Wrox Programmer Forums
ASP.NET 1.0 and 1.1 Professional For advanced ASP.NET 1.x coders. Beginning-level questions will be redirected to other forums. NOT for "classic" ASP 3 or the newer ASP.NET 2.0 and 3.5
You are currently viewing the ASP.NET 1.0 and 1.1 Professional section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
January 17th, 2008, 01:36 AM
Friend of Wrox
 
Join Date: Jun 2004
Posts: 449
Thanks: 0
Thanked 1 Time in 1 Post
r_ganesh76
Authentication

Hi Experts,

In my ASP.NET application, I have a login page which secures the individual pages using session. Basically I want to allow all the people in my LDAP access to the individual pages. This is perfectly done by my login.aspx.

I handle the session through global.asax events, which check for the existence of the session variables and redirect through the login page in case the session is missing. This works fine for all the aspx files. But the global.asax event does not capture the session when the request comes for pdf/doc.

So the pdf/doc files inside my application are unsecured, in the sense that anybody can access them without logging in if they know the URL or have bookmarked the URL.

Is there any way to handle this situation? Please advise.

Regards
Ganesh
http://ganeshprof.blogspot.com
Find your solution here...
 
January 17th, 2008, 11:01 AM
planoie
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

Question: Why are you re-inventing what ASP.NET already does (Forms Authentication)?


Code in your application's Global class can only run for files that are handled by the ASP.NET runtime. This is set by IIS. By default, any file other than those used in a .NET project is not handled by the ASP.NET runtime. Thus you don't get any of the security features for those other files.

One solution is to modify IIS. Go to the web site or virtual directory for this application, then choose Properties from its context menu. Go to the "Directory" tab, and click the "Configuration" button. Under the "Mappings" tab you can add a file extension for all file types you wish to secure. Even though a PDF or DOC file is meaningless to the ASP.NET runtime, the request will be handled by the runtime's ISAPI and will then be subject to the rules defined in the web config and application code. I just tried it with some XML files and by turning on forms authentication for a test virtual directory. Worked great! You will suffer a performance hit because lots of non-aspx requests will be run through the runtime application instead of just being served by IIS directly. However, this should be negligible and is likely the only solution.

-Peter
 
January 18th, 2008, 01:17 AM
Friend of Wrox
 
Join Date: Jun 2004
Posts: 449
Thanks: 0
Thanked 1 Time in 1 Post
r_ganesh76

Thanks, Peter, for your reply.

I have done the same thing in my IIS configuration. However, the global.asax event does not handle session for such files. Can this be achieved through forms authentication?

Regards
Ganesh
http://ganeshprof.blogspot.com
Find your solution here...
 
January 18th, 2008, 11:34 AM
planoie
Friend of Wrox
 
Join Date: Aug 2003
Posts: 5,407
Thanks: 0
Thanked 16 Times in 16 Posts

I had success in having the ASP.NET runtime handle the request but I did not try any global code for it. It is possible that only resources that actually require some processing (ASPX, ASMX, ASHX) will result in execution of global events.

The reason I used forms authentication was that it was the fastest way to see that the ASP.NET runtime was actually handling the call without writing any code in the global class. I simply got a redirect to the login page of the app when I requested a file with the extension I added to the IIS configuration. This wasn't a completely accurate test. I guess I made the unfair assumption that the global events would be handled any time the runtime handled a file request. That doesn't seem to be the case.

I'm not sure how you would go about changing this behavior. However, this gets us back to my original question and your last question. What you describe in your first post about redirecting the user based on session var checks is precisely what forms authentication is designed to do (although it's based on the presence of a forms auth ticket cookie). Forms auth handles all the logic to deny requests to unauthenticated users. There are many ways to authenticate the user so you can still use LDAP to authenticate users. I haven't worked with it so I can't provide any concrete examples. I imagine you already have code that works with that so you really just need to implement forms auth and eliminate the global event handlers.

-Peter
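
The configuration the replies above describe, written out as an added example that is not part of the original thread: a web.config that turns on forms authentication and denies anonymous users, so that .pdf and .doc requests (once mapped to the ASP.NET ISAPI in IIS) are redirected to login.aspx like any .aspx page. The cookie name, timeout and the explicit handler entries are assumptions; only login.aspx and the two extensions come from the posts.

```xml
<!-- web.config at the application root (added example; the cookie name
     and timeout below are assumed values, not from the thread) -->
<configuration>
  <system.web>
    <!-- Forms authentication replaces the Session check in global.asax.
         The forms authentication module runs for every request that IIS
         hands to the ASP.NET ISAPI, including .pdf and .doc once those
         extensions are added under the "Mappings" tab. -->
    <authentication mode="Forms">
      <forms name=".APPAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Deny anonymous users ("?") for the whole application. URL
         authorization is enforced before any handler, static or not,
         serves the file. The login page itself stays reachable. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Serve the mapped document types through the static file handler.
         The machine-level catch-all handler normally does this already;
         listing them here keeps the protected extensions in one place. -->
    <httpHandlers>
      <add verb="GET,HEAD" path="*.pdf" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.doc" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>
</configuration>
```

With this in place, login.aspx keeps its existing LDAP check and, on success, calls `FormsAuthentication.RedirectFromLoginPage(userName, false)` to issue the ticket cookie and send the user back to the document originally requested.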




