Last post May 01, 2014 01:55 AM by noJedi
Apr 28, 2014 04:00 AM|noJedi|LINK
I've got a custom role provider that looks to some database tables for info via a webservice.
I've also got some areas that I DON'T want restricted to "authorized" users, but the problem is that I've got a DI module that I'm trying to get to buildup all the ASPX pages - but when (for example) my user is not a valid user, I want to basically say "fine - but you can't access anything but this 401 page (and related stylesheets)". The problem is that because the module runs for "everything", with the IIS pipeline able to work for any file, not just ASPX, it is still trying to run the DI stuff on stylesheets and so forth, but fails because the user is not Authz'd and so things are "NULL" (like current handler), and so this throws a null reference error and the user gets a "NULL REFERENCE" error rather than the "you are not authorized..."
What is the solution to this?
I don't think I want to turn off "all managed modules to run for all requests" - but perhaps this is the answer? - UPDATE: No it's not, because it still happens... unless there's something missing in IIS Express... I'm thinking that this has nothing to do with the role provider... and it's something about the Module and its operation...
How does this affect things like files protected directly by ROLE if I do this (*I* think this is why I don't want to turn this off)...?
<allow users="?" />
<allow users="*" />
<allow users="?" />
<allow users="*" />
<authentication mode="Windows" />
<deny users="?" />
<allow roles="megaUser,megaAdmin" />
<roleManager enabled="true" defaultProvider="AdminCustomRoleManager">
<add name="AdminCustomRoleManager" type="AdminServiceRoleProvider" />
</roleManager>
<customErrors defaultRedirect="~/error/default.aspx" mode="On" redirectMode="ResponseRewrite">
<error statusCode="401" redirect="~/error/denied.html" />
</customErrors>
</system.web>
<system.webServer>
<modules>
<add name="UnityModule" type="Unity.Web.UnityHttpModule, CommonLib" />
</modules>
Apr 29, 2014 01:54 AM|Michelle Ge - MSFT|LINK
So far as I know, the IIS core engine uses preconditions to determine when to enable a particular module. If we add the code below to web.config:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
It enables the forms authentication module for requests that are also handled by a managed handler, such as requests to .aspx or .asmx files. If we want Forms Authentication to also apply to content that is not served by managed handlers, such as .html, .jpg, .doc, but also for classic ASP (.asp) or PHP (.php) extensions, we can try to remove the preCondition="managedHandler" property.
For more information, please refer to the links below:
Hope it's useful for you.
May 01, 2014 01:55 AM|noJedi|LINK
Thanks very much for that info, it helped me to understand better.
I am a little surprised by the various behaviours but I guess I understand it... I guess I was thinking that "runall for all= false" would fall back to the precondition equivalent of "managedHandler==false" but it doesn't appear to work
Those links really helped clarify thank you!
ASIDE: While the above IS the direct answer, I've realised (with my newfound understanding) that the whole DI via this handler/module setup (possibly even in MVC although I'm dealing with ASP.NET forms) raises some issues with this problem:
DI -> managed
other stuff -> not managed... eg .css, images, html
security -> authN/Z ...
Now if I wanted to "cover" non-managed stuff, with my security stuff that has a dependency on the DI stuff which is only covered by the managed stuff... then I'm stuck...
I *assume* the answer would be SOME kind of modification to the handler to COPE with the "currentHandler" being null... somehow...
Has anyone made these mods (if that is even the correct way to go about doing that)?
http://msdn.microsoft.com/en-us/library/ff664534(v=PandP.50).aspx module from the Patterns and Practices team in case that wasn't stated...)
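
Added example, not part of the thread and not the Patterns and Practices module's own code: one way a build-up module can cope with a null current handler, so that requests for the 401 page and its stylesheets pass through without a null reference error. The class name GuardedUnityHttpModule and the "UnityContainer" application-state key are hypothetical, and the sketch assumes the container was stored in application state at startup; it builds up the page object only, not its child controls.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Practices.Unity;

// Hypothetical module: performs DI build-up only when the request is served by a Page.
public sealed class GuardedUnityHttpModule : IHttpModule
{
    // Assumption: Application_Start stored the container under this key.
    private const string ContainerKey = "UnityContainer";

    public void Init(HttpApplication application)
    {
        // The handler for the request has been selected by this stage.
        application.PreRequestHandlerExecute += OnPreRequestHandlerExecute;
    }

    private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Static content (.css, images, .html) is not served by a Page, so
        // CurrentHandler is null or a non-page handler. Return early instead
        // of dereferencing it; authorization is left to the pipeline's own
        // authorization modules and is not decided here.
        Page page = context.CurrentHandler as Page;
        if (page == null)
        {
            return;
        }

        IUnityContainer container =
            context.Application[ContainerKey] as IUnityContainer;
        if (container == null)
        {
            throw new InvalidOperationException(
                "Unity container was not registered at application start.");
        }

        // Inject dependencies into the existing page instance.
        container.BuildUp(page.GetType(), page);
    }

    public void Dispose()
    {
    }
}
```

The early return means the module behaves the same whether or not its entry under modules carries preCondition="managedHandler".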