FormAuthentication on ascx files

Discussion in 'ASP .Net Security' started by Joey Lee, Dec 5, 2004.

  1. Joey Lee

    Joey Lee Guest

    Hi,

    I have a default.aspx page which has PlaceHolder where it will call
    different *.acx file based on the request url.
    eg http://localhost/default.aspx?module=home
    will put a home.ascx in the place holder
    and
    eg http://localhost/default.aspx?module=admin
    will put a admin.ascx in the place holder

    both the home and admin have its own folder respectively, where home.ascx is
    in /home folder and admin.ascx is in /admin folder.

    So I would like to implement form authentication, that if the user is not
    authenticated, when the default page is called with the parameter of
    module=admin, the user will be rejected.

    As normal i will create another web.config file in the folder and restrict
    all user which is not authenticated. However this did not work in my case
    where the page which is invoked is the default.aspx page regardless of all
    the .ascx files that are called.

    From the look of it only if i create an aspx file in the admin folder and
    call it like
    http://localhost/admin/admin.aspx then the authentication will work where
    the user is rejected.

    Is there any way to use form authentication for this?, or would I have to do
    a different set of coding in the default page which will check if the ascx
    page being called is retricted or not?

    Or, would it be my design is totally wrong where i shouldn't have only a
    single aspx file calling different "module" which are totally coded as ascx
    files?

    Thanks in advance.

    Joey
     
    Joey Lee, Dec 5, 2004
    #1
    1. Advertising

  2. Joey Lee

    ranganh Guest

    Dear Joey,

    Your idea is good. But it doenst work as with normal when it comes to ascx
    files. Basically ascx files are not pages but parts of a page and they are
    rendered before the page is rendered.

    One way to restrict users would be is to put the following code in the
    codebehind of the usercontrol's page_load event as

    If(! Page.User.Identity.IsAuthenticated)
    {
    Response.Redirect("LoginPage.aspx");
    }

    This should help you in filtering anonymous calls to admin sections.

    Does that help.


    "Joey Lee" wrote:

    > Hi,
    >
    > I have a default.aspx page which has PlaceHolder where it will call
    > different *.acx file based on the request url.
    > eg http://localhost/default.aspx?module=home
    > will put a home.ascx in the place holder
    > and
    > eg http://localhost/default.aspx?module=admin
    > will put a admin.ascx in the place holder
    >
    > both the home and admin have its own folder respectively, where home.ascx is
    > in /home folder and admin.ascx is in /admin folder.
    >
    > So I would like to implement form authentication, that if the user is not
    > authenticated, when the default page is called with the parameter of
    > module=admin, the user will be rejected.
    >
    > As normal i will create another web.config file in the folder and restrict
    > all user which is not authenticated. However this did not work in my case
    > where the page which is invoked is the default.aspx page regardless of all
    > the .ascx files that are called.
    >
    > From the look of it only if i create an aspx file in the admin folder and
    > call it like
    > http://localhost/admin/admin.aspx then the authentication will work where
    > the user is rejected.
    >
    > Is there any way to use form authentication for this?, or would I have to do
    > a different set of coding in the default page which will check if the ascx
    > page being called is retricted or not?
    >
    > Or, would it be my design is totally wrong where i shouldn't have only a
    > single aspx file calling different "module" which are totally coded as ascx
    > files?
    >
    > Thanks in advance.
    >
    > Joey
    >
    >
    >
     
    ranganh, Dec 6, 2004
    #2
    1. Advertising

  3. Joey Lee

    Joey Lee Guest

    Thanks. That helps.

    However i am wondering what does it mean by "form authentication protects
    ascx files as well as all other a* files " which i read on the internet.

    Joey

    "ranganh" <> wrote in message
    news:...
    >
    >
    > Dear Joey,
    >
    > Your idea is good. But it doenst work as with normal when it comes to

    ascx
    > files. Basically ascx files are not pages but parts of a page and they

    are
    > rendered before the page is rendered.
    >
    > One way to restrict users would be is to put the following code in the
    > codebehind of the usercontrol's page_load event as
    >
    > If(! Page.User.Identity.IsAuthenticated)
    > {
    > Response.Redirect("LoginPage.aspx");
    > }
    >
    > This should help you in filtering anonymous calls to admin sections.
    >
    > Does that help.
    >
    >
    > "Joey Lee" wrote:
    >
    > > Hi,
    > >
    > > I have a default.aspx page which has PlaceHolder where it will call
    > > different *.acx file based on the request url.
    > > eg http://localhost/default.aspx?module=home
    > > will put a home.ascx in the place holder
    > > and
    > > eg http://localhost/default.aspx?module=admin
    > > will put a admin.ascx in the place holder
    > >
    > > both the home and admin have its own folder respectively, where

    home.ascx is
    > > in /home folder and admin.ascx is in /admin folder.
    > >
    > > So I would like to implement form authentication, that if the user is

    not
    > > authenticated, when the default page is called with the parameter of
    > > module=admin, the user will be rejected.
    > >
    > > As normal i will create another web.config file in the folder and

    restrict
    > > all user which is not authenticated. However this did not work in my

    case
    > > where the page which is invoked is the default.aspx page regardless of

    all
    > > the .ascx files that are called.
    > >
    > > From the look of it only if i create an aspx file in the admin folder

    and
    > > call it like
    > > http://localhost/admin/admin.aspx then the authentication will work

    where
    > > the user is rejected.
    > >
    > > Is there any way to use form authentication for this?, or would I have

    to do
    > > a different set of coding in the default page which will check if the

    ascx
    > > page being called is retricted or not?
    > >
    > > Or, would it be my design is totally wrong where i shouldn't have only a
    > > single aspx file calling different "module" which are totally coded as

    ascx
    > > files?
    > >
    > > Thanks in advance.
    > >
    > > Joey
    > >
    > >
    > >
     
    Joey Lee, Dec 6, 2004
    #3
  4. Joey Lee

    ranganh Guest

    It refers to that forms authentication protects by default, the files
    handled by asp.net (aspnet_isapil.dll) such as aspx, ascx so that you dont
    have to exclusively map the extensions to be handled by asp.net

    Ok, say you want to protect a doc from being downloaded then along with
    forms authentication, you also need to specify the handler in the IIS to make
    asp.net handle the request for the doc type file. Else, it will be ignored
    and will be downloaded regardless of whether the user is logged in or not.

    Hope it clarifies.

    "Joey Lee" wrote:

    > Thanks. That helps.
    >
    > However i am wondering what does it mean by "form authentication protects
    > ascx files as well as all other a* files " which i read on the internet.
    >
    > Joey
    >
    > "ranganh" <> wrote in message
    > news:...
    > >
    > >
    > > Dear Joey,
    > >
    > > Your idea is good. But it doenst work as with normal when it comes to

    > ascx
    > > files. Basically ascx files are not pages but parts of a page and they

    > are
    > > rendered before the page is rendered.
    > >
    > > One way to restrict users would be is to put the following code in the
    > > codebehind of the usercontrol's page_load event as
    > >
    > > If(! Page.User.Identity.IsAuthenticated)
    > > {
    > > Response.Redirect("LoginPage.aspx");
    > > }
    > >
    > > This should help you in filtering anonymous calls to admin sections.
    > >
    > > Does that help.
    > >
    > >
    > > "Joey Lee" wrote:
    > >
    > > > Hi,
    > > >
    > > > I have a default.aspx page which has PlaceHolder where it will call
    > > > different *.acx file based on the request url.
    > > > eg http://localhost/default.aspx?module=home
    > > > will put a home.ascx in the place holder
    > > > and
    > > > eg http://localhost/default.aspx?module=admin
    > > > will put a admin.ascx in the place holder
    > > >
    > > > both the home and admin have its own folder respectively, where

    > home.ascx is
    > > > in /home folder and admin.ascx is in /admin folder.
    > > >
    > > > So I would like to implement form authentication, that if the user is

    > not
    > > > authenticated, when the default page is called with the parameter of
    > > > module=admin, the user will be rejected.
    > > >
    > > > As normal i will create another web.config file in the folder and

    > restrict
    > > > all user which is not authenticated. However this did not work in my

    > case
    > > > where the page which is invoked is the default.aspx page regardless of

    > all
    > > > the .ascx files that are called.
    > > >
    > > > From the look of it only if i create an aspx file in the admin folder

    > and
    > > > call it like
    > > > http://localhost/admin/admin.aspx then the authentication will work

    > where
    > > > the user is rejected.
    > > >
    > > > Is there any way to use form authentication for this?, or would I have

    > to do
    > > > a different set of coding in the default page which will check if the

    > ascx
    > > > page being called is retricted or not?
    > > >
    > > > Or, would it be my design is totally wrong where i shouldn't have only a
    > > > single aspx file calling different "module" which are totally coded as

    > ascx
    > > > files?
    > > >
    > > > Thanks in advance.
    > > >
    > > > Joey
    > > >
    > > >
    > > >

    >
    >
    >
     
    ranganh, Dec 10, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. tfs
    Replies:
    1
    Views:
    433
  2. Holger (David) Wagner
    Replies:
    2
    Views:
    1,979
    Holger (David) Wagner
    Jul 3, 2004
  3. T-Bone
    Replies:
    1
    Views:
    363
    SparvHok
    Nov 24, 2004
  4. Pradeep Sabharwal

    Need help in FrameBased FormAuthentication

    Pradeep Sabharwal, Dec 10, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    407
    Pradeep Sabharwal
    Dec 10, 2004
  5. Jamie  Pollard
    Replies:
    4
    Views:
    5,514
    Jamie Pollard
    Jul 15, 2005
Loading...

Share This Page