Re: AuthenticateRequest Before or After User has been Authenticated?



Hi,

Events in the HTTP pipeline always get fired - if you subscribe to one, you get called. The AuthenticateRequest event is always handled by the built-in authentication module (FormsAuthenticationModule in your case) - and if you have not reordered the pipeline, your code (either in global.asax or an HttpModule) runs after the built-in one.

You will be called regardless of whether authentication has taken place (e.g. in the case of an anonymous request), so if you have to do any work that relies on an authenticated user, do a

if (Request.IsAuthenticated)
{}

at the beginning of your code.

The first request to an app and the redirect (up to where the formsauth ticket is placed) are anonymous requests - that's why you have to check that.

The same also applies to AuthorizeRequest - you get called on every request, but you can be sure that the File and UrlAuthorizationModule already did their work.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I'm implementing an HttpModule for authorization. I want to authorize
the user after I know they have been authenticated. The documentation
for the HttpApplication AuthenticateRequest event states:

The AuthenticateRequest event signals that the configured
authentication mechanism has authenticated the current request.
Subscribing to the AuthenticateRequest event ensures that the request
will be authenticated prior to processing the attached module or event
handler.

This leads me to believe that a user would be authenticated before the
AuthenticationRequest event is fired. However, this is not the case
when I run the code. If I set a location as <deny users="?"/> and
then set a handler for the AuthenticateRequest event, my handler gets
called with the URL before the login screen allows the user to
authenticate. If I set the event in the AuthorizeRequest handler then
it works as I want, the user is first redirected to the login page and
then after he authenticates I get the URL in my handler.

Is the documentation wrong? Shouldn't forms authentication route the
user to the loginUrl page before the AuthorizationRequest event occurs
if the user is not authorized?

Thanks,
Tyler
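
An added example, not part of the original posts: an IHttpModule in C# that subscribes to both events and applies the Request.IsAuthenticated check discussed in the reply. The module name, the path-to-role policy and the Items key are hypothetical, and the module is assumed to be registered in web.config so that it runs after the built-in modules.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical module; register it in web.config after the built-in modules.
public class PathRoleModule : IHttpModule
{
    // Constructed sample policy: path prefix -> role required to use it.
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>
        {
            { "/admin/", "Administrators" },
            { "/reports/", "Auditors" }
        };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Fires on every request, anonymous ones included (first hit, login page).
        if (!ctx.Request.IsAuthenticated) return;
        // The built-in authentication module has already set ctx.User here.
        ctx.Items["AuditUser"] = ctx.User.Identity.Name;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        foreach (KeyValuePair<string, string> rule in RequiredRole)
        {
            if (!ctx.Request.Path.StartsWith(rule.Key, StringComparison.OrdinalIgnoreCase))
                continue;
            // Fail closed: an anonymous caller on a protected path is never let through.
            bool authenticated = ctx.Request.IsAuthenticated;
            if (authenticated && ctx.User.IsInRole(rule.Value)) return;
            // 401 lets forms authentication redirect to the login page; 403 = known user, no right.
            ctx.Response.StatusCode = authenticated ? 403 : 401;
            app.CompleteRequest(); // skip the remaining pipeline events up to EndRequest
            return;
        }
    }

    public void Dispose() { }
}
```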

