Framework 1.1 Multiple Authentication?

Discussion in 'ASP .Net' started by xenophon, Oct 30, 2005.

  1. xenophon

    xenophon Guest

    I have a web site with forms authentication and a single logon page. I
    have 4 subdirectories, each that should be protected by a different
    username/password combination. For testing purposes, the
    username/password are hardcoded into the code-behind C# code.

    How can I write my web.config to make this happen?

    Thanks.
     
    xenophon, Oct 30, 2005
    #1
    1. Advertisements

  2. Patrick.O.Ige, Oct 30, 2005
    #2
    1. Advertisements

  3. xenophon

    Gaurav Vaish Guest

    : I have a web site with forms authentication and a single logon page. I
    : have 4 subdirectories, each that should be protected by a different
    : username/password combination. For testing purposes, the
    : username/password are hardcoded into the code-behind C# code.
    :
    : How can I write my web.config to make this happen?

    Use <location> element on top of <system.web>


    For example:
    <location path="firstDir">
    <system.web>
    <authorization>
    <allow ... />
    <deny ... />
    </authorization>
    </system.web>
    </location>
     
    Gaurav Vaish, Oct 30, 2005
    #3
  4. Thanks for Gaurav and Patrick's informative inputs.

    Hi xenophon,

    For providing separate authorization schema for mutiple sub dirs in asp.net
    web application, generally we have the following two options:
    1. Put a separate web.config in each sub dir which need formsauthentication
    protection. And override the <authorization> section in that web.config.
    Thus, all the pages in that sub dir is protected to that <authorization >
    setting.

    2. Use the <location> element as Gaurav has mentioned, this can help us put
    the configuration for sub dir in the main web.config so as to avoid put
    multiple sub web.config in each sub dir.

    #Configuration <location> Settings
    http://msdn.microsoft.com/library/en-us/cpguide/html/cpconconfigurationlocat
    ionsettings.asp?frame=true

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)






    --------------------
    | From: "Patrick.O.Ige" <>
    | References: <>
    | Subject: Re: Framework 1.1 Multiple Authentication?
    | Date: Sun, 30 Oct 2005 12:27:29 +1100
    | Lines: 19
    | X-Priority: 3
    | X-MSMail-Priority: Normal
    | X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
    | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | NNTP-Posting-Host: d58-105-58-245.dsl.vic.optusnet.com.au 58.105.58.245
    | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
    | Xref: TK2MSFTNGXA01.phx.gbl
    microsoft.public.dotnet.framework.aspnet:134781
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    |
    | Xenophon try looking through this article at:-
    | http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
    | It should guide you.
    | Patrick
    |
    | | >
    | > I have a web site with forms authentication and a single logon page. I
    | > have 4 subdirectories, each that should be protected by a different
    | > username/password combination. For testing purposes, the
    | > username/password are hardcoded into the code-behind C# code.
    | >
    | > How can I write my web.config to make this happen?
    | >
    | > Thanks.
    | >
    |
    |
    |
     
    Steven Cheng[MSFT], Oct 31, 2005
    #4
  5. xenophon

    xenophon Guest

    Thanks to you and Gustav and Patrick.

    I am using cookieless sessions and cannot use cookies at all for my
    clients. How will Forms auth work in that case?



    n Mon, 31 Oct 2005 04:15:24 GMT, (Steven
     
    xenophon, Nov 1, 2005
    #5
  6. Thanks for your response Xenophon,

    Unfortunately to hear that you're using cookieless session state which
    means using cookie is not possible in your web application. Because the
    ASP.NET webapplicaiton's forms authentication support only cookie based
    authenticate ticket, if our web application does not use cookie, I'm afraid
    we have to build our own form based autentication module which will store
    and retrieve authenticate ticket from session state( this is what we used
    to do in some classic ASP app...), we store a identify in session state
    after user login and then check that variable in each page's request to
    validate user.....

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)



    --------------------
    | NNTP-Posting-Date: Tue, 01 Nov 2005 12:55:08 -0600
    | From: xenophon <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | Subject: Re: Framework 1.1 Multiple Authentication?
    | Date: Tue, 01 Nov 2005 13:44:38 -0500
    | Message-ID: <>
    | References: <>
    <>
    <>
    | X-Newsreader: Forte Agent 2.0/32.646
    | MIME-Version: 1.0
    | Content-Type: text/plain; charset=us-ascii
    | Content-Transfer-Encoding: 7bit
    | Lines: 82
    | X-Trace:
    sv3-bew6JhvVx9oLcRhELIGxliI1rf7309fefGlkpCqU8WZfMYNi5BiJcihbRIcASjA9j6mDUzTi
    x0i5nwl!Puz0JJTJHTGqofprR1TopTbQjY+PIurZ+0secGlEzsfUJvilAg/AurXLOOBGBArZbNfg
    2g==
    | X-Complaints-To:
    | X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
    | X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
    | X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
    complaint properly
    | X-Postfilter: 1.3.32
    | Path:
    TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
    ne.de!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.gigan
    ews.com!local01.nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail
    | Xref: TK2MSFTNGXA01.phx.gbl
    microsoft.public.dotnet.framework.aspnet:135314
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    |
    | Thanks to you and Gustav and Patrick.
    |
    | I am using cookieless sessions and cannot use cookies at all for my
    | clients. How will Forms auth work in that case?
    |
    |
    |
    | n Mon, 31 Oct 2005 04:15:24 GMT, (Steven
    | Cheng[MSFT]) wrote:
    |
    | >Thanks for Gaurav and Patrick's informative inputs.
    | >
    | >Hi xenophon,
    | >
    | >For providing separate authorization schema for mutiple sub dirs in
    asp.net
    | >web application, generally we have the following two options:
    | >1. Put a separate web.config in each sub dir which need
    formsauthentication
    | >setting.
    | >
    | >2. Use the <location> element as Gaurav has mentioned, this can help us
    put
    | >the configuration for sub dir in the main web.config so as to avoid put
    | >multiple sub web.config in each sub dir.
    | >
    t
    | >ionsettings.asp?frame=true
    | >
    | >Thanks,
    | >
    | >Steven Cheng
    | >Microsoft Online Support
    | >
    | >Get Secure! www.microsoft.com/security
    | >(This posting is provided "AS IS", with no warranties, and confers no
    | >rights.)
    | >
    | >
    | >
    | >
    | >
    | >
    | >--------------------
    | >| From: "Patrick.O.Ige" <>
    | >| References: <>
    | >| Subject: Re: Framework 1.1 Multiple Authentication?
    | >| Date: Sun, 30 Oct 2005 12:27:29 +1100
    | >| Lines: 19
    | >| X-Priority: 3
    | >| X-MSMail-Priority: Normal
    | >| X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
    | >| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    | >| Message-ID: <>
    | >| Newsgroups: microsoft.public.dotnet.framework.aspnet
    | >| NNTP-Posting-Host: d58-105-58-245.dsl.vic.optusnet.com.au 58.105.58.245
    | >| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
    | >| Xref: TK2MSFTNGXA01.phx.gbl
    | >microsoft.public.dotnet.framework.aspnet:134781
    | >| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    | >|
    | >| Xenophon try looking through this article at:-
    | >| http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
    | >| It should guide you.
    | >| Patrick
    | >|
    | >| | >| >
    | >| > I have a web site with forms authentication and a single logon page.
    I
    | >| > have 4 subdirectories, each that should be protected by a different
    | >| > username/password combination. For testing purposes, the
    | >| > username/password are hardcoded into the code-behind C# code.
    | >| >
    | >| > How can I write my web.config to make this happen?
    | >| >
    | >| > Thanks.
    | >| >
    | >|
    | >|
    | >|
    |
    |
     
    Steven Cheng[MSFT], Nov 2, 2005
    #6
  7. Hi xenophon,

    How are you doing on this issue, have you got any further ideas? If
    there're anything else we can help, please feel free to post here. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    --------------------
    | X-Tomcat-ID: 113841816
    | References: <>
    <>
    <>
    <>
    | MIME-Version: 1.0
    | Content-Type: text/plain
    | Content-Transfer-Encoding: 7bit
    | From: (Steven Cheng[MSFT])
    | Organization: Microsoft
    | Date: Wed, 02 Nov 2005 06:42:14 GMT
    | Subject: Re: Framework 1.1 Multiple Authentication?
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    | Message-ID: <Q#>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | Lines: 132
    | Path: TK2MSFTNGXA01.phx.gbl
    | Xref: TK2MSFTNGXA01.phx.gbl
    microsoft.public.dotnet.framework.aspnet:135429
    | NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
    |
    | Thanks for your response Xenophon,
    |
    | Unfortunately to hear that you're using cookieless session state which
    | means using cookie is not possible in your web application. Because the
    | ASP.NET webapplicaiton's forms authentication support only cookie based
    | authenticate ticket, if our web application does not use cookie, I'm
    afraid
    | we have to build our own form based autentication module which will store
    | and retrieve authenticate ticket from session state( this is what we used
    | to do in some classic ASP app...), we store a identify in session state
    | after user login and then check that variable in each page's request to
    | validate user.....
    |
    | Thanks,
    |
    | Steven Cheng
    | Microsoft Online Support
    |
    | Get Secure! www.microsoft.com/security
    | (This posting is provided "AS IS", with no warranties, and confers no
    | rights.)
    |
    |
    |
    | --------------------
    | | NNTP-Posting-Date: Tue, 01 Nov 2005 12:55:08 -0600
    | | From: xenophon <>
    | | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | | Subject: Re: Framework 1.1 Multiple Authentication?
    | | Date: Tue, 01 Nov 2005 13:44:38 -0500
    | | Message-ID: <>
    | | References: <>
    | <>
    | <>
    | | X-Newsreader: Forte Agent 2.0/32.646
    | | MIME-Version: 1.0
    | | Content-Type: text/plain; charset=us-ascii
    | | Content-Transfer-Encoding: 7bit
    | | Lines: 82
    | | X-Trace:
    |
    sv3-bew6JhvVx9oLcRhELIGxliI1rf7309fefGlkpCqU8WZfMYNi5BiJcihbRIcASjA9j6mDUzTi
    |
    x0i5nwl!Puz0JJTJHTGqofprR1TopTbQjY+PIurZ+0secGlEzsfUJvilAg/AurXLOOBGBArZbNfg
    | 2g==
    | | X-Complaints-To:
    | | X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
    | | X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
    | | X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
    | complaint properly
    | | X-Postfilter: 1.3.32
    | | Path:
    |
    TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
    |
    ne.de!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.gigan
    |
    ews.com!local01.nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail
    | | Xref: TK2MSFTNGXA01.phx.gbl
    | microsoft.public.dotnet.framework.aspnet:135314
    | | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    | |
    | | Thanks to you and Gustav and Patrick.
    | |
    | | I am using cookieless sessions and cannot use cookies at all for my
    | | clients. How will Forms auth work in that case?
    | |
    | |
    | |
    | | n Mon, 31 Oct 2005 04:15:24 GMT, (Steven
    | | Cheng[MSFT]) wrote:
    | |
    | | >Thanks for Gaurav and Patrick's informative inputs.
    | | >
    | | >Hi xenophon,
    | | >
    | | >For providing separate authorization schema for mutiple sub dirs in
    | asp.net
    | | >web application, generally we have the following two options:
    | | >1. Put a separate web.config in each sub dir which need
    | formsauthentication
    | | >protection. And override the <authorization> section in that
    web.config.
    | | >Thus, all the pages in that sub dir is protected to that
    <authorization
    | >
    | | >setting.
    | | >
    | | >2. Use the <location> element as Gaurav has mentioned, this can help
    us
    | put
    | | >the configuration for sub dir in the main web.config so as to avoid
    put
    | | >multiple sub web.config in each sub dir.
    | | >
    | | >#Configuration <location> Settings
    | |
    | | t
    | | >ionsettings.asp?frame=true
    | | >
    | | >Thanks,
    | | >
    | | >Steven Cheng
    | | >Microsoft Online Support
    | | >
    | | >Get Secure! www.microsoft.com/security
    | | >(This posting is provided "AS IS", with no warranties, and confers no
    | | >rights.)
    | | >
    | | >
    | | >
    | | >
    | | >
    | | >
    | | >--------------------
    | | >| From: "Patrick.O.Ige" <>
    | | >| References: <>
    | | >| Subject: Re: Framework 1.1 Multiple Authentication?
    | | >| Date: Sun, 30 Oct 2005 12:27:29 +1100
    | | >| Lines: 19
    | | >| X-Priority: 3
    | | >| X-MSMail-Priority: Normal
    | | >| X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
    | | >| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    | | >| Message-ID: <>
    | | >| Newsgroups: microsoft.public.dotnet.framework.aspnet
    | | >| NNTP-Posting-Host: d58-105-58-245.dsl.vic.optusnet.com.au
    58.105.58.245
    | | >| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
    | | >| Xref: TK2MSFTNGXA01.phx.gbl
    | | >microsoft.public.dotnet.framework.aspnet:134781
    | | >| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    | | >|
    | | >| Xenophon try looking through this article at:-
    | | >| http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
    | | >| It should guide you.
    | | >| Patrick
    | | >|
    | | >| | | >| >
    | | >| > I have a web site with forms authentication and a single logon
    page.
    | I
    | | >| > have 4 subdirectories, each that should be protected by a different
    | | >| > username/password combination. For testing purposes, the
    | | >| > username/password are hardcoded into the code-behind C# code.
    | | >| >
    | | >| > How can I write my web.config to make this happen?
    | | >| >
    | | >| > Thanks.
    | | >| >
    | | >|
    | | >|
    | | >|
    | |
    | |
    |
    |
     
    Steven Cheng[MSFT], Nov 7, 2005
    #7
  8. xenophon

    xenophon Guest

    Could you show a sample of "our own form based authentication module"?
    I think that is what I really need to do. I must rely on cookieless
    sessions.

    Thanks.
     
    xenophon, Nov 9, 2005
    #8
  9. Hi Xenophon,

    So for your scenario, a quick idea come to my mind is building a custom
    HttpModule to handle such authentication task. Assume that we manually do
    the Forms Authenticaiton and after user login, we store the encrypted
    authentication ticket in the URL(since the clients are cookieless....). And
    in our custom HttpModule, we intercept the "AuthenticateRequest" event
    where we parse the URL string and validating the encrypted ticket in the
    url's querystring.... If invalid, end this request or redirect to a login
    page.... In fact, the buildin ASP.NET FormsAuthentiation and Session
    State just use a HttpModule to do the work for each comming asp.net
    request...

    Here are some reference on creating custom HttpModule:

    #INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
    http://support.microsoft.com/default.aspx?scid=kb;en-us;307985

    #Custom HttpModule Example
    http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcustomhttpmodules.
    asp?frame=true

    Hope helps. Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)






    --------------------
    | NNTP-Posting-Date: Wed, 09 Nov 2005 07:57:54 -0600
    | From: xenophon <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | Subject: Re: Framework 1.1 Multiple Authentication?
    | Date: Wed, 09 Nov 2005 08:47:24 -0500
    | Message-ID: <>
    | References: <>
    <>
    <>
    <>
    <Q#>
    | X-Newsreader: Forte Agent 2.0/32.646
    | MIME-Version: 1.0
    | Content-Type: text/plain; charset=us-ascii
    | Content-Transfer-Encoding: 7bit
    | Lines: 25
    | X-Trace:
    sv3-abxqkl0KV3/vSuR2YN6CNZj1xPMByI27kIYQQqrnXqYXKD50VuYWq/QmArYhf2RwKhX7pEn0
    QPmeID6!Y2HkzHZz7i6EerZ+HMBwwxHaje4i6s/4KgD4MAIYCnDDHcP2Gi7P0cw6Crtrtdvojb2d
    //k=
    | X-Complaints-To:
    | X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
    | X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
    | X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
    complaint properly
    | X-Postfilter: 1.3.32
    | Path:
    TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
    ne.de!border2.nntp.dca.giganews.com!border1.nntp.dca.giganews.com!nntp.gigan
    ews.com!local01.nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail
    | Xref: TK2MSFTNGXA02.phx.gbl
    microsoft.public.dotnet.framework.aspnet:356646
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    |
    |
    | Could you show a sample of "our own form based authentication module"?
    | I think that is what I really need to do. I must rely on cookieless
    | sessions.
    |
    | Thanks.
    |
    |
    |
    | On Wed, 02 Nov 2005 06:42:14 GMT, (Steven
    | Cheng[MSFT]) wrote:
    |
    | >Thanks for your response Xenophon,
    | >
    | >Unfortunately to hear that you're using cookieless session state which
    | >means using cookie is not possible in your web application. Because the
    | >ASP.NET webapplicaiton's forms authentication support only cookie based
    | >authenticate ticket, if our web application does not use cookie, I'm
    afraid
    | >we have to build our own form based autentication module which will
    store
    | >and retrieve authenticate ticket from session state( this is what we
    used
    | >to do in some classic ASP app...), we store a identify in session state
    | >after user login and then check that variable in each page's request to
    | >validate user.....
    | >
    | >Thanks,
    |
     
    Steven Cheng[MSFT], Nov 10, 2005
    #9
  10. xenophon

    xenophon Guest

    Thanks for the help. I have writen HttpModules before, but not as you
    say. Could you show the "skeleton code" with events and methods to
    use/override for the module?

    Thanks.
     
    xenophon, Nov 13, 2005
    #10
  11. Hi Xenophon,

    Genearlly, we just need to register the event handler for whatever events
    we want to intercept in our custom HttpModule, e.g:

    =========================
    public class CustomAuthModule : IHttpModule
    {
    public CustomAuthModule()
    {}
    #region IHttpModule Members

    public void Dispose()
    { }

    public void Init(HttpApplication context)
    {
    context.AuthenticateRequest += new EventHandler(Auth_Request);
    }

    protected void Auth_Request(object sender, EventArgs e)
    {
    HttpApplication app = sender as HttpApplication;
    HttpContext context = app.Context;
    HttpRequest req = context.Request;
    HttpResponse rep = context.Response;

    string url = req.RawUrl;

    //do string parsing to retrieve the
    //authentication ticket from the url string
    }
    #endregion
    }
    ===========================

    We can retreive the request' URL string and parse the authentication ticket
    in the url string. Also, this is based on that each request after the
    client user login through the login page should contains the authentication
    ticket in URL string (just like cookieless session....). This is also a
    problem since we need to adjust each linked page's url (of the same
    application...) which should be protected by our custom authentication...

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)


    --------------------
    | NNTP-Posting-Date: Sat, 12 Nov 2005 20:24:11 -0600
    | From: xenophon <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | Subject: Re: Framework 1.1 Multiple Authentication?
    | Date: Sat, 12 Nov 2005 21:13:23 -0500
    | Message-ID: <>
    | References: <>
    <>
    <>
    <>
    <Q#>
    <>
    <>
    | X-Newsreader: Forte Agent 2.0/32.646
    | MIME-Version: 1.0
    | Content-Type: text/plain; charset=us-ascii
    | Content-Transfer-Encoding: 7bit
    | Lines: 36
    | X-Trace:
    sv3-K5GqfXvTKiZclM3pezkCfGerkK4GFXSoTiHsjfbPQC5jJpBDsN1Srg7MgUr5WKIqzEJg95gh
    R9HfVSE!AN4Y6xQrW/MlIyDOfdgHyoxl79BAkoOC7dVckUwOU/zTbUk3NJZWCGmTQiVYnjGXDktS
    qGY=
    | X-Complaints-To:
    | X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
    | X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
    | X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
    complaint properly
    | X-Postfilter: 1.3.32
    | Path:
    TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
    ne.de!news.glorb.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local01
    nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail
    | Xref: TK2MSFTNGXA02.phx.gbl
    microsoft.public.dotnet.framework.aspnet:357680
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    |
    |
    | Thanks for the help. I have writen HttpModules before, but not as you
    | say. Could you show the "skeleton code" with events and methods to
    | use/override for the module?
    |
    | Thanks.
    |
    |
    | On Thu, 10 Nov 2005 09:43:59 GMT, (Steven
    | Cheng[MSFT]) wrote:
    |
    | >Hi Xenophon,
    | >
    | >So for your scenario, a quick idea come to my mind is building a custom
    | >HttpModule to handle such authentication task. Assume that we manually
    do
    | >the Forms Authenticaiton and after user login, we store the encrypted
    | >authentication ticket in the URL(since the clients are cookieless....).
    And
    | >in our custom HttpModule, we intercept the "AuthenticateRequest" event
    | >where we parse the URL string and validating the encrypted ticket in the
    | >url's querystring.... If invalid, end this request or redirect to a
    login
    | >page.... In fact, the buildin ASP.NET FormsAuthentiation and
    Session
    | >State just use a HttpModule to do the work for each comming asp.net
    | >request...
    | >
    | >Here are some reference on creating custom HttpModule:
    | >
    | >#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
    | >http://support.microsoft.com/default.aspx?scid=kb;en-us;307985
    | >
    | >#Custom HttpModule Example
    |
     
    Steven Cheng[MSFT], Nov 14, 2005
    #11
  12. Hi Xenophon,

    Does the further things I mentioend helps some? If there're anything else
    we can help, please don't hesitate to post here.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    --------------------
    | X-Tomcat-ID: 244553380
    | References: <>
    <>
    <>
    <>
    <Q#>
    <>
    <>
    <>
    | MIME-Version: 1.0
    | Content-Type: text/plain
    | Content-Transfer-Encoding: 7bit
    | From: (Steven Cheng[MSFT])
    | Organization: Microsoft
    | Date: Mon, 14 Nov 2005 13:12:58 GMT
    | Subject: Re: Framework 1.1 Multiple Authentication?
    | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    | Message-ID: <>
    | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | Lines: 117
    | Path: TK2MSFTNGXA02.phx.gbl
    | Xref: TK2MSFTNGXA02.phx.gbl
    microsoft.public.dotnet.framework.aspnet:357906
    | NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
    |
    | Hi Xenophon,
    |
    | Genearlly, we just need to register the event handler for whatever events
    | we want to intercept in our custom HttpModule, e.g:
    |
    | =========================
    | public class CustomAuthModule : IHttpModule
    | {
    | public CustomAuthModule()
    | {}
    | #region IHttpModule Members
    |
    | public void Dispose()
    | { }
    |
    | public void Init(HttpApplication context)
    | {
    | context.AuthenticateRequest += new EventHandler(Auth_Request);
    | }
    |
    | protected void Auth_Request(object sender, EventArgs e)
    | {
    | HttpApplication app = sender as HttpApplication;
    | HttpContext context = app.Context;
    | HttpRequest req = context.Request;
    | HttpResponse rep = context.Response;
    |
    | string url = req.RawUrl;
    |
    | //do string parsing to retrieve the
    | //authentication ticket from the url string
    | }
    | #endregion
    | }
    | ===========================
    |
    | We can retreive the request' URL string and parse the authentication
    ticket
    | in the url string. Also, this is based on that each request after the
    | client user login through the login page should contains the
    authentication
    | ticket in URL string (just like cookieless session....). This is also a
    | problem since we need to adjust each linked page's url (of the same
    | application...) which should be protected by our custom authentication...
    |
    | Thanks,
    |
    | Steven Cheng
    | Microsoft Online Support
    |
    | Get Secure! www.microsoft.com/security
    | (This posting is provided "AS IS", with no warranties, and confers no
    | rights.)
    |
    |
    | --------------------
    | | NNTP-Posting-Date: Sat, 12 Nov 2005 20:24:11 -0600
    | | From: xenophon <>
    | | Newsgroups: microsoft.public.dotnet.framework.aspnet
    | | Subject: Re: Framework 1.1 Multiple Authentication?
    | | Date: Sat, 12 Nov 2005 21:13:23 -0500
    | | Message-ID: <>
    | | References: <>
    | <>
    | <>
    | <>
    | <Q#>
    | <>
    | <>
    | | X-Newsreader: Forte Agent 2.0/32.646
    | | MIME-Version: 1.0
    | | Content-Type: text/plain; charset=us-ascii
    | | Content-Transfer-Encoding: 7bit
    | | Lines: 36
    | | X-Trace:
    |
    sv3-K5GqfXvTKiZclM3pezkCfGerkK4GFXSoTiHsjfbPQC5jJpBDsN1Srg7MgUr5WKIqzEJg95gh
    |
    R9HfVSE!AN4Y6xQrW/MlIyDOfdgHyoxl79BAkoOC7dVckUwOU/zTbUk3NJZWCGmTQiVYnjGXDktS
    | qGY=
    | | X-Complaints-To:
    | | X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
    | | X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
    | | X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
    | complaint properly
    | | X-Postfilter: 1.3.32
    | | Path:
    |
    TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
    |
    ne.de!news.glorb.com!border1.nntp.dca.giganews.com!nntp.giganews.com!local01
    | .nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail
    | | Xref: TK2MSFTNGXA02.phx.gbl
    | microsoft.public.dotnet.framework.aspnet:357680
    | | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
    | |
    | |
    | | Thanks for the help. I have writen HttpModules before, but not as you
    | | say. Could you show the "skeleton code" with events and methods to
    | | use/override for the module?
    | |
    | | Thanks.
    | |
    | |
    | | On Thu, 10 Nov 2005 09:43:59 GMT, (Steven
    | | Cheng[MSFT]) wrote:
    | |
    | | >Hi Xenophon,
    | | >
    | | >So for your scenario, a quick idea come to my mind is building a
    custom
    | | >HttpModule to handle such authentication task. Assume that we manually
    | do
    | | >the Forms Authenticaiton and after user login, we store the encrypted
    | | >authentication ticket in the URL(since the clients are
    cookieless....).
    | And
    | | >in our custom HttpModule, we intercept the "AuthenticateRequest" event
    | | >where we parse the URL string and validating the encrypted ticket in
    the
    | | >url's querystring.... If invalid, end this request or redirect to a
    | login
    | | >page.... In fact, the buildin ASP.NET FormsAuthentiation and
    | Session
    | | >State just use a HttpModule to do the work for each comming asp.net
    | | >request...
    | | >
    | | >Here are some reference on creating custom HttpModule:
    | | >
    | | >#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
    | | >http://support.microsoft.com/default.aspx?scid=kb;en-us;307985
    | | >
    | | >#Custom HttpModule Example
    | |
    | |
     
    Steven Cheng[MSFT], Nov 16, 2005
    #12
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.