Framework 1.1 Multiple Authentication?

Xenophon try looking through this article at:-
http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
It should guide you.
Patrick

"xenophon" <xe******@online.nospam> wrote in message
news:4p********************************@4ax.com...

I have a web site with forms authentication and a single logon page. I
have 4 subdirectories, each that should be protected by a different
username/password combination. For testing purposes, the
username/password are hardcoded into the code-behind C# code.

How can I write my web.config to make this happen?

Thanks.

: I have a web site with forms authentication and a single logon page. I
: have 4 subdirectories, each that should be protected by a different
: username/password combination. For testing purposes, the
: username/password are hardcoded into the code-behind C# code.
:
: How can I write my web.config to make this happen?

Use <location> element on top of <system.web>
For example:
<location path="firstDir">
<system.web>
<authorization>
<allow ... />
<deny ... />
</authorization>
</system.web>
</location>
--
Cheers,
Gaurav Vaish
-----------

Thanks for Gaurav and Patrick's informative inputs.

Hi xenophon,

For providing separate authorization schema for mutiple sub dirs in asp.net
web application, generally we have the following two options:
1. Put a separate web.config in each sub dir which need formsauthentication
protection. And override the <authorization> section in that web.config.
Thus, all the pages in that sub dir is protected to that <authorization >
setting.

2. Use the <location> element as Gaurav has mentioned, this can help us put
the configuration for sub dir in the main web.config so as to avoid put
multiple sub web.config in each sub dir.

#Configuration <location> Settings
http://msdn.microsoft.com/library/en...igurationlocat
ionsettings.asp?frame=true

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| From: "Patrick.O.Ige" <pa********@optusnet.com.au>
| References: <4p********************************@4ax.com>
| Subject: Re: Framework 1.1 Multiple Authentication?
| Date: Sun, 30 Oct 2005 12:27:29 +1100
| Lines: 19
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
| Message-ID: <OG**************@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| NNTP-Posting-Host: d58-105-58-245.dsl.vic.optusnet.com.au 58.105.58.245
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP10.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet:134781
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| Xenophon try looking through this article at:-
| http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
| It should guide you.
| Patrick
|
| "xenophon" <xe******@online.nospam> wrote in message
| news:4p********************************@4ax.com...
| >
| > I have a web site with forms authentication and a single logon page. I
| > have 4 subdirectories, each that should be protected by a different
| > username/password combination. For testing purposes, the
| > username/password are hardcoded into the code-behind C# code.
| >
| > How can I write my web.config to make this happen?
| >
| > Thanks.
| >
|
|
|

Thanks to you and Gustav and Patrick.

I am using cookieless sessions and cannot use cookies at all for my
clients. How will Forms auth work in that case?

n Mon, 31 Oct 2005 04:15:24 GMT, st*****@online.microsoft.com (Steven
Cheng[MSFT]) wrote:

Thanks for Gaurav and Patrick's informative inputs.

Hi xenophon,

For providing separate authorization schema for mutiple sub dirs in asp.net
web application, generally we have the following two options:
1. Put a separate web.config in each sub dir which need formsauthentication
protection. And override the <authorization> section in that web.config.
Thus, all the pages in that sub dir is protected to that <authorization >
setting.

2. Use the <location> element as Gaurav has mentioned, this can help us put
the configuration for sub dir in the main web.config so as to avoid put
multiple sub web.config in each sub dir.

#Configuration <location> Settings
http://msdn.microsoft.com/library/en...igurationlocat
ionsettings.asp?frame=true

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| From: "Patrick.O.Ige" <pa********@optusnet.com.au>
| References: <4p********************************@4ax.com>
| Subject: Re: Framework 1.1 Multiple Authentication?
| Date: Sun, 30 Oct 2005 12:27:29 +1100
| Lines: 19
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
| Message-ID: <OG**************@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| NNTP-Posting-Host: d58-105-58-245.dsl.vic.optusnet.com.au 58.105.58.245
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP10.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet:134781
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| Xenophon try looking through this article at:-
| http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
| It should guide you.
| Patrick
|
| "xenophon" <xe******@online.nospam> wrote in message
| news:4p********************************@4ax.com...
| >
| > I have a web site with forms authentication and a single logon page. I
| > have 4 subdirectories, each that should be protected by a different
| > username/password combination. For testing purposes, the
| > username/password are hardcoded into the code-behind C# code.
| >
| > How can I write my web.config to make this happen?
| >
| > Thanks.
| >
|
|
|

Thanks for your response Xenophon,

Unfortunately to hear that you're using cookieless session state which
means using cookie is not possible in your web application. Because the
ASP.NET webapplicaiton's forms authentication support only cookie based
authenticate ticket, if our web application does not use cookie, I'm afraid
we have to build our own form based autentication module which will store
and retrieve authenticate ticket from session state( this is what we used
to do in some classic ASP app...), we store a identify in session state
after user login and then check that variable in each page's request to
validate user.....

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| NNTP-Posting-Date: Tue, 01 Nov 2005 12:55:08 -0600
| From: xenophon <xe******@online.nospam>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Subject: Re: Framework 1.1 Multiple Authentication?
| Date: Tue, 01 Nov 2005 13:44:38 -0500
| Message-ID: <8p********************************@4ax.com>
| References: <4p********************************@4ax.com>
<OG**************@TK2MSFTNGP10.phx.gbl>
<DR**************@TK2MSFTNGXA01.phx.gbl>
| X-Newsreader: Forte Agent 2.0/32.646
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Lines: 82
| X-Trace:
sv3-bew6JhvVx9oLcRhELIGxliI1rf7309fefGlkpCqU8WZfMYNi5B iJcihbRIcASjA9j6mDUzTi
x0i5nwl!Puz0JJTJHTGqofprR1TopTbQjY+PIurZ+0secGlEzs fUJvilAg/AurXLOOBGBArZbNfg
2g==
| X-Complaints-To: ab***@giganews.com
| X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!border1.nntp.d ca.giganews.com!nntp.gigan
ews.com!local01.nntp.dca.giganews.com!news.giganew s.com.POSTED!not-for-mail
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet:135314
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
| Thanks to you and Gustav and Patrick.
|
| I am using cookieless sessions and cannot use cookies at all for my
| clients. How will Forms auth work in that case?
|
|
|
| n Mon, 31 Oct 2005 04:15:24 GMT, st*****@online.microsoft.com (Steven
| Cheng[MSFT]) wrote:
|
| >Thanks for Gaurav and Patrick's informative inputs.
| >
| >Hi xenophon,
| >
| >For providing separate authorization schema for mutiple sub dirs in
asp.net
| >web application, generally we have the following two options:
| >1. Put a separate web.config in each sub dir which need
formsauthentication
| >protection. And override the <authorization> section in that web.config.
| >Thus, all the pages in that sub dir is protected to that <authorization

| >setting.
| >
| >2. Use the <location> element as Gaurav has mentioned, this can help us
put
| >the configuration for sub dir in the main web.config so as to avoid put
| >multiple sub web.config in each sub dir.
| >
| >#Configuration <location> Settings
|http://msdn.microsoft.com/library/en...figurationloca

t
| >ionsettings.asp?frame=true
| >
| >Thanks,
| >
| >Steven Cheng
| >Microsoft Online Support
| >
| >Get Secure! www.microsoft.com/security
| >(This posting is provided "AS IS", with no warranties, and confers no
| >rights.)
| >
| >
| >
| >
| >
| >
| >--------------------
| >| From: "Patrick.O.Ige" <pa********@optusnet.com.au>
| >| References: <4p********************************@4ax.com>
| >| Subject: Re: Framework 1.1 Multiple Authentication?
| >| Date: Sun, 30 Oct 2005 12:27:29 +1100
| >| Lines: 19
| >| X-Priority: 3
| >| X-MSMail-Priority: Normal
| >| X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
| >| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
| >| Message-ID: <OG**************@TK2MSFTNGP10.phx.gbl>
| >| Newsgroups: microsoft.public.dotnet.framework.aspnet
| >| NNTP-Posting-Host: d58-105-58-245.dsl.vic.optusnet.com.au 58.105.58.245
| >| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP10.phx.gbl
| >| Xref: TK2MSFTNGXA01.phx.gbl
| >microsoft.public.dotnet.framework.aspnet:134781
| >| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| >|
| >| Xenophon try looking through this article at:-
| >| http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
| >| It should guide you.
| >| Patrick
| >|
| >| "xenophon" <xe******@online.nospam> wrote in message
| >| news:4p********************************@4ax.com...
| >| >
| >| > I have a web site with forms authentication and a single logon page.
I
| >| > have 4 subdirectories, each that should be protected by a different
| >| > username/password combination. For testing purposes, the
| >| > username/password are hardcoded into the code-behind C# code.
| >| >
| >| > How can I write my web.config to make this happen?
| >| >
| >| > Thanks.
| >| >
| >|
| >|
| >|
|
|

Hi xenophon,

How are you doing on this issue, have you got any further ideas? If
there're anything else we can help, please feel free to post here. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| X-Tomcat-ID: 113841816
| References: <4p********************************@4ax.com>
<OG**************@TK2MSFTNGP10.phx.gbl>
<DR**************@TK2MSFTNGXA01.phx.gbl>
<8p********************************@4ax.com>
| MIME-Version: 1.0
| Content-Type: text/plain
| Content-Transfer-Encoding: 7bit
| From: st*****@online.microsoft.com (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Wed, 02 Nov 2005 06:42:14 GMT
| Subject: Re: Framework 1.1 Multiple Authentication?
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| Message-ID: <Q#**************@TK2MSFTNGXA01.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Lines: 132
| Path: TK2MSFTNGXA01.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet:135429
| NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
|
| Thanks for your response Xenophon,
|
| Unfortunately to hear that you're using cookieless session state which
| means using cookie is not possible in your web application. Because the
| ASP.NET webapplicaiton's forms authentication support only cookie based
| authenticate ticket, if our web application does not use cookie, I'm
afraid
| we have to build our own form based autentication module which will store
| and retrieve authenticate ticket from session state( this is what we used
| to do in some classic ASP app...), we store a identify in session state
| after user login and then check that variable in each page's request to
| validate user.....
|
| Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
| Get Secure! www.microsoft.com/security
| (This posting is provided "AS IS", with no warranties, and confers no
| rights.)
|
|
|
| --------------------
| | NNTP-Posting-Date: Tue, 01 Nov 2005 12:55:08 -0600
| | From: xenophon <xe******@online.nospam>
| | Newsgroups: microsoft.public.dotnet.framework.aspnet
| | Subject: Re: Framework 1.1 Multiple Authentication?
| | Date: Tue, 01 Nov 2005 13:44:38 -0500
| | Message-ID: <8p********************************@4ax.com>
| | References: <4p********************************@4ax.com>
| <OG**************@TK2MSFTNGP10.phx.gbl>
| <DR**************@TK2MSFTNGXA01.phx.gbl>
| | X-Newsreader: Forte Agent 2.0/32.646
| | MIME-Version: 1.0
| | Content-Type: text/plain; charset=us-ascii
| | Content-Transfer-Encoding: 7bit
| | Lines: 82
| | X-Trace:
|
sv3-bew6JhvVx9oLcRhELIGxliI1rf7309fefGlkpCqU8WZfMYNi5B iJcihbRIcASjA9j6mDUzTi
|
x0i5nwl!Puz0JJTJHTGqofprR1TopTbQjY+PIurZ+0secGlEzs fUJvilAg/AurXLOOBGBArZbNfg
| 2g==
| | X-Complaints-To: ab***@giganews.com
| | X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
| | X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| | X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
| complaint properly
| | X-Postfilter: 1.3.32
| | Path:
|
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
|
ne.de!border2.nntp.dca.giganews.com!border1.nntp.d ca.giganews.com!nntp.gigan
|
ews.com!local01.nntp.dca.giganews.com!news.giganew s.com.POSTED!not-for-mail
| | Xref: TK2MSFTNGXA01.phx.gbl
| microsoft.public.dotnet.framework.aspnet:135314
| | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| |
| | Thanks to you and Gustav and Patrick.
| |
| | I am using cookieless sessions and cannot use cookies at all for my
| | clients. How will Forms auth work in that case?
| |
| |
| |
| | n Mon, 31 Oct 2005 04:15:24 GMT, st*****@online.microsoft.com (Steven
| | Cheng[MSFT]) wrote:
| |
| | >Thanks for Gaurav and Patrick's informative inputs.
| | >
| | >Hi xenophon,
| | >
| | >For providing separate authorization schema for mutiple sub dirs in
| asp.net
| | >web application, generally we have the following two options:
| | >1. Put a separate web.config in each sub dir which need
| formsauthentication
| | >protection. And override the <authorization> section in that
web.config.
| | >Thus, all the pages in that sub dir is protected to that
<authorization
| >
| | >setting.
| | >
| | >2. Use the <location> element as Gaurav has mentioned, this can help
us
| put
| | >the configuration for sub dir in the main web.config so as to avoid
put
| | >multiple sub web.config in each sub dir.
| | >
| | >#Configuration <location> Settings
| |
|

http://msdn.microsoft.com/library/en...figurationloca

| t
| | >ionsettings.asp?frame=true
| | >
| | >Thanks,
| | >
| | >Steven Cheng
| | >Microsoft Online Support
| | >
| | >Get Secure! www.microsoft.com/security
| | >(This posting is provided "AS IS", with no warranties, and confers no
| | >rights.)
| | >
| | >
| | >
| | >
| | >
| | >
| | >--------------------
| | >| From: "Patrick.O.Ige" <pa********@optusnet.com.au>
| | >| References: <4p********************************@4ax.com>
| | >| Subject: Re: Framework 1.1 Multiple Authentication?
| | >| Date: Sun, 30 Oct 2005 12:27:29 +1100
| | >| Lines: 19
| | >| X-Priority: 3
| | >| X-MSMail-Priority: Normal
| | >| X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
| | >| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
| | >| Message-ID: <OG**************@TK2MSFTNGP10.phx.gbl>
| | >| Newsgroups: microsoft.public.dotnet.framework.aspnet
| | >| NNTP-Posting-Host: d58-105-58-245.dsl.vic.optusnet.com.au
58.105.58.245
| | >| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP10.phx.gbl
| | >| Xref: TK2MSFTNGXA01.phx.gbl
| | >microsoft.public.dotnet.framework.aspnet:134781
| | >| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| | >|
| | >| Xenophon try looking through this article at:-
| | >| http://aspalliance.com/articleViewer.aspx?aId=501&pId=1
| | >| It should guide you.
| | >| Patrick
| | >|
| | >| "xenophon" <xe******@online.nospam> wrote in message
| | >| news:4p********************************@4ax.com...
| | >| >
| | >| > I have a web site with forms authentication and a single logon
page.
| I
| | >| > have 4 subdirectories, each that should be protected by a different
| | >| > username/password combination. For testing purposes, the
| | >| > username/password are hardcoded into the code-behind C# code.
| | >| >
| | >| > How can I write my web.config to make this happen?
| | >| >
| | >| > Thanks.
| | >| >
| | >|
| | >|
| | >|
| |
| |
|
|

Could you show a sample of "our own form based authentication module"?
I think that is what I really need to do. I must rely on cookieless
sessions.

Thanks.

On Wed, 02 Nov 2005 06:42:14 GMT, st*****@online.microsoft.com (Steven
Cheng[MSFT]) wrote:

Thanks for your response Xenophon,

Unfortunately to hear that you're using cookieless session state which
means using cookie is not possible in your web application. Because the
ASP.NET webapplicaiton's forms authentication support only cookie based
authenticate ticket, if our web application does not use cookie, I'm afraid
we have to build our own form based autentication module which will store
and retrieve authenticate ticket from session state( this is what we used
to do in some classic ASP app...), we store a identify in session state
after user login and then check that variable in each page's request to
validate user.....

Thanks,

Hi Xenophon,

So for your scenario, a quick idea come to my mind is building a custom
HttpModule to handle such authentication task. Assume that we manually do
the Forms Authenticaiton and after user login, we store the encrypted
authentication ticket in the URL(since the clients are cookieless....). And
in our custom HttpModule, we intercept the "AuthenticateRequest" event
where we parse the URL string and validating the encrypted ticket in the
url's querystring.... If invalid, end this request or redirect to a login
page.... In fact, the buildin ASP.NET FormsAuthentiation and Session
State just use a HttpModule to do the work for each comming asp.net
request...

Here are some reference on creating custom HttpModule:

#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
http://support.microsoft.com/default...b;en-us;307985

#Custom HttpModule Example
http://msdn.microsoft.com/library/en...tomhttpmodules.
asp?frame=true

Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
| NNTP-Posting-Date: Wed, 09 Nov 2005 07:57:54 -0600
| From: xenophon <xe******@online.nospam>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Subject: Re: Framework 1.1 Multiple Authentication?
| Date: Wed, 09 Nov 2005 08:47:24 -0500
| Message-ID: <vd********************************@4ax.com>
| References: <4p********************************@4ax.com>
<OG**************@TK2MSFTNGP10.phx.gbl>
<DR**************@TK2MSFTNGXA01.phx.gbl>
<8p********************************@4ax.com>
<Q#**************@TK2MSFTNGXA01.phx.gbl>
| X-Newsreader: Forte Agent 2.0/32.646
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Lines: 25
| X-Trace:
sv3-abxqkl0KV3/vSuR2YN6CNZj1xPMByI27kIYQQqrnXqYXKD50VuYWq/QmArYhf2RwKhX7pEn0
QPmeID6!Y2HkzHZz7i6EerZ+HMBwwxHaje4i6s/4KgD4MAIYCnDDHcP2Gi7P0cw6Crtrtdvojb2d
//k=
| X-Complaints-To: ab***@giganews.com
| X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
ne.de!border2.nntp.dca.giganews.com!border1.nntp.d ca.giganews.com!nntp.gigan
ews.com!local01.nntp.dca.giganews.com!news.giganew s.com.POSTED!not-for-mail
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:356646
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
|
| Could you show a sample of "our own form based authentication module"?
| I think that is what I really need to do. I must rely on cookieless
| sessions.
|
| Thanks.
|
|
|
| On Wed, 02 Nov 2005 06:42:14 GMT, st*****@online.microsoft.com (Steven
| Cheng[MSFT]) wrote:
|
| >Thanks for your response Xenophon,
| >
| >Unfortunately to hear that you're using cookieless session state which
| >means using cookie is not possible in your web application. Because the
| >ASP.NET webapplicaiton's forms authentication support only cookie based
| >authenticate ticket, if our web application does not use cookie, I'm
afraid
| >we have to build our own form based autentication module which will
store
| >and retrieve authenticate ticket from session state( this is what we
used
| >to do in some classic ASP app...), we store a identify in session state
| >after user login and then check that variable in each page's request to
| >validate user.....
| >
| >Thanks,
|

Thanks for the help. I have writen HttpModules before, but not as you
say. Could you show the "skeleton code" with events and methods to
use/override for the module?

Thanks.
On Thu, 10 Nov 2005 09:43:59 GMT, st*****@online.microsoft.com (Steven
Cheng[MSFT]) wrote:

Hi Xenophon,

So for your scenario, a quick idea come to my mind is building a custom
HttpModule to handle such authentication task. Assume that we manually do
the Forms Authenticaiton and after user login, we store the encrypted
authentication ticket in the URL(since the clients are cookieless....). And
in our custom HttpModule, we intercept the "AuthenticateRequest" event
where we parse the URL string and validating the encrypted ticket in the
url's querystring.... If invalid, end this request or redirect to a login
page.... In fact, the buildin ASP.NET FormsAuthentiation and Session
State just use a HttpModule to do the work for each comming asp.net
request...

Here are some reference on creating custom HttpModule:

#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
http://support.microsoft.com/default...b;en-us;307985

#Custom HttpModule Example
http://msdn.microsoft.com/library/en...tomhttpmodules.
asp?frame=true

Hope helps. Thanks,

Steven Cheng

Hi Xenophon,

Genearlly, we just need to register the event handler for whatever events
we want to intercept in our custom HttpModule, e.g:

=========================
public class CustomAuthModule : IHttpModule
{
public CustomAuthModule()
{}
#region IHttpModule Members

public void Dispose()
{ }

public void Init(HttpApplication context)
{
context.AuthenticateRequest += new EventHandler(Auth_Request);
}

protected void Auth_Request(object sender, EventArgs e)
{
HttpApplication app = sender as HttpApplication;
HttpContext context = app.Context;
HttpRequest req = context.Request;
HttpResponse rep = context.Response;

string url = req.RawUrl;

//do string parsing to retrieve the
//authentication ticket from the url string
}
#endregion
}
===========================

We can retreive the request' URL string and parse the authentication ticket
in the url string. Also, this is based on that each request after the
client user login through the login page should contains the authentication
ticket in URL string (just like cookieless session....). This is also a
problem since we need to adjust each linked page's url (of the same
application...) which should be protected by our custom authentication...

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| NNTP-Posting-Date: Sat, 12 Nov 2005 20:24:11 -0600
| From: xenophon <xe******@online.nospam>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Subject: Re: Framework 1.1 Multiple Authentication?
| Date: Sat, 12 Nov 2005 21:13:23 -0500
| Message-ID: <b8********************************@4ax.com>
| References: <4p********************************@4ax.com>
<OG**************@TK2MSFTNGP10.phx.gbl>
<DR**************@TK2MSFTNGXA01.phx.gbl>
<8p********************************@4ax.com>
<Q#**************@TK2MSFTNGXA01.phx.gbl>
<vd********************************@4ax.com>
<GZ**************@TK2MSFTNGXA02.phx.gbl>
| X-Newsreader: Forte Agent 2.0/32.646
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Lines: 36
| X-Trace:
sv3-K5GqfXvTKiZclM3pezkCfGerkK4GFXSoTiHsjfbPQC5jJpBDsN 1Srg7MgUr5WKIqzEJg95gh
R9HfVSE!AN4Y6xQrW/MlIyDOfdgHyoxl79BAkoOC7dVckUwOU/zTbUk3NJZWCGmTQiVYnjGXDktS
qGY=
| X-Complaints-To: ab***@giganews.com
| X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
| X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
complaint properly
| X-Postfilter: 1.3.32
| Path:
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
ne.de!news.glorb.com!border1.nntp.dca.giganews.com !nntp.giganews.com!local01
nntp.dca.giganews.com!news.giganews.com.POSTED!not-for-mail
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:357680
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
|
|
| Thanks for the help. I have writen HttpModules before, but not as you
| say. Could you show the "skeleton code" with events and methods to
| use/override for the module?
|
| Thanks.
|
|
| On Thu, 10 Nov 2005 09:43:59 GMT, st*****@online.microsoft.com (Steven
| Cheng[MSFT]) wrote:
|
| >Hi Xenophon,
| >
| >So for your scenario, a quick idea come to my mind is building a custom
| >HttpModule to handle such authentication task. Assume that we manually
do
| >the Forms Authenticaiton and after user login, we store the encrypted
| >authentication ticket in the URL(since the clients are cookieless....).
And
| >in our custom HttpModule, we intercept the "AuthenticateRequest" event
| >where we parse the URL string and validating the encrypted ticket in the
| >url's querystring.... If invalid, end this request or redirect to a
login
| >page.... In fact, the buildin ASP.NET FormsAuthentiation and
Session
| >State just use a HttpModule to do the work for each comming asp.net
| >request...
| >
| >Here are some reference on creating custom HttpModule:
| >
| >#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
| >http://support.microsoft.com/default...b;en-us;307985
| >
| >#Custom HttpModule Example
|

http://msdn.microsoft.com/library/en...tomhttpmodules

Hi Xenophon,

Does the further things I mentioend helps some? If there're anything else
we can help, please don't hesitate to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| X-Tomcat-ID: 244553380
| References: <4p********************************@4ax.com>
<OG**************@TK2MSFTNGP10.phx.gbl>
<DR**************@TK2MSFTNGXA01.phx.gbl>
<8p********************************@4ax.com>
<Q#**************@TK2MSFTNGXA01.phx.gbl>
<vd********************************@4ax.com>
<GZ**************@TK2MSFTNGXA02.phx.gbl>
<b8********************************@4ax.com>
| MIME-Version: 1.0
| Content-Type: text/plain
| Content-Transfer-Encoding: 7bit
| From: st*****@online.microsoft.com (Steven Cheng[MSFT])
| Organization: Microsoft
| Date: Mon, 14 Nov 2005 13:12:58 GMT
| Subject: Re: Framework 1.1 Multiple Authentication?
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| Message-ID: <eW*************@TK2MSFTNGXA02.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework.aspnet
| Lines: 117
| Path: TK2MSFTNGXA02.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.aspnet:357906
| NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
|
| Hi Xenophon,
|
| Genearlly, we just need to register the event handler for whatever events
| we want to intercept in our custom HttpModule, e.g:
|
| =========================
| public class CustomAuthModule : IHttpModule
| {
| public CustomAuthModule()
| {}
| #region IHttpModule Members
|
| public void Dispose()
| { }
|
| public void Init(HttpApplication context)
| {
| context.AuthenticateRequest += new EventHandler(Auth_Request);
| }
|
| protected void Auth_Request(object sender, EventArgs e)
| {
| HttpApplication app = sender as HttpApplication;
| HttpContext context = app.Context;
| HttpRequest req = context.Request;
| HttpResponse rep = context.Response;
|
| string url = req.RawUrl;
|
| //do string parsing to retrieve the
| //authentication ticket from the url string
| }
| #endregion
| }
| ===========================
|
| We can retreive the request' URL string and parse the authentication
ticket
| in the url string. Also, this is based on that each request after the
| client user login through the login page should contains the
authentication
| ticket in URL string (just like cookieless session....). This is also a
| problem since we need to adjust each linked page's url (of the same
| application...) which should be protected by our custom authentication...
|
| Thanks,
|
| Steven Cheng
| Microsoft Online Support
|
| Get Secure! www.microsoft.com/security
| (This posting is provided "AS IS", with no warranties, and confers no
| rights.)
|
|
| --------------------
| | NNTP-Posting-Date: Sat, 12 Nov 2005 20:24:11 -0600
| | From: xenophon <xe******@online.nospam>
| | Newsgroups: microsoft.public.dotnet.framework.aspnet
| | Subject: Re: Framework 1.1 Multiple Authentication?
| | Date: Sat, 12 Nov 2005 21:13:23 -0500
| | Message-ID: <b8********************************@4ax.com>
| | References: <4p********************************@4ax.com>
| <OG**************@TK2MSFTNGP10.phx.gbl>
| <DR**************@TK2MSFTNGXA01.phx.gbl>
| <8p********************************@4ax.com>
| <Q#**************@TK2MSFTNGXA01.phx.gbl>
| <vd********************************@4ax.com>
| <GZ**************@TK2MSFTNGXA02.phx.gbl>
| | X-Newsreader: Forte Agent 2.0/32.646
| | MIME-Version: 1.0
| | Content-Type: text/plain; charset=us-ascii
| | Content-Transfer-Encoding: 7bit
| | Lines: 36
| | X-Trace:
|
sv3-K5GqfXvTKiZclM3pezkCfGerkK4GFXSoTiHsjfbPQC5jJpBDsN 1Srg7MgUr5WKIqzEJg95gh
|
R9HfVSE!AN4Y6xQrW/MlIyDOfdgHyoxl79BAkoOC7dVckUwOU/zTbUk3NJZWCGmTQiVYnjGXDktS
| qGY=
| | X-Complaints-To: ab***@giganews.com
| | X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
| | X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
| | X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your
| complaint properly
| | X-Postfilter: 1.3.32
| | Path:
|
TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfee d00.sul.t-online.de!t-onli
|
ne.de!news.glorb.com!border1.nntp.dca.giganews.com !nntp.giganews.com!local01
| .nntp.dca.giganews.com!news.giganews.com.POSTED!no t-for-mail
| | Xref: TK2MSFTNGXA02.phx.gbl
| microsoft.public.dotnet.framework.aspnet:357680
| | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet
| |
| |
| | Thanks for the help. I have writen HttpModules before, but not as you
| | say. Could you show the "skeleton code" with events and methods to
| | use/override for the module?
| |
| | Thanks.
| |
| |
| | On Thu, 10 Nov 2005 09:43:59 GMT, st*****@online.microsoft.com (Steven
| | Cheng[MSFT]) wrote:
| |
| | >Hi Xenophon,
| | >
| | >So for your scenario, a quick idea come to my mind is building a
custom
| | >HttpModule to handle such authentication task. Assume that we manually
| do
| | >the Forms Authenticaiton and after user login, we store the encrypted
| | >authentication ticket in the URL(since the clients are
cookieless....).
| And
| | >in our custom HttpModule, we intercept the "AuthenticateRequest" event
| | >where we parse the URL string and validating the encrypted ticket in
the
| | >url's querystring.... If invalid, end this request or redirect to a
| login
| | >page.... In fact, the buildin ASP.NET FormsAuthentiation and
| Session
| | >State just use a HttpModule to do the work for each comming asp.net
| | >request...
| | >
| | >Here are some reference on creating custom HttpModule:
| | >
| | >#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
| | >http://support.microsoft.com/default...b;en-us;307985
| | >
| | >#Custom HttpModule Example
| |
|

http://msdn.microsoft.com/library/en...tomhttpmodules

|