Forms Authentication & Application_AuthenticateRequest

From: Ernesto Torres (ernesto_torres@hirschfeld.com)
Date: 10/04/02


From: "Ernesto Torres" <ernesto_torres@hirschfeld.com>
Date: Fri, 4 Oct 2002 08:50:21 -0500


I am having problems with getting my forms set up with the right security.

This is the structure of the files:

/Intranet
/Intranet/Global
/Intranet/Global/Page1.aspx
/Intranet/Pub
/Intranet/Pub/PasswordChange.aspx
/Intranet/Pub/Registration.aspx
/Intranet/Default.aspx - Starting page
/Intranet/Login.aspx
/Intranet/Page2.aspx
/Intranet/Web.config

This is what is happening...

It starts out with the Default page, but checks to see if you are
authenticated. If not, then it goes to Login.aspx.
If you don't have a login, then a person clicks on the Registration button
and sets up an account, then gets redirected to the login page. From there
you can persist your cookie or not. The person logs in, then the user gets
redirected to the Default page. This works fine, but when a person clicks
on another link, the user gets redirected to the login page with a reference
to redirect to the page of their choice. I don't want this... the user
should have been authenticated and the only thing it should have done was
check the Application_AuthenticateRequest for the user's roles, but the
Context.User is not available. Why?

I am also including the portion of Web.Config and
Application_AuthenticateRequest below:

Web.Config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />

    <customErrors mode="Off" />

    <trace enabled="false"
           requestLimit="10"
           pageOutput="false"
           traceMode="SortByTime"
           localOnly="true" />

    <sessionState mode="InProc"
                  stateConnectionString="tcpip=TCPIP"
                  sqlConnectionString="data source=DS;user id=ID;password="
                  cookieless="false"
                  timeout="20" />

    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />

    <!-- Configuration information for this directory -->
    <authentication mode="Forms">
      <forms loginUrl="LoginPage.aspx"
             name=".ASPXAUTH"
             path="/" />
    </authentication>
  </system.web>

  <location path="">
    <system.web>
      <authorization>
        <allow roles="Guest" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Configuration information for Protected Directory -->
  <location path="Protected">
    <system.web>
      <authorization>
        <allow roles="Guest" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Configuration information for Global Directory -->
  <location path="Global">
    <system.web>
      <authorization>
        <allow roles="Guest" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Pub">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

Global.asax Application_AuthenticateRequest:

// Needs System.Security.Principal (GenericPrincipal) and
// System.Web.Security (FormsIdentity) imported.
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication) sender;

    // Only act once FormsAuthenticationModule has turned the forms cookie
    // into a FormsIdentity on the current request.
    if (app.Request.IsAuthenticated && app.User.Identity is FormsIdentity)
    {
        FormsIdentity identity = (FormsIdentity) app.User.Identity;

        // Create a GenericPrincipal containing the role names
        // and assign it to the current request.
        String[] roles = WwwLogin.GetLoginRoles(identity.Name);
        if (roles != null)
            app.Context.User = new GenericPrincipal(identity, roles);
        // If roles is null, Context.User keeps the default principal
        // that the forms module created, which is in no roles at all.
    }
}

Any help would be appreciated.
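One thing worth checking against the configuration in the post above: ASP.NET's UrlAuthorizationModule walks the `<authorization>` rules for the requested path top to bottom and the first rule that matches decides, so with `<allow roles="Guest" />` followed by `<deny users="*" />` an authenticated user whose principal is not in the Guest role (for example when `GetLoginRoles` returns null, or returns roles that do not include "Guest") hits the deny rule, the request ends with 401, and the forms module then redirects to `loginUrl` with a `ReturnUrl` query string. The stand-alone console program below is an added example written for this page; it is not code from the original post. It simulates that rule evaluation against a `GenericPrincipal` built the way `Application_AuthenticateRequest` builds it. The user name "ernesto", the role "Admin" and the copy of the rules are constructed for the demonstration.

```csharp
// Added example, not code from the original post: a stand-alone console
// program that simulates how ASP.NET's UrlAuthorizationModule evaluates the
// <authorization> rules from the Web.config above against the principal that
// Application_AuthenticateRequest leaves in Context.User.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Xml;

public static class UrlAuthorizationDemo
{
    // One <allow> or <deny> element. In users, "*" matches everyone and "?"
    // matches anonymous requests; roles are matched with IPrincipal.IsInRole.
    public sealed class Rule
    {
        public bool Allow;
        public string[] Users = Array.Empty<string>();
        public string[] Roles = Array.Empty<string>();
    }

    public static List<Rule> ParseRules(string authorizationXml)
    {
        var doc = new XmlDocument();
        doc.LoadXml(authorizationXml);
        var rules = new List<Rule>();
        foreach (XmlNode node in doc.DocumentElement.ChildNodes)
        {
            if (node.NodeType != XmlNodeType.Element) continue;
            rules.Add(new Rule
            {
                Allow = node.Name == "allow",
                Users = SplitList(node.Attributes["users"]),
                Roles = SplitList(node.Attributes["roles"]),
            });
        }
        return rules;
    }

    static string[] SplitList(XmlAttribute attr) =>
        attr == null
            ? Array.Empty<string>()
            : attr.Value.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();

    // Rules are checked top to bottom and the first one that matches decides;
    // if nothing matches the request is allowed. This is the ordering
    // UrlAuthorizationModule uses, which is why <deny users="*" /> goes last.
    public static bool IsAuthorized(IPrincipal user, IEnumerable<Rule> rules)
    {
        bool authenticated = user.Identity != null && user.Identity.IsAuthenticated;
        string name = authenticated ? user.Identity.Name : "";
        foreach (var rule in rules)
        {
            bool matches =
                rule.Users.Any(u => u == "*"
                                 || (u == "?" && !authenticated)
                                 || (authenticated && u.Equals(name, StringComparison.OrdinalIgnoreCase)))
                || rule.Roles.Any(r => user.IsInRole(r));
            if (matches) return rule.Allow;
        }
        return true;
    }

    static string Describe(IPrincipal user, IEnumerable<Rule> rules) =>
        IsAuthorized(user, rules) ? "allowed" : "denied (401, then redirect to loginUrl with ReturnUrl)";

    public static void Main()
    {
        // Constructed copy of the rules applied to "" (site root) and "Global" above.
        var rules = ParseRules(
            "<authorization><allow roles=\"Guest\" /><deny users=\"*\" /></authorization>");

        // Stands in for the FormsIdentity the forms cookie produces (name is made up).
        var identity = new GenericIdentity("ernesto", "Forms");

        // Case 1: GetLoginRoles returned null, so the handler never replaced
        // Context.User; the request carries an authenticated identity with no roles.
        IPrincipal noRoles = new GenericPrincipal(identity, null);
        // Case 2: roles were assigned, but none of them is "Guest" ("Admin" is constructed).
        IPrincipal otherRole = new GenericPrincipal(identity, new[] { "Admin" });
        // Case 3: the role the <allow> rule names.
        IPrincipal guest = new GenericPrincipal(identity, new[] { "Guest" });

        Console.WriteLine("no roles   -> " + Describe(noRoles, rules));
        Console.WriteLine("Admin only -> " + Describe(otherRole, rules));
        Console.WriteLine("Guest      -> " + Describe(guest, rules));
    }
}
```

Only the principal that is actually in the Guest role gets past the root and Global rules; the other two cases are exactly the "logged in but bounced back to the login page with a ReturnUrl" behaviour described in the post. The check a practitioner would add is to log what `GetLoginRoles` returns for the user in question, and to confirm that the role names in `<allow roles="…" />` match those strings exactly.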