Re: Forms Authentication to protect a cgi application

From: Stephen Davies (StephenDavies_at_nospam.nospam)
Date: 01/05/05

Date: Wed, 5 Jan 2005 13:37:02 -0800

Thanks for the pointer Steve

That looks like the issue here

>Snipped from Wade A. Hilmo's post
>I believe that an ISAPI is your only alternative, for exactly the reasons
>that you state below. ASP.NET does not utilize HSE_REQ_EXEC_URL,
>so if you set up a wildcard mapping for it, there is no way to get the
>request back out of the managed code environment.

Darn, there is always a catch....

I don't suppose there is any way I can confirm that authorisation has been
processed from within the ISAPI? I know it's unmanaged, but the presence of the
session cookie from the System.Web.Security.FormsAuthentication methods might
do the trick. It's just, how can I at least retrieve the cookie from the cookies
collection (in the ISAPI) and ideally decode the cookie? (This might be
pushing it though!)

The only other (a bit dodgy though) method I can think of is to provide my
own hashed token as a querystring variable to be verified and redirected by
the ISAPI extension (to either the login page or the cgi) accordingly.

Any pointer on this would be appreciated.

Stephen Davies

"Steve Schuler" wrote:

> Unfortunately, I believe you are probably SOL with your preferred approach.
> Here's a link to a thread I was researching a while back on a different
> Wildcard usage (URL Authorization), but it has a bearing on this issue:
> Note the first response from Wade Hilmo of MS.
> It's a lot more work than what you wanted, and adds layers of ASP.NET
> overhead on top of the CGI processing, but you could probably still use
> ASP.NET forms authentication if you created your own handler that used
> Platform Invoke to launch the CGI via CreateProcess.
> Probably not the answer you were after... :-(
> "Stephen Davies" <steve@newsgroup.nospam> wrote in message
> > I have enabled forms authentication on an IIS 6 W2k3 server to protect access
> > to the application files until authenticated.
> >
> > The actual application apart from the login/logout files is .cgi based so I
> > have added a "Wildcard Application Map" entry
> >
> > site properties
> > home directory tab
> > Configuration
> > Application Configuration
> >
> > to point to the "aspnet_isapi.dll" so that .cgi application files must be
> > authenticated before they can run.
> >
> > So far all seems to be working well, direct invocation of the .cgi
> > application is trapped and redirected to the login screen but after logging
> > in I am prompted with a download dialog (as if there were no mime type)
> >
> > 1. If I remove the Wildcard Application Mapping the .cgi application runs
> > 2. If I allow users="*" in the authorization section of the web config (with
> > the wildcard application mapping in place) it also works perfectly.
> >
> > On top of this I also have an httphandler routine to perform a URLRewrite to
> > catch the application logout command, although the symptoms above are exactly
> > the same when it's removed from the web config.
> >
> > Any help on this would be greatly appreciated.
> >
> > Regards
> > Stephen Davies
> >
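
An added example, not part of the original thread: one way unmanaged code could pull the forms-authentication cookie out of the raw Cookie header (the string an ISAPI extension obtains from the `HTTP_COOKIE` server variable). The function name `get_cookie_value` is hypothetical and `.ASPXAUTH` is assumed to be the cookie name (the ASP.NET default; the configured name may differ). Finding the cookie only shows that a value was sent: by default the ticket is encrypted and signed with the site's machineKey, so its presence alone does not prove the request is authenticated.

```c
#include <stdio.h>
#include <string.h>

/* Copy the value of cookie `name` out of a Cookie header string into `out`.
 * Returns the value length, -1 if the cookie is absent, -2 if `out` is too
 * small. The name must match exactly, so "X.ASPXAUTH" and ".ASPXAUTH2" are
 * not mistaken for ".ASPXAUTH". */
int get_cookie_value(const char *header, const char *name,
                     char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = header;
    while (*p != '\0') {
        /* Skip separators and whitespace between name=value pairs. */
        while (*p == ' ' || *p == '\t' || *p == ';')
            p++;
        if (*p == '\0')
            break;
        /* This pair runs to the next ';' or to the end of the header. */
        const char *end = strchr(p, ';');
        if (end == NULL)
            end = p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq != NULL && (size_t)(eq - p) == name_len &&
            memcmp(p, name, name_len) == 0) {
            const char *val = eq + 1;
            size_t val_len = (size_t)(end - val);
            while (val_len > 0 && (val[val_len - 1] == ' ' || val[val_len - 1] == '\t'))
                val_len--;              /* trim trailing whitespace */
            if (val_len + 1 > out_len)
                return -2;              /* never truncate a ticket silently */
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return (int)val_len;
        }
        p = end;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample header; the ticket value is a placeholder. */
    const char *hdr = "lang=en; .ASPXAUTH=ABCDEF0123; theme=dark";
    char ticket[256];
    int n = get_cookie_value(hdr, ".ASPXAUTH", ticket, sizeof ticket);
    printf("%d %s\n", n, n >= 0 ? ticket : "(none)");
    return 0;
}
```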