Re: Forms Authentication to protect a cgi application
From: Stephen Davies (StephenDavies_at_nospam.nospam)
Date: 01/09/05
- Previous message: Eddie B: "Stupid Authentication Question"
- In reply to: Steve Schuler: "Re: Forms Authentication to protect a cgi application"
- Next in thread: Stephen Davies: "Re: Forms Authentication to protect a cgi application"
Date: Sun, 9 Jan 2005 13:35:03 -0800
My response was based on some digging around where I found people were having
problems getting hold of cookie information from within the ISAPI. I was
imagining retaining forms authentication and only processing .cgi with
the ISAPI confirming the existence of the session cookie (and confirming it's
a session cookie). That's what ideally I would have liked a cut and paste
example.... humm.

I am leaning towards an encrypted token which can be parsed from the forms
authentication redirect and processed by the ISAPI and if not verified
redirect to the Forms Authentication login page.

I took a look at the IIS6 resource kit but no source supplied urggg. The
CustomAuth example is dll and help only, I have some specific authorisation
requirements that negate the use of the example dll.

Thanks again
Regards Stephen Davies
"Steve Schuler" wrote:
> I'm not sure which ISAPI you're talking about? In the post from Wade Hilmo,
> the suggestion was to write an ISAPI that would do the forms authentication,
> rather than relying on ASP.NET forms auth. Or were you proposing to host an
> app domain from the ISAPI in order to use forms auth? I'm not sure that
> would be possible because forms auth is probably bolted pretty tightly to
> ASP.NET pipeline infrastructure, and in any case, it would probably be more
> trouble than simply writing the forms auth stuff yourself in an ISAPI. In
> fact there's a CustomAuth sample in the IIS6 resource kit that provides a
> great start on that approach.
>
> OTOH, if you can delay a while, supposedly ASP.NET 2.0 on IIS6 can do this.
> (I say supposedly, since I've only seen a few mentions of this, and no
> official MS documentation or samples.)
>
> Sorry I don't have better news!
>
> --Steve
>
> "Stephen Davies" <StephenDavies@nospam.nospam> wrote in message
> news:15626856-553B-4EE1-B4CA-07CA5DE15683@microsoft.com...
> > Thanks for the pointer Steve
> >
> > That looks like the issue here
> >
> > >Snipped from Wade A. Hilmo's post
> > >I believe that an ISAPI is your only alternative, for exactly the reasons
> > >that you state below. ASP.NET does not utilize HSE_REQ_EXEC_URL,
> > >so if you set up a wildcard mapping for it, there is no way to get the
> > >request back out of the managed code environment.
> >
> > Darn, there is always a catch....
> >
> > I don't suppose there is any way I can confirm that authorisation has been
> > processed from within the ISAPI, I know it's unmanaged but the presence of the
> > session cookie from the System.Web.Security.FormsAuthentication methods might
> > do the trick. It's just how can I at least retrieve the cookie from the cookies
> > collection (in the ISAPI) and ideally decode the cookie? (this might be
> > pushing it though!)
> >
> > The only other (a bit dodgy though) method I can think of is to provide my
> > own hashed token as a querystring variable to be verified and redirected by
> > the ISAPI extension (to either the login page or the cgi) accordingly.
> >
> > Any pointer on this would be appreciated.
> >
> > Regards
> > Stephen Davies
> >
> > "Steve Schuler" wrote:
> >
> > > Unfortunately, I believe you are probably SOL with your preferred approach.
> > > Here's a link to a thread I was researching a while back on a different
> > > Wildcard usage (URL Authorization), but it has a bearing on this issue:
> > >
> > > http://groups-beta.google.com/group/microsoft.public.platformsdk.internet.server.isapi-dev/browse_frm/thread/562445758770b6fa?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3DAzBizRuleContext%2B%2522url%2Bauthorization%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D7818d64c.0401090736.76126185%2540posting.google.com%26rnum%3D1
>
> [snip]
>
>
>
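The token hand-off discussed in this thread, as an added example that is not part of the original posts: the login page issues a keyed (HMAC) token bound to the user, the requested path and an expiry time, and the filter in front of the CGI verifies it or sends the request to the login page. Python is used here only to show the token layout and the checks; the key, field layout, paths and function names are assumptions, and an ISAPI would perform the same steps in native code.

```python
import base64
import hashlib
import hmac
import time

# Assumptions for this sketch: key, field layout and URLs are hypothetical.
SECRET = b"constructed-demo-key"   # shared by the login page and the filter
LOGIN_URL = "/login.aspx"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, path, now=None, ttl=300, key=SECRET):
    """Called by the login page after forms authentication succeeds."""
    if "|" in user or "|" in path:
        raise ValueError("field separator not allowed in user or path")
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{user}|{path}|{expires}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def check_token(token, path, now=None, key=SECRET):
    """Return the user name if the token is valid for this path, else None."""
    try:
        payload_part, mac_part = (token or "").split(".")
        payload, mac = _unb64(payload_part), _unb64(mac_part)
    except ValueError:          # wrong shape or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    # MAC is good, so the payload came from issue_token and has three fields.
    user, token_path, expires = payload.decode().split("|")
    current = time.time() if now is None else now
    if token_path != path or current >= int(expires):
        return None             # bound to another resource, or expired
    return user

def route(token, path, now=None):
    """Filter decision: serve the CGI or redirect to the login page."""
    return path if check_token(token, path, now) else LOGIN_URL
```

A plain unkeyed hash of the user name would be forgeable by anyone who knows the format; the key and the expiry are what make the query-string value checkable, and the short lifetime limits reuse of a token copied from a log or Referer header.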