Re: How to bypass Forms Authentication on selected pages programma
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 14 Feb 2007 06:25:45 +0000 (UTC)
The authenticate request event fires for every request
have you tried setting a break point??
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
Yeah!
web.config looks like
<authorization>
<deny users="?" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="/TestProject/login.aspx" name="XYZ" />
</authentication>
Login.aspx checks to see if there's a cookie. if not one has to login
on
that page.
that information is looked up in the database and so on.
I don't think that Global_AuthenticateRequest in global.asax is
getting
fired when I request a page in the browser.
Do I have to do something to invoke this method?
Thanks,
AJ
"Joe Kaplan" wrote:
Are you still setting that in the authenticate event in global.asax?
That should work. I've never seen that not work. :)
How is the <authorization> section configured in your web.config?
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"ajmehra" <ajmehra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:29AD7225-67F1-4649-B91E-635B75229783@xxxxxxxxxxxxxxxx
Hey Joe,
I tried setting this:
HttpContext.Current.SkipAuthorization = True
without any condition, basically for every page. but I am still
getting
redirected to the login page. can I set this property somewhere
else?
Thanks,
AJ
"Joe Kaplan" wrote:
Which part isn't working? Is your If condition not matching or is
the SkipAuthorization actually not working. Dominick is definitely
right, it has to be set to true.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"ajmehra" <ajmehra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@xxxxxxxxxxxxxxxx
Hey Dominick,
That is not working either.
Thanks,
AJ
"Dominick Baier" wrote:
you have to set SkipAuthorization to true
HttpContext.Current.SkipAuthorization = true;
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
Hey Joe, thanks for the last post.
I am using the following code in Global.asax:
Private Sub Global_AuthenticateRequest(ByVal sender As Object,
ByVal e
As System.EventArgs) Handles MyBase.AuthenticateRequest
Dim instance As HttpContext
If Request.Path = "/TestProject/FileUpload.aspx" Then
instance.SkipAuthorization = False
End If
End Sub
I know what you said seems very staright forward. But it hasn't
worked
in my case yet. I know I am missing something somewhere. I have
tried
this in Application_AuthenticateRequest as well. Let me know
Appreciate your help,
AJ
"Joe Kaplan" wrote:
Not the query string, but the Request.Url or Request.Path
property. I don't really have a sample for you, but basically
your code would do this:
In the appropriate event (probably the Authenticate event so
this
runs after authentication but before authorization) check the
Url
of
the Request to see if it matches one of the resources you want
to
exclude. If so, set SkipAuthorization to false. Be very
careful
with how you do the matching of the path against your list of
exclusions. There isn't really much to it. Just play around
with
it.
:)
There are also probably some fancier ways you can do this. You
might
apply some kind of marker to the actual page via a base class,
marker
interface or custom attribute on your pages and determine that
from
the IHttpHandler that is set up in the HttpContext for the
request.
I haven't tried that, but I don't see why it wouldn't work.
Part
of
it depends on how you want to maintain the list of excluded
resources. If you want to do this from the code in the page,
I'd
take this approach. If you want to maintain a list of their
URLs,
then the previous approach is better. However, that kind of
thing
might be easier to deal with through the standard location tags
in
web.config.
I'm curious if Dominick (or anyone else) sees this thread and
has a strong opinion about this.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"ajmehra" <ajmehra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@xxxxxxxxxxxxxxxx
Thanks Joe.
Do you have an example of this property being used in
Global.asax?
I
am
not
sure about how to check to see if -- this is the right page
to be
left
out
for authentication.
Should I use a QueryString for this check?
Thanks again
AJ
"Joe Kaplan" wrote:
Use the HttpContext.SkipAuthorization property to turn
authorization on
or
off programmatically on a page by page basis. You probably
want
to
put
this
code in global.asax or an IHttpModule.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory
Services
Programming"
http://www.directoryprogramming.net
--
"ajmehra" <ajmehra@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:A9894367-B2BC-496D-9FD7-057381022AC6@xxxxxxxxxxxxxxxx
Hi
I am trying to bypass Forms Authentication on certain pages
programmatically. Any thoughts will be appreciated.
Thanks,
AJ
.
- Follow-Ups:
- References:
- Prev by Date: Re: How to bypass Forms Authentication on selected pages programma
- Next by Date: Re: How to bypass Forms Authentication on selected pages programma
- Previous by thread: Re: How to bypass Forms Authentication on selected pages programma
- Next by thread: Re: How to bypass Forms Authentication on selected pages programma
- Index(es):
Relevant Pages
|
