Matt
Hello all,
We are using Forms Authentication in an application to protect both
sensitive ASP.Net pages and Web services.
This question is relating to Web services and forms authentication,
and I will try to explain the issue by detailing how a client accesses
a secure Web service.
1) The Web service client accesses an unsecured login Web service,
passing in a username and password.
2) If the user is successfully authenticated, the Web service returns
an encrypted Forms Authentication ticket as a string.
3) Secure Web services all sit under a directory secured by Forms
Authentication in the usual manner in the Web.config. Hence
unauthenticated access causes a redirect to Login.aspx and the request
is rejected.
4) To call a secured Web service, the client attaches the
authentication ticket in the SOAP header of the Web service proxy, and
then calls the required method on the service.
5) At the server, we use an HTTP handler to intercept the
AuthenticationRequest event. In this handler, we check for Web service
calls (by checking for HTTP_SOAPACTION in the server variables
collection). If it is a Web service call, we check for the ticket in
the SOAP header. If we find it, we decrypt it and use it to attach the
authenticated principal to the User property of the current context.
This is all great, and works as expected. However, the
AuthenticationRequest event fires for all Web service calls - not just
ones to secure Web services... This means that the ticket being
missing in the header may not be an error, it could just be that the
Web service is not secured. Hence, I can't throw a suitable exception
in the handler when I don't find the ticket as I don't know if I was to
expect one or not. This means users of the secure Web services don't
get a useful exception passed back to them explaining that the ticket
was missing. Instead, they get redirected to login.aspx which is
secure but hard to handle at the client.
So, after all this long-winded explanation, my question is....
- How can I test in the AuthenticationRequest event if the current
request is to a page secured by Forms Authentication?
Something like Context.Request.IsPageSecuredByFormsAuthentication
would be nice
For now I am just hacking this by testing if the URL of the request is
in the "secure/" directory.
Thanks for any help,
Regards,
Matt
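
One way to make the check asked about above, as an added example that is not part of the original post: evaluate the Web.config `<authorization>` rules for the requested URL against an anonymous principal with `UrlAuthorizationModule.CheckUrlAccessForPrincipal`, and answer 401 when a secured service is called without a valid ticket. The module name `SoapTicketModule` and the `<Ticket>` SOAP header element are assumed names, the pipeline event is hooked as `HttpApplication.AuthenticateRequest`, and `SuppressFormsAuthenticationRedirect` requires .NET 4.5 or later.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Xml;

// Added example; SoapTicketModule and the <Ticket> header element are assumed names.
public sealed class SoapTicketModule : IHttpModule
{
    // Unauthenticated principal (an empty name makes IsAuthenticated false).
    private static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);

    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    private static void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Request.ServerVariables["HTTP_SOAPACTION"] == null) return; // not SOAP

        IPrincipal user = ReadTicket(ctx.Request);
        if (user != null) { ctx.User = user; return; }

        // Apply the <authorization> rules for this URL to an anonymous caller.
        // True means the service is unsecured, so a missing ticket is not an error.
        if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                ctx.Request.Path, Anonymous, ctx.Request.HttpMethod)) return;

        // Secured URL without a valid ticket: answer 401 instead of the login redirect.
        ctx.Response.StatusCode = 401;
        ctx.Response.StatusDescription = "Forms Authentication ticket missing or invalid";
        ctx.Response.SuppressFormsAuthenticationRedirect = true; // .NET 4.5 and later
        ctx.ApplicationInstance.CompleteRequest();
    }

    private static IPrincipal ReadTicket(HttpRequest request)
    {
        try
        {
            XmlDocument doc = new XmlDocument { XmlResolver = null }; // no external entities
            doc.Load(request.InputStream);
            XmlNode node = doc.SelectSingleNode(
                "//*[local-name()='Header']//*[local-name()='Ticket']");
            FormsAuthenticationTicket t =
                node == null ? null : FormsAuthentication.Decrypt(node.InnerText.Trim());
            if (t == null || t.Expired) return null;
            return new GenericPrincipal(new FormsIdentity(t), new string[0]);
        }
        catch (Exception) { return null; }            // fail closed: bad envelope or ticket
        finally { request.InputStream.Position = 0; } // let the service re-read the body
    }
}
```

The module has to be registered in Web.config to run, and because the decision comes from the same `<authorization>` rules that drive the login redirect, it stays correct if secured services are later moved out of "secure/".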