...) and if this value is found, converts it into a principal object that is placed on the HttpContext.

If the intent is to determine if authorization failed, and a redirect is needed to a login page, you can hook the EndRequest event. If the value of Response.StatusCode is 401, this indicates that an authorization failure occurred (probably from UrlAuthorization). In this case you can then redirect to an appropriate login page.

AuthenticateRequest always fires

Ashiki — Thu, 06 Apr 2006 09:56:09 GMT

I have a HTTP Module that grabs the AuthenticateRequest and checks the current user's credentials. It all works fine and I thought that I could specify the pages that should be under this system by using web.config like so:

.. in which case users.aspx would require authorization but signup.aspx would not. It seems that AuthenticateRequest fires on every page no matter what and there's no method I can find to check whether to run code - such as a FormsAuthentication.IsRequired, or something like that. I've tried using AuthorizeRequest instead but that gives the same result and I've found the UrlAuthorizationModule.CheckUrlAccessForPrincipal method in 2.0, but I'm using 1.1 !

So, how do you check if authorization is required?

'example code from httpmodule

Private Sub Application_AuthenticateRequest(ByVal Source As Object, ByVal e As EventArgs)

'do stuff here

End Sub

Public Sub Init(ByVal context As System.Web.HttpApplication) Implements System.Web.IHttpModule.Init

AddHandler context.AuthenticateRequest, AddressOf Me.Application_AuthenticateRequest

End Sub