Windows Authentication and Anonymous Access

Competitive Dad

I have a requirement that I need to create a website running on IIS6 that
needs to be anonymous access by default with Windows once a "Sign in" button
is clicked.

I've pondered about this and have come up with a solution, but I just want
to check it here to make sure I'm not going to get caught in any nasty traps.

I have created a website with ONLY Windows Authentication enabled, and have
created an HttpModule as follows:

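using System;
using System.Security.Principal;
using System.Web;
using System.Web.SessionState;

public class MySecurityModule : IHttpModule
{
    #region IHttpModule Members

    void IHttpModule.Dispose()
    {
        // Nothing to release.
    }

    void IHttpModule.Init(HttpApplication context)
    {
        // Runs after session state is acquired, just before the handler executes.
        context.PreRequestHandlerExecute +=
            new EventHandler(context_PreRequestHandlerExecute);
    }

    void context_PreRequestHandlerExecute(object sender, EventArgs e)
    {
        HttpApplication appl = (HttpApplication)sender;

        // HttpApplication.Session throws when the current handler has no
        // session state, so read it from the context and treat such
        // requests as anonymous.
        HttpSessionState session = appl.Context.Session;
        if (session == null)
        {
            appl.Context.User = new WindowsPrincipal(WindowsIdentity.GetAnonymous());
            return;
        }

        // Enumerating Request.Form yields the posted field names.
        bool signInPressed = false;
        foreach (string key in appl.Request.Form)
        {
            if (key == "btnSignIn")
            {
                signInPressed = true;
                break;
            }
        }

        // Note: WindowsIdentity.GetCurrent() is the identity the thread runs
        // as: the authenticated caller when impersonation is enabled,
        // otherwise the worker process account.
        WindowsIdentity ident = null;
        if (session["anon"] == null)
        {
            // First request in this session: start as anonymous.
            session["anon"] = true;
            ident = WindowsIdentity.GetAnonymous();
        }
        else if (!signInPressed)
        {
            // No button press: keep the state stored in the session.
            if ((bool)session["anon"])
            {
                ident = WindowsIdentity.GetAnonymous();
            }
            else
            {
                ident = WindowsIdentity.GetCurrent();
            }
        }
        else
        {
            // Button pressed: toggle between anonymous and signed in.
            if ((bool)session["anon"])
            {
                ident = WindowsIdentity.GetCurrent();
                session["anon"] = false;
            }
            else
            {
                ident = WindowsIdentity.GetAnonymous();
                session["anon"] = true;
            }
        }

        WindowsPrincipal princip = new WindowsPrincipal(ident);
        appl.Context.User = princip;
    }

    #endregion
}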

The obvious downsides to this are that I need to store the "status" of the
user in a Session variable and that the Sign In "action" needs to be coded in
as well (btnSignIn in code above) so that I can pick it up in the
Request.Form collection. Obviously this last point could be a config item, so
no biggy with that one.

The other obvious downside is that this will happen on every request. It
seems to work really well, and it's trivial to create a button that has a
text change from Sign In to Sign Out depending on the value of the Session
variable.

I've not done any hardcore error handling or optimisation on the code as I'd
like to know whether this is a legit approach before I bulletproof it.

Thanks,

CD
 
Competitive Dad

I still need a mechanism to log in and use the Windows credential of the
currently logged on user. Will the approach below give this?
 
