Competitive Dad
I have a requirement to create a website running on IIS6 that allows
anonymous access by default and switches to Windows authentication once a
"Sign in" button is clicked.
I've pondered about this and have come up with a solution, but I just want
to check it here to make sure I'm not going to get caught in any nasty traps.
I have created a website with ONLY Windows Authentication enabled, and have
created an HttpModule as follows:
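/// <summary>
/// Swaps <c>Context.User</c> between an anonymous Windows principal and the
/// Windows identity IIS authenticated, driven by a per-session flag that is
/// toggled when the Sign In / Sign Out button is posted.
/// </summary>
/// <remarks>
/// This is a presentation-level switch, not an access-control boundary:
/// the handler runs at PreRequestHandlerExecute, which is after the
/// AuthorizeRequest stage, so anything that authorizes earlier in the pipeline
/// has already seen the identity IIS authenticated. With only Windows
/// Authentication enabled on the site, IIS still authenticates every request
/// before this module runs.
/// </remarks>
public class MySecurityModule : IHttpModule
{
    // Name of the posted form field that signals a Sign In / Sign Out click.
    private const string SignInFieldName = "btnSignIn";

    // Session key holding a bool: true = present the user as anonymous.
    private const string AnonymousSessionKey = "anon";

    #region IHttpModule Members

    /// <summary>Nothing to release; the module holds no resources.</summary>
    void IHttpModule.Dispose()
    {
    }

    /// <summary>Hooks the per-request identity switch into the pipeline.</summary>
    /// <param name="context">The application whose requests are intercepted.</param>
    void IHttpModule.Init(HttpApplication context)
    {
        context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute);
    }

    /// <summary>
    /// Decides, for the current request, whether the page code sees the
    /// anonymous identity or the authenticated Windows identity.
    /// </summary>
    void context_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpApplication appl = (HttpApplication)sender;

        // HttpApplication.Session throws when the current handler has no session
        // state; Context.Session returns null instead. Without a session there is
        // no sign-in flag, so fail closed and present the request as anonymous.
        if (appl.Context.Session == null)
        {
            appl.Context.User = new WindowsPrincipal(WindowsIdentity.GetAnonymous());
            return;
        }

        // Request.Form only carries POSTed fields; enumerating it yields the keys.
        // NOTE(review): the toggle is a state change triggered by a field name
        // alone, so it should be protected like any other state-changing post
        // (anti-forgery token / ViewState user key).
        bool signInPressed = false;
        foreach (string fieldName in appl.Request.Form)
        {
            if (fieldName == SignInFieldName)
            {
                signInPressed = true;
                break;
            }
        }

        object stored = appl.Context.Session[AnonymousSessionKey];
        bool isAnonymous;
        if (!(stored is bool))
        {
            // First request of the session (or an unexpected value under the key):
            // start anonymous and ignore the button on this request, as before.
            isAnonymous = true;
            appl.Context.Session[AnonymousSessionKey] = true;
        }
        else
        {
            isAnonymous = (bool)stored;
            if (signInPressed)
            {
                isAnonymous = !isAnonymous;
                appl.Context.Session[AnonymousSessionKey] = isAnonymous;
            }
        }

        WindowsIdentity ident = null;
        if (!isAnonymous)
        {
            // Use the identity IIS authenticated for this request.
            // WindowsIdentity.GetCurrent() returns the identity the thread is
            // running as, which is the worker-process account unless
            // impersonation is enabled, so it must not stand in for the caller.
            ident = appl.Request.LogonUserIdentity;
        }

        // Fall back to anonymous when signed out, or when no usable authenticated
        // identity is available, rather than passing null to WindowsPrincipal.
        if (ident == null || ident.IsAnonymous || !ident.IsAuthenticated)
        {
            ident = WindowsIdentity.GetAnonymous();
        }

        appl.Context.User = new WindowsPrincipal(ident);
    }

    #endregion
}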
The obvious downsides to this are that I need to store the "status" of the
user in a Session variable and that the Sign In "action" needs to be coded in
as well (btnSignIn in code above) so that I can pick it up in the
Request.Form collection. Obviously this last point could be a config item, so
no biggy with that one.
The other obvious downside is that this will happen on every request. It
seems to work really well, and it's trivial to create a button that has a
text change from Sign In to Sign Out depending on the value of the Session
variable.
I've not done any hardcore error handling or optimisation on the code as I'd
like to know whether this is a legit approach before I bulletproof it.
Thanks,
CD
needs to be anonymous access by default with Windows once a "Sign in" button
is clicked.
I've pondered about this and have come up with a solution, but I just want
to check it here to make sure I'm not going to get caught in any nasty traps.
I have created a website with ONLY Windows Authentication enabled, and have
created an HttpModule as follows:
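/// <summary>
/// Swaps <c>Context.User</c> between an anonymous Windows principal and the
/// Windows identity IIS authenticated, driven by a per-session flag that is
/// toggled when the Sign In / Sign Out button is posted.
/// </summary>
/// <remarks>
/// This is a presentation-level switch, not an access-control boundary:
/// the handler runs at PreRequestHandlerExecute, which is after the
/// AuthorizeRequest stage, so anything that authorizes earlier in the pipeline
/// has already seen the identity IIS authenticated. With only Windows
/// Authentication enabled on the site, IIS still authenticates every request
/// before this module runs.
/// </remarks>
public class MySecurityModule : IHttpModule
{
    // Name of the posted form field that signals a Sign In / Sign Out click.
    private const string SignInFieldName = "btnSignIn";

    // Session key holding a bool: true = present the user as anonymous.
    private const string AnonymousSessionKey = "anon";

    #region IHttpModule Members

    /// <summary>Nothing to release; the module holds no resources.</summary>
    void IHttpModule.Dispose()
    {
    }

    /// <summary>Hooks the per-request identity switch into the pipeline.</summary>
    /// <param name="context">The application whose requests are intercepted.</param>
    void IHttpModule.Init(HttpApplication context)
    {
        context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute);
    }

    /// <summary>
    /// Decides, for the current request, whether the page code sees the
    /// anonymous identity or the authenticated Windows identity.
    /// </summary>
    void context_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpApplication appl = (HttpApplication)sender;

        // HttpApplication.Session throws when the current handler has no session
        // state; Context.Session returns null instead. Without a session there is
        // no sign-in flag, so fail closed and present the request as anonymous.
        if (appl.Context.Session == null)
        {
            appl.Context.User = new WindowsPrincipal(WindowsIdentity.GetAnonymous());
            return;
        }

        // Request.Form only carries POSTed fields; enumerating it yields the keys.
        // NOTE(review): the toggle is a state change triggered by a field name
        // alone, so it should be protected like any other state-changing post
        // (anti-forgery token / ViewState user key).
        bool signInPressed = false;
        foreach (string fieldName in appl.Request.Form)
        {
            if (fieldName == SignInFieldName)
            {
                signInPressed = true;
                break;
            }
        }

        object stored = appl.Context.Session[AnonymousSessionKey];
        bool isAnonymous;
        if (!(stored is bool))
        {
            // First request of the session (or an unexpected value under the key):
            // start anonymous and ignore the button on this request, as before.
            isAnonymous = true;
            appl.Context.Session[AnonymousSessionKey] = true;
        }
        else
        {
            isAnonymous = (bool)stored;
            if (signInPressed)
            {
                isAnonymous = !isAnonymous;
                appl.Context.Session[AnonymousSessionKey] = isAnonymous;
            }
        }

        WindowsIdentity ident = null;
        if (!isAnonymous)
        {
            // Use the identity IIS authenticated for this request.
            // WindowsIdentity.GetCurrent() returns the identity the thread is
            // running as, which is the worker-process account unless
            // impersonation is enabled, so it must not stand in for the caller.
            ident = appl.Request.LogonUserIdentity;
        }

        // Fall back to anonymous when signed out, or when no usable authenticated
        // identity is available, rather than passing null to WindowsPrincipal.
        if (ident == null || ident.IsAnonymous || !ident.IsAuthenticated)
        {
            ident = WindowsIdentity.GetAnonymous();
        }

        appl.Context.User = new WindowsPrincipal(ident);
    }

    #endregion
}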
The obvious downsides to this are that I need to store the "status" of the
user in a Session variable and that the Sign In "action" needs to be coded in
as well (btnSignIn in code above) so that I can pick it up in the
Request.Form collection. Obviously this last point could be a config item, so
no biggy with that one.
The other obvious downside is that this will happen on every request. It
seems to work really well, and it's trivial to create a button that has a
text change from Sign In to Sign Out depending on the value of the Session
variable.
I've not done any hardcore error handling or optimisation on the code as I'd
like to know whether this is a legit approach before I bulletproof it.
Thanks,
CD