Re: Forms Authentication to protect a cgi application
From: Stephen Davies (StephenDavies_at_nospam.nospam)
Date: Wed, 5 Jan 2005 13:37:02 -0800
Thanks for the pointer Steve
That looks like the issue here
>Snipped from Wade A. Hilmo's post
>I believe that an ISAPI is your only alternative, for exactly the reasons
>that you state below. ASP.NET does not utilize HSE_REQ_EXEC_URL,
>so if you set up a wildcard mapping for it, there is no way to get the
>request back out of the managed code environment.
Darn, there is always a catch....
I don't suppose there is any way I can confirm that authorisation has been
processed from within the ISAPI, I know its unmanaged but I presence of the
session cookie from the System.Web.Security.FormsAuthentication methods might
do the trick. Its just how can I at lest retrieve the cookie from the cookies
collection (in the ISAPI) and ideally decode the cookie? (this might be
pushing it though!)
The only other (a bit dodgy though) method I can think of is to provide my
own hashed token as a querystring variable to be verified and redirected by
the ISAPI extension (to either the login page or the cgi) accordingly.
Any pointer on this would be appreciated.
"Steve Schuler" wrote:
> Unfortunately, I believe you are probably SOL with your preferred approach.
> Here's a link to a thread I was researching a while back on a different
> Wildcard usage (URL Authorization), but it has a bearing on this issue:
> Note the first response from Wade Hilmo of MS.
> It's a lot more work than what you wanted, and adds layers of ASP.NET
> overhead on top of the CGI processing, but you could probably still use
> ASP.NET forms authentication if you created your own handler that used
> Platform Invoke to launch the CGI via CreateProcess.
> Probably not the answer you were after... :-(
> "Stephen Davies" <email@example.com> wrote in message
> > I have enabled forms authentication on an IIS 6 W2k3 server to protect
> > to the application files until authenticated.
> > The actual application apart from the login/logout files is .cgi based so
> > have added a "Wildcard Application Map" entry
> > site properties
> > home directory tab
> > Configuration
> > Application Configuration
> > to point to the "aspnet_isapi.dll" so that .cgi application files must be
> > authenticated before they can run.
> > So far all seems to be working well, direct invocation of the .cgi
> > application is trapped and redirected to the login screen but after
> > in I am prompted with a download dialog (as if there were no mime type)
> > 1. If I remove the Wildcard Application Mapping the .cgi application runs
> > 2. If I allow users="*" in the authorization section of the web config
> > the wildcard application mapping in place) it also works perfectly.
> > On top of this I also have an httphandler routine to perform a URLRewrite
> > catch the application logout command, although the symptoms above are
> > the same when its removed from the web config.
> > Any help on this would be greatly appreciated.
> > Regards
> > Stephen Davies