Forms Authentication & Application_AuthenticateRequest

From: Ernesto Torres (ernesto_torres@hirschfeld.com)
Date: 10/04/02


From: "Ernesto Torres" <ernesto_torres@hirschfeld.com>
Date: Fri, 4 Oct 2002 08:50:21 -0500


I am having problems with getting my forms set up with the right security.

This is the structure of the files

/Intranet
/Intranet/Global
/Intranet/Global/Page1.aspx
/Intranet/Pub
/Intranet/Pub/PasswordChange.aspx
/Intranet/Pub/Registration.aspx
/Intranet/Default.aspx - Starting page
/Intranet/Login.aspx
/Intranet/Page2.aspx
/Intranet/Web.config

This is what is happening. . .

It starts out with the Default page, but checks to see if you are
authenticated. If not, then it goes to Login.aspx.
If you don't have a login, then a person clicks on the Registration button
and sets up an account, then gets redirected to the login page. From there
you can persist your cookie or not. The person logs in, then the user gets
redirected to the Default page. This works fine, but when a person clicks
on another link, the user gets redirected to the login page with a reference
to redirect to the page of their choice. I don't want this...the user
should have been authenticated and the only thing it should have done was
check the Application_AuthenticateRequest for the user's roles, but the
Context.User is not available. Why?

I am also including the portion of Web.Config and
Application_AuthenticateRequest below:

Web.Config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation
        defaultLanguage="c#"
        debug="true"
    />

    <customErrors
        mode="Off"
    />

    <trace
        enabled="false"
        requestLimit="10"
        pageOutput="false"
        traceMode="SortByTime"
        localOnly="true"
    />

    <sessionState
        mode="InProc"
        stateConnectionString="tcpip=TCPIP"
        sqlConnectionString="data source=DS;user id=ID;password="
        cookieless="false"
        timeout="20"
    />

    <globalization
        requestEncoding="utf-8"
        responseEncoding="utf-8"
    />

    <!-- Configuration information for this directory -->
    <authentication mode="Forms">
      <forms
          loginUrl = "LoginPage.aspx"
          name = ".ASPXAUTH"
          path = "/" />
    </authentication>
  </system.web>
  <location path = "">
    <system.web>
      <authorization>
        <allow roles = "Guest" />
        <deny users = "*" />
      </authorization>
    </system.web>
  </location>
  <!-- Configuration information for Protected Directory -->
  <location path = "Protected">
    <system.web>
      <authorization>
        <allow roles = "Guest" />
        <deny users = "*" />
      </authorization>
    </system.web>
  </location>
  <!-- Configuration information for Global Directory -->
  <location path = "Global">
    <system.web>
      <authorization>
        <allow roles = "Guest" />
        <deny users = "*" />
      </authorization>
    </system.web>
  </location>
  <location path = "Pub">
    <system.web>
      <authorization>
        <allow users = "*" />
      </authorization>
    </system.web>
  </location>
</configuration>

Global.asax Application_AuthenticateRequest:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication) sender;

    if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
    {
        FormsIdentity identity = (FormsIdentity) app.User.Identity;

        // Create a GenericPrincipal containing the role names
        // and assign it to the current request

        String[] roles = WwwLogin.GetLoginRoles(identity.Name);
        if (roles != null)
            app.Context.User = new GenericPrincipal(identity, roles);
    }
}

Any help would be appreciated
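
Added example, not part of the original post: a Python model of how ASP.NET URL authorization evaluates the <location> rules posted above (nearest location first, first matching rule wins). A "deny" result is the case that forms authentication answers with a redirect to loginUrl. The merge order, the machine-level default rule, the case-insensitive matching and the user name "alice" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt: the <location> authorization rules from the posted Web.config.
WEB_CONFIG = """<configuration>
  <location path=""><system.web><authorization>
    <allow roles="Guest" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Protected"><system.web><authorization>
    <allow roles="Guest" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Global"><system.web><authorization>
    <allow roles="Guest" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Pub"><system.web><authorization>
    <allow users="*" />
  </authorization></system.web></location>
</configuration>"""

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def load_rules(xml_text):
    """Map each <location path> to its ordered (action, users, roles) rules."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        key = loc.get("path", "").strip("/").lower()
        rules[key] = [(r.tag, _names(r.get("users")), _names(r.get("roles")))
                      for auth in loc.iter("authorization") for r in auth]
    return rules

def decide(rules, path, user=None, roles=()):
    """Return 'allow' or 'deny' for a request; user=None means anonymous."""
    parts = path.strip("/").lower().split("/")
    chain = []
    for i in range(len(parts), -1, -1):      # nearest <location> first, root last
        chain += rules.get("/".join(parts[:i]), [])
    chain.append(("allow", {"*"}, set()))    # assumed machine-level default rule
    held = {r.lower() for r in roles}
    for action, users, rule_roles in chain:  # first matching rule wins
        if ("*" in users or (user is None and "?" in users)
                or (user is not None and user.lower() in users)
                or rule_roles & held):
            return action

RULES = load_rules(WEB_CONFIG)
```

With these rules, decide(RULES, "Page2.aspx", "alice") returns "deny" while decide(RULES, "Page2.aspx", "alice", ["Guest"]) returns "allow": the outcome depends on the roles carried by the principal attached to the request.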


