
Retrieving if current request is for a resource requiring authentication

Hello all,

We are using Forms Authentication in an application to protect both
sensitive ASP.Net pages and Web services.

This question relates to Web services and forms authentication,
and I will try to explain the issue by detailing how a client accesses
a secure Web service.

1) The Web service client accesses an unsecured login Web service,
passing in a username and password.
2) If the user is successfully authenticated, the Web service returns
an encrypted Forms Authentication ticket as a string.
3) Secure Web services all sit under a directory secured by Forms
Authentication in the usual manner in the Web.config. Hence
unauthenticated access causes a redirect to Login.aspx and the request
is rejected.
4) To call a secured Web service, the client attaches the
authentication ticket in the SOAP header of the Web service proxy, and
then calls the required method on the service.
5) At the server, we use an HTTP handler to intercept the
AuthenticationRequest event. In this handler, we check for Web service
calls (by checking for HTTP_SOAPACTION in the server variables
collection). If it is a Web service call, we check for the ticket in
the SOAP header. If we find it, we decrypt it and use it to attach the
authenticated principal to the User property of the current context.

This is all great, and works as expected. However, the
AuthenticationRequest event fires for all Web service calls - not just
ones to secure Web services... This means that the ticket being
missing in the header may not be an error, it could just be that the
Web service is not secured. Hence, I can't throw a suitable exception
in the handler when I don't find the ticket as I don't know if I was to
expect one or not. This means users of the secure Web services don't
get a useful exception passed back to them explaining that the ticket
was missing. Instead, they get redirected to login.aspx which is
secure but hard to handle at the client.

So, after all this long-winded explanation, my question is....
- How can I test in the AuthenticationRequest event if the current
request is to a page secured by Forms Authentication?
Something like Context.Request.IsPageSecuredByFormsAuthentication
would be nice ;)
For now I am just hacking this by testing if the URL of the request is
in the "secure/" directory.

Thanks for any help,
Nov 18 '05 #1
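
One way to make the check asked about above, as an added example that is not part of the original post: ask the URL authorization rules whether an anonymous caller may reach the requested path, and return a SOAP fault instead of the login redirect when a ticket is required but absent. It assumes ASP.NET 2.0 or later (for `UrlAuthorizationModule.CheckUrlAccessForPrincipal`) and SOAP 1.1; the class name `SoapTicketModule` and the header element name `AuthTicket` are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Xml;

// Added example. SoapTicketModule and the AuthTicket header element are hypothetical names.
public class SoapTicketModule : IHttpModule
{
    // An identity with an empty name reports IsAuthenticated == false.
    static readonly IPrincipal Anonymous =
        new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    public void Init(HttpApplication app) { app.AuthenticateRequest += OnAuthenticate; }
    public void Dispose() { }

    void OnAuthenticate(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        if (req.Headers["SOAPAction"] == null) return;   // not a SOAP 1.1 call
        // Evaluate the <authorization> rules in Web.config for this path as an anonymous user.
        if (UrlAuthorizationModule.CheckUrlAccessForPrincipal(req.Path, Anonymous, req.HttpMethod))
            return;                                       // anonymous access allowed: no ticket expected
        FormsAuthenticationTicket ticket = null;
        try { ticket = FormsAuthentication.Decrypt(ReadTicket(req)); }
        catch (Exception) { }                             // fail closed on a malformed body or ticket
        if (ticket == null || ticket.Expired) { Reject(app, "Missing, invalid or expired authentication ticket."); return; }
        app.Context.User = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
    }

    static string ReadTicket(HttpRequest req)
    {
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;                           // no external entity or DTD resolution
        doc.Load(req.InputStream);
        req.InputStream.Position = 0;                     // rewind so the Web service handler can read the body
        XmlNode n = doc.SelectSingleNode("//*[local-name()='Header']//*[local-name()='AuthTicket']");
        return n == null ? null : n.InnerText.Trim();     // null makes Decrypt throw, which is caught above
    }

    static void Reject(HttpApplication app, string message)
    {
        HttpResponse res = app.Context.Response;
        res.StatusCode = 500;       // SOAP 1.1 faults use HTTP 500; a 401 would become the login redirect
        res.ContentType = "text/xml";
        res.Write("<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><soap:Fault>" +
                  "<faultcode>soap:Client</faultcode><faultstring>" + HttpUtility.HtmlEncode(message) +
                  "</faultstring></soap:Fault></soap:Body></soap:Envelope>");
        app.CompleteRequest();      // skip the rest of the pipeline, including the Web service handler
    }
}
```

The check follows whatever `<authorization>` rules apply to the URL, so it tracks the configuration instead of a hard-coded "secure/" prefix; the module still has to be registered under `<httpModules>` in Web.config.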