Framework 1.1 Multiple Authentication?

xenophon

I have a web site with forms authentication and a single logon page. I
have 4 subdirectories, each that should be protected by a different
username/password combination. For testing purposes, the
username/password are hardcoded into the code-behind C# code.

How can I write my web.config to make this happen?

Thanks.
 
Gaurav Vaish

: I have a web site with forms authentication and a single logon page. I
: have 4 subdirectories, each that should be protected by a different
: username/password combination. For testing purposes, the
: username/password are hardcoded into the code-behind C# code.
:
: How can I write my web.config to make this happen?

Use <location> element on top of <system.web>


For example:
<location path="firstDir">
  <system.web>
    <authorization>
      <allow ... />
      <deny ... />
    </authorization>
  </system.web>
</location>
 
Steven Cheng[MSFT]

Thanks for Gaurav and Patrick's informative inputs.

Hi xenophon,

For providing separate authorization schema for multiple sub dirs in an ASP.NET
web application, generally we have the following two options:
1. Put a separate web.config in each sub dir that needs forms authentication
protection, and override the <authorization> section in that web.config.
Thus, all the pages in that sub dir are protected by that <authorization>
setting.

2. Use the <location> element as Gaurav has mentioned. This can help us put
the configuration for each sub dir in the main web.config so as to avoid putting
multiple sub web.config files in each sub dir.

#Configuration <location> Settings
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconconfigurationlocationsettings.asp?frame=true

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)






--------------------
| From: "Patrick.O.Ige" <[email protected]>
| Date: Sun, 30 Oct 2005 12:27:29 +1100
|
| Xenophon try looking through this article at:-
| http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
| It should guide you.
| Patrick
 
xenophon

Thanks to you and Gustav and Patrick.

I am using cookieless sessions and cannot use cookies at all for my
clients. How will Forms auth work in that case?



 
Steven Cheng[MSFT]

Thanks for your response Xenophon,

It's unfortunate to hear that you're using cookieless session state, which
means using cookies is not possible in your web application. Because an
ASP.NET web application's forms authentication supports only a cookie-based
authentication ticket, if our web application does not use cookies, I'm afraid
we have to build our own form-based authentication module which will store
and retrieve the authentication ticket from session state (this is what we used
to do in some classic ASP apps...): we store an identity in session state
after user login and then check that variable in each page's request to
validate the user.....

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)



 
Steven Cheng[MSFT]

Hi xenophon,

How are you doing on this issue? Have you got any further ideas? If
there's anything else we can help with, please feel free to post here. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
xenophon

Could you show a sample of "our own form based authentication module"?
I think that is what I really need to do. I must rely on cookieless
sessions.

Thanks.
 
Steven Cheng[MSFT]

Hi Xenophon,

So for your scenario, a quick idea that comes to my mind is building a custom
HttpModule to handle such an authentication task. Assume that we manually do
the Forms Authentication and, after user login, we store the encrypted
authentication ticket in the URL (since the clients are cookieless....). And
in our custom HttpModule, we intercept the "AuthenticateRequest" event,
where we parse the URL string and validate the encrypted ticket in the
URL's querystring.... If invalid, end this request or redirect to a login
page.... In fact, the built-in ASP.NET FormsAuthentication and Session
State just use an HttpModule to do the work for each incoming ASP.NET
request...

Here are some references on creating a custom HttpModule:

#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
http://support.microsoft.com/default.aspx?scid=kb;en-us;307985

#Custom HttpModule Example
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconcustomhttpmodules.asp?frame=true

Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)






 
xenophon

Thanks for the help. I have written HttpModules before, but not as you
say. Could you show the "skeleton code" with events and methods to
use/override for the module?

Thanks.
 
Steven Cheng[MSFT]

Hi Xenophon,

Generally, we just need to register the event handler for whatever events
we want to intercept in our custom HttpModule, e.g.:

=========================
using System;
using System.Web;

public class CustomAuthModule : IHttpModule
{
    public CustomAuthModule()
    {}

    #region IHttpModule Members

    public void Dispose()
    { }

    // Subscribe to the pipeline event we want to intercept.
    public void Init(HttpApplication context)
    {
        context.AuthenticateRequest += new EventHandler(Auth_Request);
    }

    // Runs for every request at the point where ASP.NET authenticates the caller.
    protected void Auth_Request(object sender, EventArgs e)
    {
        HttpApplication app = sender as HttpApplication;
        HttpContext context = app.Context;
        HttpRequest req = context.Request;
        HttpResponse rep = context.Response;

        string url = req.RawUrl;

        //do string parsing to retrieve the
        //authentication ticket from the url string
    }
    #endregion
}
===========================

We can retrieve the request's URL string and parse the authentication ticket
in the URL string. Also, this is based on the assumption that each request after the
client user logs in through the login page should contain the authentication
ticket in the URL string (just like cookieless session....). This is also a
problem since we need to adjust each linked page's URL (of the same
application...) which should be protected by our custom authentication...

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
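
One way to fill in the skeleton and the ticket-in-URL scheme discussed in this thread, as an added example that is not part of any poster's message: the module decrypts a forms authentication ticket carried in the query string and admits it only to the one subdirectory it was issued for. The class name, the parameter name `t`, the directory names `dir1` to `dir4`, `login.aspx` and the 20-minute lifetime are assumptions.

```csharp
using System;
using System.Globalization;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. "t", dir1..dir4 and login.aspx
// are hypothetical names chosen for illustration.
public class UrlTicketAuthModule : IHttpModule
{
    private const string TicketKey = "t";
    private static readonly string[] ProtectedDirs = { "dir1", "dir2", "dir3", "dir4" };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    // Called by the login page once it has verified the credentials.
    // FormsAuthentication.Encrypt protects the ticket as configured on <forms>
    // (encryption plus validation by default) with the <machineKey> keys.
    // UserData records the single directory this login may enter.
    public static string IssueTicket(string userName, string directory)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(20), false, directory);
        return FormsAuthentication.Encrypt(ticket);
    }

    // Links inside the application must carry the ticket forward.
    // Never call this for URLs that leave the site.
    public static string AppendTicket(string url, HttpRequest req)
    {
        string t = req.QueryString[TicketKey];
        if (t == null || t.Length == 0) return url;
        return url + (url.IndexOf('?') < 0 ? "?" : "&") + TicketKey + "=" + HttpUtility.UrlEncode(t);
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        string appRoot = req.ApplicationPath.TrimEnd('/');   // "" for a root site

        string dir = ProtectedDirectory(req.Path.Substring(appRoot.Length));
        if (dir == null) return;   // login page and public content pass through

        FormsAuthenticationTicket ticket = ReadTicket(req.QueryString[TicketKey]);
        if (ticket == null ||
            string.Compare(ticket.UserData, dir, true, CultureInfo.InvariantCulture) != 0)
        {
            // Missing, forged, expired, or issued for another directory: fail closed.
            app.Context.Response.Redirect(appRoot + "/login.aspx", false);
            app.CompleteRequest();
            return;
        }
        app.Context.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }

    // Returns the protected top-level directory the path falls under, or null.
    private static string ProtectedDirectory(string appRelativePath)
    {
        string rel = appRelativePath.TrimStart('/');
        int slash = rel.IndexOf('/');
        string first = slash < 0 ? rel : rel.Substring(0, slash);
        foreach (string d in ProtectedDirs)
            if (string.Compare(first, d, true, CultureInfo.InvariantCulture) == 0) return d;
        return null;
    }

    // Decrypt throws on tampered or malformed input, so any failure means "no ticket".
    private static FormsAuthenticationTicket ReadTicket(string encrypted)
    {
        if (encrypted == null || encrypted.Length == 0) return null;
        try
        {
            FormsAuthenticationTicket t = FormsAuthentication.Decrypt(encrypted);
            return (t == null || t.Expired) ? null : t;
        }
        catch (Exception) { return null; }
    }
}
```

The class is registered under `<httpModules>` in web.config. Because the ticket travels in the URL it ends up in server logs, browser history and Referer headers, so a short expiry and HTTPS matter more here than with a cookie.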


 
Steven Cheng[MSFT]

Hi Xenophon,

Did the further things I mentioned help? If there's anything else
we can help with, please don't hesitate to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
