I've been reading this article:
http://msdn2.microsoft.com/EN-US/library/aa302401.aspx
Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication
(the article is for 1.1)
(i'm using 2.0)
The article is good. Then you get to the part about
:::::::::::::
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
}
That you have to "hack in" a way to keep your custom IPrincipal alive and
well.
(I discovered this because when I did the following:
CustomPrincipal customPrinc = new CustomPrincipal(ident);
System.Web.HttpContext.Current.User = customPrinc ;
then you went to the next page, the System.Web.HttpContext.Current.User was
a GenericPrincipal) and not an instance of CustomPrincipal like I would
expect.
.............
Is there a better way to handle this in 2.0, rather than hacking into the
Application_AuthenticateRequest method?
With the provider model in 2.0 I would expect something (similar) to:
<authentication mode= "MyCustomAuthenicator"/>
But no go on that.
There's gotta be a better way in 2.0 ?!?
Thanks!