Difference from Application_AuthenticateRequest and FormsAuthenticationTicket

J

Jaime

Hi all,

I'm a bit confused on this one. I'm implementing a role-based authentication
schema and from what I've read in different articles, there seem to be two
approaches to this. The first one is to add code to the Global.asax
Application_AuthenticateRequest to create a GenericPrincipal with the user's
roles, simply doing something like HttpContext.Current.User = new
GenericPrincipal( userName, roles ).

Now the second one is creating a FormsAuthenticationTicket with all the
parameters for the cookie in the LoginButton_Click member and adding the roles
as the userData.

Now my question is: what are the differences between these approaches? Ups?
Downs?

Thanks
 
J

Jaime

Thanks for the info Dominick, let me see if I got it correctly:

1. Authenticate the user against whatever (db, xml, etc.)
2. If IsAuthenticated:
   - Create a ticket with the user data/roles and set it as a cookie
     (SetAuthCookie)
3. For each AuthenticateRequest (either in the global.asax's
   Application_OnAuthenticateRequest or through a custom handler):
   - get the user identity through the current context (basically the
     cookie)
   - get the roles from the identity (again stored in the ticket/cookie)
   - create a principal and assign it to the user so now it has the roles

and now I can use User.IsInRole("somerole") to handle the access to specific
resources and let .NET handle directory security.

Correct?

Thanks again
 
M

Manohar Kamath

Dominick,

Out of curiosity, when can the User be set to a GenericPrincipal: in the
Application_AuthenticateRequest, or even later -- say within an ASP.NET
page? I am asking this because I would like to store the ticket in a
session, but the session does not get attached to an HTTP request until
after the AuthenticateRequest has been processed.

Thank you!

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
 
D

Dominick Baier [DevelopMentor]

Hello Manohar,

You can also do it later.

But when you do it later you have to set both Context.User and Thread.CurrentPrincipal
to have consistent behaviour.

The population of Thread.CurrentPrincipal is normally done by some magic
happening directly after AuthenticateRequest.
 
M

Manohar Kamath

From what I know, ASP.NET checks the User AFTER the AuthenticateRequest,
and checks if the user has been set. If not, you are sent back to the login
page; otherwise the thread principal is set to the Context.User.

Thanks for the clarification!

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com
 
D

Dominick Baier [DevelopMentor]

Hello Manohar,

The FormsAuthenticationModule subscribes to the AuthenticateRequest event
also - but it runs earlier than code in global.asax or the HttpModule (if
you don't rewire the order in the HTTP pipeline).

FormsAuth decrypts the cookie and sets Context.User accordingly. If no cookie
is present but the authorization settings require authentication, then you get
redirected by this module (basically by converting the 401 into a 302 to
the login page).

When your code runs you can choose to manipulate Context.User (e.g. by creating
a GenericPrincipal and coupling it with roles). Directly after AuthenticateRequest
fires an undocumented event called DefaultAuthentication which copies Context.User
to Thread.CurrentPrincipal to make PrincipalPermissions work.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

"Dominick Baier [DevelopMentor]"

Hello Jaime,

The UserData is only used to store those roles somewhere - otherwise you
would have to hit e.g. a database on every request to get the roles for
the user.
You still have to extract the roles from the ticket on every request to
populate the GenericPrincipal.
I have some sample code which shows how to do it correctly:
http://www.leastprivilege.com/PermaLink.aspx?guid=b0e51388-71d1-4a6f-98d0-bc8cfbec4c3a

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
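An added example (not code from this thread and not Dominick's linked sample) that puts the two halves of the approach together: the login side stores the roles in the ticket's UserData, and the AuthenticateRequest side rebuilds a GenericPrincipal from that ticket on every request, setting both Context.User and Thread.CurrentPrincipal as Dominick recommends. RoleTicket, IssueAuthCookie, AttachRoles, the '|' separator and the 30-minute lifetime are assumed names and constructed values.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public static class RoleTicket   // hypothetical helper class
{
    const char RoleSeparator = '|';   // assumed delimiter for roles inside UserData

    // Login side (e.g. LoginButton_Click), called only after the credentials were verified.
    public static void IssueAuthCookie(HttpResponse response, string userName, string[] roles)
    {
        // The roles ride inside the ticket; FormsAuthentication.Encrypt protects the ticket
        // with the machineKey, so a client cannot edit the role list without breaking it.
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),   // constructed lifetime
            false, string.Join(RoleSeparator.ToString(), roles), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                        // keep script on the page away from the ticket
            Secure = FormsAuthentication.RequireSSL, // follow the requireSSL setting in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Global.asax: void Application_AuthenticateRequest(object sender, EventArgs e)
    // { RoleTicket.AttachRoles(HttpContext.Current); }
    public static void AttachRoles(HttpContext context)
    {
        // FormsAuthenticationModule has already run, decrypted the cookie and set Context.User
        // to a FormsIdentity; a missing or tampered cookie leaves no FormsIdentity, so do nothing.
        if (context.User == null) return;
        var identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;
        FormsAuthenticationTicket ticket = identity.Ticket;
        if (ticket.Expired) return;   // treat an expired ticket like no ticket at all

        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(RoleSeparator);
        var principal = new GenericPrincipal(identity, roles);

        // Set both so User.IsInRole and PrincipalPermission agree, even if this code is moved to
        // a point after DefaultAuthentication has already copied Context.User to the thread.
        context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```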
 
M

Manohar Kamath

Now, how did you get this "undocumented" method? :)

--
Manohar Kamath
Editor, .netBooks
www.dotnetbooks.com


 
D

Dominick Baier [DevelopMentor]

Hello Manohar,

reflector....and http://www.develop.com/technology/resourcedetail.aspx?id=c8c560c9-1313-4539-b98d-6338d6a43eda

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 
