T
Tyler Carver
I'm implementing an HttpModule for authorization. I want to authorize the
user after I know they have been authenticated. The documentation for the
HttpApplication AuthenticateRequest event states:
The AuthenticateRequest event signals that the configured authentication
mechanism has authenticated the current request. Subscribing to the
AuthenticateRequest event ensures that the request will be authenticated
prior to processing the attached module or event handler.
This leads me to believe that a user would be authenticated before the
AuthenticationRequest event is fired. However, this is not the case when I
run the code. If I set a location as <deny users="?"/> and then set a
handler for the AuthenticateRequest event, my handler gets called with the
URL before the login screen allows the user to authenticate. If I set the
event in the AuthorizeRequest handler then it works as I want, the user is
first redirected to the login page and then after he authenticates I get the
URL in my handler.
Is the documentation wrong? Shouldn't forms authentication route the user
to the loginUrl page before the AuthorizationRequest event occurs if the user
is not authorized?
Thanks,
Tyler
user after I know they have been authenticated. The documentation for the
HttpApplication AuthenticateRequest event states:
The AuthenticateRequest event signals that the configured authentication
mechanism has authenticated the current request. Subscribing to the
AuthenticateRequest event ensures that the request will be authenticated
prior to processing the attached module or event handler.
This leads me to believe that a user would be authenticated before the
AuthenticationRequest event is fired. However, this is not the case when I
run the code. If I set a location as <deny users="?"/> and then set a
handler for the AuthenticateRequest event, my handler gets called with the
URL before the login screen allows the user to authenticate. If I set the
event in the AuthorizeRequest handler then it works as I want, the user is
first redirected to the login page and then after he authenticates I get the
URL in my handler.
Is the documentation wrong? Shouldn't forms authentication route the user
to the loginUrl page before the AuthorizationRequest event occurs if the user
is not authorized?
Thanks,
Tyler