Retrieving if current request is for a resource requiring authentication

Discussion in 'ASP .Net' started by Matt, Jun 30, 2004.

  1. Matt

    Matt Guest

    Hello all,

    We are using Forms Authentication in an application to protect both
    sensitive ASP.Net pages and Web services.

    This question is relating to Web services and forms authentication,
    and I will try to explain the issue by detailing how a client accesses
    a secure Web service.

    1) The Web service client accesses an unsecured login Web service,
    passing in a username and password.
    2) If the user is successfully authenticated, the Web service returns
    an encrypted Forms Authentication ticket as a string.
    3) Secure Web services all sit under a directory secured by Forms
    Authentication in the usual manner in the Web.config. Hence
    unauthenticated access causes a redirect to Login.aspx and the request
    is rejected.
    4) To call a secured Web service, the client attaches the
    authentication ticket in the SOAP header of the Web service proxy, and
    then calls the required method on the service.
    5) At the server, we use an HTTP handler to intercept the
    AuthenticationRequest event. In this handler, we check for Web service
    calls (by checking for HTTP_SOAPACTION in the server variables
    collection). If it is a Web service call, we check for the ticket in
    the SOAP header. If we find it, we decrypt it and use it to attach the
    authenticated principal to the User property of the current context.

    This is all great, and works as expected. However, the
    AuthenticationRequest event fires for all Web service calls - not just
    ones to secure Web services... This means that the ticket being
    missing in the header may not be an error, it could just be that the
    Web service is not secured. Hence, I can't throw a suitable exception
    in the handler when I don't find the ticket as I don't know if I was to
    expect one or not. This means users of the secure Web services don't
    get a useful exception passed back to them explaining that the ticket
    was missing. Instead, they get redirected to login.aspx, which is
    secure but hard to handle at the client.

    So, after all this long-winded explanation, my question is....
    - How can I test in the AuthenticationRequest event if the current
    request is to a page secured by Forms Authentication?
    Something like Context.Request.IsPageSecuredByFormsAuthentication
    would be nice ;)
    For now I am just hacking this by testing if the URL of the request is
    in the "secure/" directory.

    Thanks for any help,
    Matt, Jun 30, 2004
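
One way to make the check asked for above, as an added example that is not part of the original post: ask URL authorization whether an anonymous caller would be admitted to the requested path, and return a SOAP fault only when it would not. It assumes .NET 4.0 or later (these APIs postdate the post); the module name `SoapTicketModule` and the header element name `AuthTicket` are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Xml;

public class SoapTicketModule : IHttpModule   // hypothetical module name
{
    // An empty identity name makes IsAuthenticated false, i.e. an anonymous caller.
    static readonly IPrincipal Anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }
    static void OnAuthenticate(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        if (req.ServerVariables["HTTP_SOAPACTION"] == null) return;   // not a Web service call
        FormsAuthenticationTicket ticket = ReadTicket(req);
        if (ticket != null && !ticket.Expired)
            ctx.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
        // No valid ticket is an error only if the <authorization> rules refuse an anonymous caller.
        else if (!UrlAuthorizationModule.CheckUrlAccessForPrincipal(req.FilePath, Anonymous, req.HttpMethod))
        {
            ctx.Response.StatusCode = 500;               // SOAP 1.1 faults travel on HTTP 500
            ctx.Response.TrySkipIisCustomErrors = true;  // keep IIS from replacing the fault body
            ctx.Response.ContentType = "text/xml";
            ctx.Response.Write(
                "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><soap:Fault>" +
                "<faultcode>soap:Client</faultcode><faultstring>Authentication ticket missing or invalid" +
                "</faultstring></soap:Fault></soap:Body></soap:Envelope>");
            ctx.ApplicationInstance.CompleteRequest();   // skip the rest of the pipeline
        }
    }

    static FormsAuthenticationTicket ReadTicket(HttpRequest req)
    {
        try
        {
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
            var doc = new XmlDocument();
            using (XmlReader reader = XmlReader.Create(req.InputStream, settings)) doc.Load(reader);
            XmlNode node = doc.SelectSingleNode(     // "AuthTicket" is an assumed header element name
                "/*[local-name()='Envelope']/*[local-name()='Header']//*[local-name()='AuthTicket']");
            return node == null ? null : FormsAuthentication.Decrypt(node.InnerText.Trim());
        }
        catch (Exception) { return null; }           // malformed XML or a ticket that fails to decrypt
        finally { req.InputStream.Position = 0; }    // rewind so the ASMX handler can read the body
    }
}
```

`CheckUrlAccessForPrincipal` evaluates only the `<authorization>` rules in Web.config, so the secured directory is detected from configuration rather than from a hard-coded "secure/" path test.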