Retrieving if current request is for a resource requiring authentication

Matt

Hello all,

We are using Forms Authentication in an application to protect both
sensitive ASP.Net pages and Web services.

This question is relating to Web services and forms authentication,
and I will try to explain the issue by detailing how a client accesses
a secure Web service.

1) The Web service client accesses an unsecured login Web service,
passing in a username and password.
2) If the user is successfully authenticated, the Web service returns
an encrypted Forms Authentication ticket as a string.
3) Secure Web services all sit under a directory secured by Forms
Authentication in the usual manner in the Web.config. Hence
unauthenticated access causes a redirect to Login.aspx and the request
is rejected.
4) To call a secured Web service, the client attaches the
authentication ticket in the SOAP header of the Web service proxy, and
then calls the required method on the service.
5) At the server, we use an HTTP handler to intercept the
AuthenticationRequest event. In this handler, we check for Web service
calls (by checking for HTTP_SOAPACTION in the server variables
collection). If it is a Web service call, we check for the ticket in
the SOAP header. If we find it, we decrypt it and use it to attach the
authenticated principal to the User property of the current context.

This is all great, and works as expected. However, the
AuthenticationRequest event fires for all Web service calls - not just
ones to secure Web services... This means that the ticket being
missing in the header may not be an error, it could just be that the
Web service is not secured. Hence, I can't throw a suitable exception
in the handler when I don't find the ticket as I don't know if I was to
expect one or not. This means users of the secure Web services don't
get a useful exception passed back to them explaining that the ticket
was missing. Instead, they get redirected to login.aspx which is
secure but hard to handle at the client.

So, after all this long-winded explanation, my question is....
- How can I test in the AuthenticationRequest event if the current
request is to a page secured by Forms Authentication?
Something like Context.Request.IsPageSecuredByFormsAuthentication
would be nice ;)
For now I am just hacking this by testing if the URL of the request is
in the "secure/" directory.

Thanks for any help,
Regards,
Matt
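
An added example, not part of the original post: one way to ask the Web.config `<authorization>` rules whether the requested URL admits anonymous callers is ASP.NET's `UrlAuthorizationModule.CheckUrlAccessForPrincipal`, and to answer a secured SOAP call that lacks a valid ticket with a SOAP fault instead of the login redirect. It assumes .NET 4 or later, code placed in Global.asax.cs, and a hypothetical header element named `AuthTicket`.

```csharp
// Added example (Global.asax.cs). "AuthTicket" is an assumed SOAP header element name.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Xml;

public class Global : HttpApplication
{
    // Empty name => IsAuthenticated == false, so this principal matches <deny users="?"/>.
    static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Request.ServerVariables["HTTP_SOAPACTION"] == null) return; // not a SOAP call
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(ReadTicket(Request));
            if (t != null && !t.Expired)
                Context.User = new GenericPrincipal(new FormsIdentity(t), new string[0]);
        }
        catch (ArgumentException) { } // null, malformed or tampered ticket: stay unauthenticated
        bool authed = Context.User != null && Context.User.Identity.IsAuthenticated;
        // Would the <authorization> rules let an anonymous caller reach this URL?
        bool open = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            Request.FilePath, Anonymous, Request.HttpMethod);
        if (!open && !authed) SoapFault("Authentication ticket missing, invalid or expired.");
    }
    static string ReadTicket(HttpRequest req)
    {
        // The body is parsed before authentication, so DTDs are refused outright.
        XmlReaderSettings s = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit };
        XmlDocument doc = new XmlDocument();
        try { using (XmlReader r = XmlReader.Create(req.InputStream, s)) doc.Load(r); }
        catch (XmlException) { return null; }
        finally { req.InputStream.Position = 0; } // let the .asmx handler re-read the body
        XmlNode n = doc.SelectSingleNode("//*[local-name()='Header']//*[local-name()='AuthTicket']");
        return n == null ? null : n.InnerText.Trim();
    }
    void SoapFault(string msg)
    {
        Response.Clear();
        Response.StatusCode = 500; // SOAP 1.1 fault status; not 401, so no login redirect
        Response.ContentType = "text/xml; charset=utf-8";
        Response.Write("<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
            "<soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>" +
            HttpUtility.HtmlEncode(msg) + "</faultstring></soap:Fault></soap:Body></soap:Envelope>");
        CompleteRequest(); // skip the rest of the pipeline, including URL authorization
    }
}
```

Because the decision comes from the same `<authorization>` rules that Forms Authentication enforces, the check keeps working if secured services are moved or new `<location>` elements are added.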
 
