Forms Authentication: login page in a separate web app

[Hari Menon]

Hi,

I would like to create a WebApp, say MySecurityProvider,
that just contains a login page that knows how to
authenticate a user. And I want other web apps, e.g.
MyTestWebApp, that require authentication to point their
loginUrl to the login page in my web app.

Is that possible? I tried setting the loginUrl in
MyTestWebApp to ponit to /MySecurityProvider/login.aspx.
What happens is that the redirect to the login page
succeeds and the login goes through as well and the
cookie gets issued (I set the path to "/" in both the
RedirectFromLoginPage() as well as in the <forms> tag).
But the protected resource in MyTestWebApp still cannot
be accessed. When I access an unprotected resource in
MyTestWebApp and check the cookies that are set, I do see
that the auth cookie IS there. But somehow I do not seem
to be able to access the protected resource on
MyTestWebApp - it always redirects me to the login page.

Am I doing something wrong or is this not supposed to
work?

 

[Jim Cheshire [MSFT]]

Hari,

Forms authentication is designed to be used on a per-application basis.
The login page must be located in the Web application you are
authenticating for.

Jim Cheshire [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

 

[Brad]

Hari - This is quite possible and in fact we're using it; our portal app
manages all logins for all apps. You should read up on how to do this in
Building Secure Microsoft ASP.NET Applications
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp

 

[Jim Cheshire [MSFT]]

Brad,

I'm not aware of any part of that book that indicates that you can point
multiple applications to one login page. Maybe I'm not completely aware of
what Hari is asking about.

Hari, if you want to have one login page for multiple applications, you
can't do that. However, if you want to allow a user to login using a login
page and then have that login valid for other applications, that IS
possible.

The two do not accomplish the same thing. In the latter, it is assumed
that a user will always log in to your application from one specific
application. The scenario you originally described did not seem to relate
to that requirement.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

 

[Brad]

Jim & Hari,
Here's the section from the book (and t's definitely worth having a hard
copy of this as I do)

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp
=================================================
Hosting Multiple Applications Using Forms Authentication

If you are hosting multiple Web applications that use Forms authentication
on the same Web server, it is possible for a user who is authenticated in
one application to make a request to another application without being
redirected to that application's logon page. The URL authorization rules
within the second application may deny access to the user, without providing
the opportunity to supply logon credentials using the logon form.
This only happens if the name and path attributes on the <forms> element are
the same across multiple applications and each application uses a common
<machineKey> element in Web.config.
=================================================

Is our case we have one web application that is our intranet portal. The
portal app has the login page and handles creating the forms
authenctication. All other web apps point to this one login page. When the
login is completed login page redirects back to the calling page...and now
the user is back in the web app which required the authenication. All
that's left for a web app to do is populate the app sepcific roles in the
authenication ticket and retreive the roles....which we do in common base
class for the global.asax. The portal app even manages the roles for all
of the other apps and serves them up to the other apps via a web service.

In the end all our web apps can implement the basic of common security with
very few lines of code.

Brad

Brad,

I'm not aware of any part of that book that indicates that you can point
multiple applications to one login page. Maybe I'm not completely aware of
what Hari is asking about.

Hari, if you want to have one login page for multiple applications, you
can't do that. However, if you want to allow a user to login using a login
page and then have that login valid for other applications, that IS
possible.

The two do not accomplish the same thing. In the latter, it is assumed
that a user will always log in to your application from one specific
application. The scenario you originally described did not seem to relate
to that requirement.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Brad" <[email protected]>
References: <[email protected]>
Subject: Re: Forms Authentication: login page in a separate web app
Date: Mon, 24 Nov 2003 11:04:38 -0800
Lines: 34
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.3790.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: risxlr5.ris.lane.or.us 199.79.46.126
Path:

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.

phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7659
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

Hari - This is quite possible and in fact we're using it; our portal app
manages all logins for all apps. You should read up on how to do this in
Building Secure Microsoft ASP.NET Applications
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/secnetlpMSDN.asp

 

[Jim Cheshire [MSFT]]

Brad,

This is referring to the same thing that I said in my last post. It is
possible to share a FormsAuthenticationTicket between applications.
However, what Hari asked is how to have all applications point back to a
single login page. That is a different scenario.

Suppose you have three applications; AppA, AppB, and AppC. You use the
method of making sure that <machineKey> settings are identical for each
application and you have removed the isolatedApps attribute in the
machine.config if running 1.1. It is still going to use the loginURL for
the application you are accessing on first browse. It will still now allow
you to have, for example, AppA and AppB redirect to AppC's login page.

As per my post yesterday to Hari, if the goal here is to share
authentication between Forms Authentication applications, that is easy to
implement. If the goal is to share one single login page for all
applications, that is not possible.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Brad" <[email protected]>
References: <[email protected]>

Subject: Re: Forms Authentication: login page in a separate web app
Date: Mon, 24 Nov 2003 19:55:54 -0800
Lines: 125
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: dialup-ras16-220.eug.or.uspops.net 64.28.52.220
Path: cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.
phx.gbl
Xref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.framework.aspnet.security:7669
X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.security

Jim & Hari,
Here's the section from the book (and t's definitely worth having a hard
copy of this as I do)

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h tml/SecNetch08.asp
=================================================
Hosting Multiple Applications Using Forms Authentication

If you are hosting multiple Web applications that use Forms authentication
on the same Web server, it is possible for a user who is authenticated in
one application to make a request to another application without being
redirected to that application's logon page. The URL authorization rules
within the second application may deny access to the user, without providing
the opportunity to supply logon credentials using the logon form.
This only happens if the name and path attributes on the <forms> element are
the same across multiple applications and each application uses a common
<machineKey> element in Web.config.
=================================================

Is our case we have one web application that is our intranet portal. The
portal app has the login page and handles creating the forms
authenctication. All other web apps point to this one login page. When the
login is completed login page redirects back to the calling page...and now
the user is back in the web app which required the authenication. All
that's left for a web app to do is populate the app sepcific roles in the
authenication ticket and retreive the roles....which we do in common base
class for the global.asax. The portal app even manages the roles for all
of the other apps and serves them up to the other apps via a web service.

In the end all our web apps can implement the basic of common security with
very few lines of code.

Brad

Brad,

I'm not aware of any part of that book that indicates that you can point
multiple applications to one login page. Maybe I'm not completely aware of
what Hari is asking about.

Hari, if you want to have one login page for multiple applications, you
can't do that. However, if you want to allow a user to login using a login
page and then have that login valid for other applications, that IS
possible.

The two do not accomplish the same thing. In the latter, it is assumed
that a user will always log in to your application from one specific
application. The scenario you originally described did not seem to relate
to that requirement.

Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
(e-mail address removed)

This post is provided as-is with no warranties and confers no rights.

--------------------

From: "Brad" <[email protected]>
References: <[email protected]>
Subject: Re: Forms Authentication: login page in a separate web app
Date: Mon, 24 Nov 2003 11:04:38 -0800
Lines: 34
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.3790.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Message-ID: <[email protected]>
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
NNTP-Posting-Host: risxlr5.ris.lane.or.us 199.79.46.126
Path:

cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11

 

[Brad]

Hari - What you're doing will work but you may be missing one of a couple of
things

1) The protected resource must be a aspx or something processed by the
aspnet_isapi.dll
2) If your protected resource is protected by roles then you must load the
roles into the context.user (iprincipal ) during the
Application_AuthenicateRequest event of the global.asax code of the
application which contains the protected resource.
Brad