Forms Authentication: login page in a separate web app

Discussion in 'ASP .Net Security' started by Hari Menon, Oct 15, 2003.

  1. Hari Menon

    Hari Menon Guest

    Hi,

    I would like to create a WebApp, say MySecurityProvider,
    that just contains a login page that knows how to
    authenticate a user. And I want other web apps, e.g.
    MyTestWebApp, that require authentication to point their
    loginUrl to the login page in my web app.

    Is that possible? I tried setting the loginUrl in
    MyTestWebApp to point to /MySecurityProvider/login.aspx.
    What happens is that the redirect to the login page
    succeeds and the login goes through as well and the
    cookie gets issued (I set the path to "/" in both the
    RedirectFromLoginPage() as well as in the <forms> tag).
    But the protected resource in MyTestWebApp still cannot
    be accessed. When I access an unprotected resource in
    MyTestWebApp and check the cookies that are set, I do see
    that the auth cookie IS there. But somehow I do not seem
    to be able to access the protected resource on
    MyTestWebApp - it always redirects me to the login page.

    Am I doing something wrong or is this not supposed to
    work?
     
    Hari Menon, Oct 15, 2003
    #1

  2. Hari,

    Forms authentication is designed to be used on a per-application basis.
    The login page must be located in the Web application you are
    authenticating for.

    Jim Cheshire [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

     
    Jim Cheshire [MSFT], Oct 15, 2003
    #2

  3. Brad

    Brad Guest

    Hari - This is quite possible and in fact we're using it; our portal app
    manages all logins for all apps. You should read up on how to do this in
    Building Secure Microsoft ASP.NET Applications
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp



     
    Brad, Nov 24, 2003
    #3
  4. Brad,

    I'm not aware of any part of that book that indicates that you can point
    multiple applications to one login page. Maybe I'm not completely aware of
    what Hari is asking about.

    Hari, if you want to have one login page for multiple applications, you
    can't do that. However, if you want to allow a user to login using a login
    page and then have that login valid for other applications, that IS
    possible.

    The two do not accomplish the same thing. In the latter, it is assumed
    that a user will always log in to your application from one specific
    application. The scenario you originally described did not seem to relate
    to that requirement.

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

     
    Jim Cheshire [MSFT], Nov 24, 2003
    #4
  5. Brad

    Brad Guest

    Jim & Hari,
    Here's the section from the book (and it's definitely worth having a hard
    copy of this as I do)

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp
    =================================================
    Hosting Multiple Applications Using Forms Authentication

    If you are hosting multiple Web applications that use Forms authentication
    on the same Web server, it is possible for a user who is authenticated in
    one application to make a request to another application without being
    redirected to that application's logon page. The URL authorization rules
    within the second application may deny access to the user, without providing
    the opportunity to supply logon credentials using the logon form.
    This only happens if the name and path attributes on the <forms> element are
    the same across multiple applications and each application uses a common
    <machineKey> element in Web.config.
    =================================================

    In our case we have one web application that is our intranet portal. The
    portal app has the login page and handles creating the forms
    authentication. All other web apps point to this one login page. When the
    login is completed the login page redirects back to the calling page...and now
    the user is back in the web app which required the authentication. All
    that's left for a web app to do is populate the app specific roles in the
    authentication ticket and retrieve the roles....which we do in a common base
    class for the global.asax. The portal app even manages the roles for all
    of the other apps and serves them up to the other apps via a web service.

    In the end all our web apps can implement the basics of common security with
    very few lines of code.

    Brad



     
    Brad, Nov 25, 2003
    #5
  6. Brad,

    This is referring to the same thing that I said in my last post. It is
    possible to share a FormsAuthenticationTicket between applications.
    However, what Hari asked is how to have all applications point back to a
    single login page. That is a different scenario.

    Suppose you have three applications; AppA, AppB, and AppC. You use the
    method of making sure that <machineKey> settings are identical for each
    application and you have removed the isolatedApps attribute in the
    machine.config if running 1.1. It is still going to use the loginURL for
    the application you are accessing on first browse. It will still not allow
    you to have, for example, AppA and AppB redirect to AppC's login page.

    As per my post yesterday to Hari, if the goal here is to share
    authentication between Forms Authentication applications, that is easy to
    implement. If the goal is to share one single login page for all
    applications, that is not possible.

    Jim Cheshire, MCSE, MCSD [MSFT]
    Developer Support
    ASP.NET


    This post is provided as-is with no warranties and confers no rights.

     
    Jim Cheshire [MSFT], Nov 25, 2003
    #6
  7. Brad

    Brad Guest

    Hari - What you're doing will work but you may be missing one of a couple of
    things:

    1) The protected resource must be an aspx or something processed by the
    aspnet_isapi.dll
    2) If your protected resource is protected by roles then you must load the
    roles into the Context.User (IPrincipal) during the
    Application_AuthenticateRequest event of the global.asax code of the
    application which contains the protected resource.

    Brad

     
    Brad, Nov 25, 2003
    #7
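
The role-loading step described in post #7, written out as an added example; it is not code from the thread or from any of its participants. It assumes the login application stored the user's roles in the ticket's UserData as a '|'-separated string (that format, and the `ParseRoles` helper, are assumptions for illustration).

```csharp
// Global.asax.cs of the application that contains the protected resource
// (MyTestWebApp in the thread). Added example, not code from the thread.
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumption: roles were written to the ticket as "Managers|Staff".
    private const char RoleSeparator = '|';

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already processed the cookie.
        // If it could not validate and decrypt the ticket (different
        // <machineKey>, different <forms name>, expired ticket), the
        // request is still anonymous here and URL authorization will
        // send the user to loginUrl.
        if (Context.User == null || !Context.User.Identity.IsAuthenticated)
            return;

        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null)
            return; // authenticated by another module; leave it alone

        // UserData travels inside the ticket, so it is covered by the
        // ticket's encryption and validation (protection="All").
        FormsAuthenticationTicket ticket = identity.Ticket;
        string[] roles = ParseRoles(ticket.UserData);

        // Replace the principal so <authorization> role rules and
        // User.IsInRole() see the roles on this request.
        Context.User = new GenericPrincipal(identity, roles);
    }

    // Hypothetical helper: splits the stored role string and drops
    // empty entries, so a ticket with no roles yields an empty array.
    private static string[] ParseRoles(string userData)
    {
        ArrayList roles = new ArrayList();
        if (userData != null)
        {
            foreach (string part in userData.Split(RoleSeparator))
            {
                string role = part.Trim();
                if (role.Length > 0)
                    roles.Add(role);
            }
        }
        return (string[])roles.ToArray(typeof(string));
    }
}
```

The handler runs on every request, which is why the roles have to be carried in the ticket or fetched cheaply rather than looked up from scratch each time.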