|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
How to bypass Forms Authentication on selected pages programmaticaHi
I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ Use the HttpContext.SkipAuthorization property to turn authorization on or
off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajme***@discussions.microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > Hi > > I am trying to bypass Forms Authentication on certain pages > programmatically. Any thoughts will be appreciated. > > Thanks, > AJ Thanks Joe.
Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ Show quoteHide quote "Joe Kaplan" wrote: > Use the HttpContext.SkipAuthorization property to turn authorization on or > off programmatically on a page by page basis. You probably want to put this > code in global.asax or an IHttpModule. > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > > Hi > > > > I am trying to bypass Forms Authentication on certain pages > > programmatically. Any thoughts will be appreciated. > > > > Thanks, > > AJ > > > Not the query string, but the Request.Url or Request.Path property. I don't
really have a sample for you, but basically your code would do this: In the appropriate event (probably the Authenticate event so this runs after authentication but before authorization) check the Url of the Request to see if it matches one of the resources you want to exclude. If so, set SkipAuthorization to false. Be very careful with how you do the matching of the path against your list of exclusions. There isn't really much to it. Just play around with it. :) There are also probably some fancier ways you can do this. You might apply some kind of marker to the actual page via a base class, marker interface or custom attribute on your pages and determine that from the IHttpHandler that is set up in the HttpContext for the request. I haven't tried that, but I don't see why it wouldn't work. Part of it depends on how you want to maintain the list of excluded resources. If you want to do this from the code in the page, I'd take this approach. If you want to maintain a list of their URLs, then the previous approach is better. However, that kind of thing might be easier to deal with through the standard location tags in web.config. I'm curious if Dominick (or anyone else) sees this thread and has a strong opinion about this. Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajme***@discussions.microsoft.com> wrote in message news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > Thanks Joe. > > Do you have an example of this property being used in Global.asax? I am > not > sure about how to check to see if -- this is the right page to be left > out > for authentication. > > Should I use a QueryString for this check? > > > Thanks again > AJ > > "Joe Kaplan" wrote: > >> Use the HttpContext.SkipAuthorization property to turn authorization on >> or >> off programmatically on a page by page basis. You probably want to put >> this >> code in global.asax or an IHttpModule. >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... >> > Hi >> > >> > I am trying to bypass Forms Authentication on certain pages >> > programmatically. Any thoughts will be appreciated. >> > >> > Thanks, >> > AJ >> >> >> Hey Joe, thanks for the last post.
I am using the following code in Global.asax: Private Sub Global_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AuthenticateRequest Dim instance As HttpContext If Request.Path = "/TestProject/FileUpload.aspx" Then instance.SkipAuthorization = False End If End Sub I know what you said seems very staright forward. But it hasn't worked in my case yet. I know I am missing something somewhere. I have tried this in Application_AuthenticateRequest as well. Let me know Appreciate your help, AJ Show quoteHide quote "Joe Kaplan" wrote: > Not the query string, but the Request.Url or Request.Path property. I don't > really have a sample for you, but basically your code would do this: > > In the appropriate event (probably the Authenticate event so this runs after > authentication but before authorization) check the Url of the Request to see > if it matches one of the resources you want to exclude. If so, set > SkipAuthorization to false. Be very careful with how you do the matching of > the path against your list of exclusions. There isn't really much to it. > Just play around with it. :) > > There are also probably some fancier ways you can do this. You might apply > some kind of marker to the actual page via a base class, marker interface or > custom attribute on your pages and determine that from the IHttpHandler that > is set up in the HttpContext for the request. I haven't tried that, but I > don't see why it wouldn't work. Part of it depends on how you want to > maintain the list of excluded resources. If you want to do this from the > code in the page, I'd take this approach. If you want to maintain a list of > their URLs, then the previous approach is better. However, that kind of > thing might be easier to deal with through the standard location tags in > web.config. > > I'm curious if Dominick (or anyone else) sees this thread and has a strong > opinion about this. > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > > Thanks Joe. > > > > Do you have an example of this property being used in Global.asax? I am > > not > > sure about how to check to see if -- this is the right page to be left > > out > > for authentication. > > > > Should I use a QueryString for this check? > > > > > > Thanks again > > AJ > > > > "Joe Kaplan" wrote: > > > >> Use the HttpContext.SkipAuthorization property to turn authorization on > >> or > >> off programmatically on a page by page basis. You probably want to put > >> this > >> code in global.asax or an IHttpModule. > >> > >> Joe K. > >> > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > >> > Hi > >> > > >> > I am trying to bypass Forms Authentication on certain pages > >> > programmatically. Any thoughts will be appreciated. > >> > > >> > Thanks, > >> > AJ > >> > >> > >> > > > you have to set SkipAuthorization to true
HttpContext.Current.SkipAuthorization = true; ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) Show quoteHide quote > Hey Joe, thanks for the last post. > > I am using the following code in Global.asax: > Private Sub Global_AuthenticateRequest(ByVal sender As Object, > ByVal e > As System.EventArgs) Handles MyBase.AuthenticateRequest > Dim instance As HttpContext > If Request.Path = "/TestProject/FileUpload.aspx" Then > instance.SkipAuthorization = False > End If > End Sub > I know what you said seems very staright forward. But it hasn't worked > in my case yet. I know I am missing something somewhere. I have tried > this in Application_AuthenticateRequest as well. Let me know > > Appreciate your help, > AJ > "Joe Kaplan" wrote: >> Not the query string, but the Request.Url or Request.Path property. >> I don't really have a sample for you, but basically your code would >> do this: >> >> In the appropriate event (probably the Authenticate event so this >> runs after authentication but before authorization) check the Url of >> the Request to see if it matches one of the resources you want to >> exclude. If so, set SkipAuthorization to false. Be very careful >> with how you do the matching of the path against your list of >> exclusions. There isn't really much to it. Just play around with it. >> :) >> >> There are also probably some fancier ways you can do this. You might >> apply some kind of marker to the actual page via a base class, marker >> interface or custom attribute on your pages and determine that from >> the IHttpHandler that is set up in the HttpContext for the request. >> I haven't tried that, but I don't see why it wouldn't work. Part of >> it depends on how you want to maintain the list of excluded >> resources. If you want to do this from the code in the page, I'd >> take this approach. If you want to maintain a list of their URLs, >> then the previous approach is better. However, that kind of thing >> might be easier to deal with through the standard location tags in >> web.config. >> >> I'm curious if Dominick (or anyone else) sees this thread and has a >> strong opinion about this. >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... >>> Thanks Joe. >>> >>> Do you have an example of this property being used in Global.asax? I >>> am >>> not >>> sure about how to check to see if -- this is the right page to be >>> left >>> out >>> for authentication. >>> Should I use a QueryString for this check? >>> >>> Thanks again >>> AJ >>> "Joe Kaplan" wrote: >>> >>>> Use the HttpContext.SkipAuthorization property to turn >>>> authorization on >>>> or >>>> off programmatically on a page by page basis. You probably want to >>>> put >>>> this >>>> code in global.asax or an IHttpModule. >>>> Joe K. >>>> >>>> -- >>>> Joe Kaplan-MS MVP Directory Services Programming >>>> Co-author of "The .NET Developer's Guide to Directory Services >>>> Programming" >>>> http://www.directoryprogramming.net >>>> -- >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... >>>>> Hi >>>>> >>>>> I am trying to bypass Forms Authentication on certain pages >>>>> programmatically. Any thoughts will be appreciated. >>>>> >>>>> Thanks, >>>>> AJ Hey Dominick,
That is not working either. Thanks, AJ Show quoteHide quote "Dominick Baier" wrote: > you have to set SkipAuthorization to true > > HttpContext.Current.SkipAuthorization = true; > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > > > Hey Joe, thanks for the last post. > > > > I am using the following code in Global.asax: > > Private Sub Global_AuthenticateRequest(ByVal sender As Object, > > ByVal e > > As System.EventArgs) Handles MyBase.AuthenticateRequest > > Dim instance As HttpContext > > If Request.Path = "/TestProject/FileUpload.aspx" Then > > instance.SkipAuthorization = False > > End If > > End Sub > > I know what you said seems very staright forward. But it hasn't worked > > in my case yet. I know I am missing something somewhere. I have tried > > this in Application_AuthenticateRequest as well. Let me know > > > > Appreciate your help, > > AJ > > "Joe Kaplan" wrote: > >> Not the query string, but the Request.Url or Request.Path property. > >> I don't really have a sample for you, but basically your code would > >> do this: > >> > >> In the appropriate event (probably the Authenticate event so this > >> runs after authentication but before authorization) check the Url of > >> the Request to see if it matches one of the resources you want to > >> exclude. If so, set SkipAuthorization to false. Be very careful > >> with how you do the matching of the path against your list of > >> exclusions. There isn't really much to it. Just play around with it. > >> :) > >> > >> There are also probably some fancier ways you can do this. You might > >> apply some kind of marker to the actual page via a base class, marker > >> interface or custom attribute on your pages and determine that from > >> the IHttpHandler that is set up in the HttpContext for the request. > >> I haven't tried that, but I don't see why it wouldn't work. Part of > >> it depends on how you want to maintain the list of excluded > >> resources. If you want to do this from the code in the page, I'd > >> take this approach. If you want to maintain a list of their URLs, > >> then the previous approach is better. However, that kind of thing > >> might be easier to deal with through the standard location tags in > >> web.config. > >> > >> I'm curious if Dominick (or anyone else) sees this thread and has a > >> strong opinion about this. > >> > >> Joe K. > >> > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > >>> Thanks Joe. > >>> > >>> Do you have an example of this property being used in Global.asax? I > >>> am > >>> not > >>> sure about how to check to see if -- this is the right page to be > >>> left > >>> out > >>> for authentication. > >>> Should I use a QueryString for this check? > >>> > >>> Thanks again > >>> AJ > >>> "Joe Kaplan" wrote: > >>> > >>>> Use the HttpContext.SkipAuthorization property to turn > >>>> authorization on > >>>> or > >>>> off programmatically on a page by page basis. You probably want to > >>>> put > >>>> this > >>>> code in global.asax or an IHttpModule. > >>>> Joe K. > >>>> > >>>> -- > >>>> Joe Kaplan-MS MVP Directory Services Programming > >>>> Co-author of "The .NET Developer's Guide to Directory Services > >>>> Programming" > >>>> http://www.directoryprogramming.net > >>>> -- > >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > >>>>> Hi > >>>>> > >>>>> I am trying to bypass Forms Authentication on certain pages > >>>>> programmatically. Any thoughts will be appreciated. > >>>>> > >>>>> Thanks, > >>>>> AJ > > > Which part isn't working? Is your If condition not matching or is the
SkipAuthorization actually not working. Dominick is definitely right, it has to be set to true. Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajme***@discussions.microsoft.com> wrote in message news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... > Hey Dominick, > > That is not working either. > > Thanks, > AJ > > "Dominick Baier" wrote: > >> you have to set SkipAuthorization to true >> >> HttpContext.Current.SkipAuthorization = true; >> >> ----- >> Dominick Baier (http://www.leastprivilege.com) >> >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> (http://www.microsoft.com/mspress/books/9989.asp) >> >> > Hey Joe, thanks for the last post. >> > >> > I am using the following code in Global.asax: >> > Private Sub Global_AuthenticateRequest(ByVal sender As Object, >> > ByVal e >> > As System.EventArgs) Handles MyBase.AuthenticateRequest >> > Dim instance As HttpContext >> > If Request.Path = "/TestProject/FileUpload.aspx" Then >> > instance.SkipAuthorization = False >> > End If >> > End Sub >> > I know what you said seems very staright forward. But it hasn't worked >> > in my case yet. I know I am missing something somewhere. I have tried >> > this in Application_AuthenticateRequest as well. Let me know >> > >> > Appreciate your help, >> > AJ >> > "Joe Kaplan" wrote: >> >> Not the query string, but the Request.Url or Request.Path property. >> >> I don't really have a sample for you, but basically your code would >> >> do this: >> >> >> >> In the appropriate event (probably the Authenticate event so this >> >> runs after authentication but before authorization) check the Url of >> >> the Request to see if it matches one of the resources you want to >> >> exclude. If so, set SkipAuthorization to false. Be very careful >> >> with how you do the matching of the path against your list of >> >> exclusions. There isn't really much to it. Just play around with it. >> >> :) >> >> >> >> There are also probably some fancier ways you can do this. You might >> >> apply some kind of marker to the actual page via a base class, marker >> >> interface or custom attribute on your pages and determine that from >> >> the IHttpHandler that is set up in the HttpContext for the request. >> >> I haven't tried that, but I don't see why it wouldn't work. Part of >> >> it depends on how you want to maintain the list of excluded >> >> resources. If you want to do this from the code in the page, I'd >> >> take this approach. If you want to maintain a list of their URLs, >> >> then the previous approach is better. However, that kind of thing >> >> might be easier to deal with through the standard location tags in >> >> web.config. >> >> >> >> I'm curious if Dominick (or anyone else) sees this thread and has a >> >> strong opinion about this. >> >> >> >> Joe K. >> >> >> >> -- >> >> Joe Kaplan-MS MVP Directory Services Programming >> >> Co-author of "The .NET Developer's Guide to Directory Services >> >> Programming" >> >> http://www.directoryprogramming.net >> >> -- >> >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... >> >>> Thanks Joe. >> >>> >> >>> Do you have an example of this property being used in Global.asax? I >> >>> am >> >>> not >> >>> sure about how to check to see if -- this is the right page to be >> >>> left >> >>> out >> >>> for authentication. >> >>> Should I use a QueryString for this check? >> >>> >> >>> Thanks again >> >>> AJ >> >>> "Joe Kaplan" wrote: >> >>> >> >>>> Use the HttpContext.SkipAuthorization property to turn >> >>>> authorization on >> >>>> or >> >>>> off programmatically on a page by page basis. You probably want to >> >>>> put >> >>>> this >> >>>> code in global.asax or an IHttpModule. >> >>>> Joe K. >> >>>> >> >>>> -- >> >>>> Joe Kaplan-MS MVP Directory Services Programming >> >>>> Co-author of "The .NET Developer's Guide to Directory Services >> >>>> Programming" >> >>>> http://www.directoryprogramming.net >> >>>> -- >> >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... >> >>>>> Hi >> >>>>> >> >>>>> I am trying to bypass Forms Authentication on certain pages >> >>>>> programmatically. Any thoughts will be appreciated. >> >>>>> >> >>>>> Thanks, >> >>>>> AJ >> >> >> Hey Joe,
I am not sure which part isn't working. here's the code I am using in Global_AuthenticateRequest event in global.asax. If Request.Path = "/TestProject/fileupload.aspx" Then HttpContext.Current.SkipAuthorization = True End If and the URL I am trying to get to without a cookie is http://localhost/TestProject/fileupload.aspx but I am getting redirected to the login page each time. am I missing a setting somewhere? Thanks, Aj Show quoteHide quote "Joe Kaplan" wrote: > Which part isn't working? Is your If condition not matching or is the > SkipAuthorization actually not working. Dominick is definitely right, it > has to be set to true. > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... > > Hey Dominick, > > > > That is not working either. > > > > Thanks, > > AJ > > > > "Dominick Baier" wrote: > > > >> you have to set SkipAuthorization to true > >> > >> HttpContext.Current.SkipAuthorization = true; > >> > >> ----- > >> Dominick Baier (http://www.leastprivilege.com) > >> > >> Developing More Secure Microsoft ASP.NET 2.0 Applications > >> (http://www.microsoft.com/mspress/books/9989.asp) > >> > >> > Hey Joe, thanks for the last post. > >> > > >> > I am using the following code in Global.asax: > >> > Private Sub Global_AuthenticateRequest(ByVal sender As Object, > >> > ByVal e > >> > As System.EventArgs) Handles MyBase.AuthenticateRequest > >> > Dim instance As HttpContext > >> > If Request.Path = "/TestProject/FileUpload.aspx" Then > >> > instance.SkipAuthorization = False > >> > End If > >> > End Sub > >> > I know what you said seems very staright forward. But it hasn't worked > >> > in my case yet. I know I am missing something somewhere. I have tried > >> > this in Application_AuthenticateRequest as well. Let me know > >> > > >> > Appreciate your help, > >> > AJ > >> > "Joe Kaplan" wrote: > >> >> Not the query string, but the Request.Url or Request.Path property. > >> >> I don't really have a sample for you, but basically your code would > >> >> do this: > >> >> > >> >> In the appropriate event (probably the Authenticate event so this > >> >> runs after authentication but before authorization) check the Url of > >> >> the Request to see if it matches one of the resources you want to > >> >> exclude. If so, set SkipAuthorization to false. Be very careful > >> >> with how you do the matching of the path against your list of > >> >> exclusions. There isn't really much to it. Just play around with it. > >> >> :) > >> >> > >> >> There are also probably some fancier ways you can do this. You might > >> >> apply some kind of marker to the actual page via a base class, marker > >> >> interface or custom attribute on your pages and determine that from > >> >> the IHttpHandler that is set up in the HttpContext for the request. > >> >> I haven't tried that, but I don't see why it wouldn't work. Part of > >> >> it depends on how you want to maintain the list of excluded > >> >> resources. If you want to do this from the code in the page, I'd > >> >> take this approach. If you want to maintain a list of their URLs, > >> >> then the previous approach is better. However, that kind of thing > >> >> might be easier to deal with through the standard location tags in > >> >> web.config. > >> >> > >> >> I'm curious if Dominick (or anyone else) sees this thread and has a > >> >> strong opinion about this. > >> >> > >> >> Joe K. > >> >> > >> >> -- > >> >> Joe Kaplan-MS MVP Directory Services Programming > >> >> Co-author of "The .NET Developer's Guide to Directory Services > >> >> Programming" > >> >> http://www.directoryprogramming.net > >> >> -- > >> >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > >> >>> Thanks Joe. > >> >>> > >> >>> Do you have an example of this property being used in Global.asax? I > >> >>> am > >> >>> not > >> >>> sure about how to check to see if -- this is the right page to be > >> >>> left > >> >>> out > >> >>> for authentication. > >> >>> Should I use a QueryString for this check? > >> >>> > >> >>> Thanks again > >> >>> AJ > >> >>> "Joe Kaplan" wrote: > >> >>> > >> >>>> Use the HttpContext.SkipAuthorization property to turn > >> >>>> authorization on > >> >>>> or > >> >>>> off programmatically on a page by page basis. You probably want to > >> >>>> put > >> >>>> this > >> >>>> code in global.asax or an IHttpModule. > >> >>>> Joe K. > >> >>>> > >> >>>> -- > >> >>>> Joe Kaplan-MS MVP Directory Services Programming > >> >>>> Co-author of "The .NET Developer's Guide to Directory Services > >> >>>> Programming" > >> >>>> http://www.directoryprogramming.net > >> >>>> -- > >> >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > >> >>>>> Hi > >> >>>>> > >> >>>>> I am trying to bypass Forms Authentication on certain pages > >> >>>>> programmatically. Any thoughts will be appreciated. > >> >>>>> > >> >>>>> Thanks, > >> >>>>> AJ > >> > >> > >> > > > Hey Joe,
I tried setting this: HttpContext.Current.SkipAuthorization = True without any condition, basically for every page. but I am still getting redirected to the login page. can I set this property somewhere else? Thanks, AJ Show quoteHide quote "Joe Kaplan" wrote: > Which part isn't working? Is your If condition not matching or is the > SkipAuthorization actually not working. Dominick is definitely right, it > has to be set to true. > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... > > Hey Dominick, > > > > That is not working either. > > > > Thanks, > > AJ > > > > "Dominick Baier" wrote: > > > >> you have to set SkipAuthorization to true > >> > >> HttpContext.Current.SkipAuthorization = true; > >> > >> ----- > >> Dominick Baier (http://www.leastprivilege.com) > >> > >> Developing More Secure Microsoft ASP.NET 2.0 Applications > >> (http://www.microsoft.com/mspress/books/9989.asp) > >> > >> > Hey Joe, thanks for the last post. > >> > > >> > I am using the following code in Global.asax: > >> > Private Sub Global_AuthenticateRequest(ByVal sender As Object, > >> > ByVal e > >> > As System.EventArgs) Handles MyBase.AuthenticateRequest > >> > Dim instance As HttpContext > >> > If Request.Path = "/TestProject/FileUpload.aspx" Then > >> > instance.SkipAuthorization = False > >> > End If > >> > End Sub > >> > I know what you said seems very staright forward. But it hasn't worked > >> > in my case yet. I know I am missing something somewhere. I have tried > >> > this in Application_AuthenticateRequest as well. Let me know > >> > > >> > Appreciate your help, > >> > AJ > >> > "Joe Kaplan" wrote: > >> >> Not the query string, but the Request.Url or Request.Path property. > >> >> I don't really have a sample for you, but basically your code would > >> >> do this: > >> >> > >> >> In the appropriate event (probably the Authenticate event so this > >> >> runs after authentication but before authorization) check the Url of > >> >> the Request to see if it matches one of the resources you want to > >> >> exclude. If so, set SkipAuthorization to false. Be very careful > >> >> with how you do the matching of the path against your list of > >> >> exclusions. There isn't really much to it. Just play around with it. > >> >> :) > >> >> > >> >> There are also probably some fancier ways you can do this. You might > >> >> apply some kind of marker to the actual page via a base class, marker > >> >> interface or custom attribute on your pages and determine that from > >> >> the IHttpHandler that is set up in the HttpContext for the request. > >> >> I haven't tried that, but I don't see why it wouldn't work. Part of > >> >> it depends on how you want to maintain the list of excluded > >> >> resources. If you want to do this from the code in the page, I'd > >> >> take this approach. If you want to maintain a list of their URLs, > >> >> then the previous approach is better. However, that kind of thing > >> >> might be easier to deal with through the standard location tags in > >> >> web.config. > >> >> > >> >> I'm curious if Dominick (or anyone else) sees this thread and has a > >> >> strong opinion about this. > >> >> > >> >> Joe K. > >> >> > >> >> -- > >> >> Joe Kaplan-MS MVP Directory Services Programming > >> >> Co-author of "The .NET Developer's Guide to Directory Services > >> >> Programming" > >> >> http://www.directoryprogramming.net > >> >> -- > >> >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > >> >>> Thanks Joe. > >> >>> > >> >>> Do you have an example of this property being used in Global.asax? I > >> >>> am > >> >>> not > >> >>> sure about how to check to see if -- this is the right page to be > >> >>> left > >> >>> out > >> >>> for authentication. > >> >>> Should I use a QueryString for this check? > >> >>> > >> >>> Thanks again > >> >>> AJ > >> >>> "Joe Kaplan" wrote: > >> >>> > >> >>>> Use the HttpContext.SkipAuthorization property to turn > >> >>>> authorization on > >> >>>> or > >> >>>> off programmatically on a page by page basis. You probably want to > >> >>>> put > >> >>>> this > >> >>>> code in global.asax or an IHttpModule. > >> >>>> Joe K. > >> >>>> > >> >>>> -- > >> >>>> Joe Kaplan-MS MVP Directory Services Programming > >> >>>> Co-author of "The .NET Developer's Guide to Directory Services > >> >>>> Programming" > >> >>>> http://www.directoryprogramming.net > >> >>>> -- > >> >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > >> >>>>> Hi > >> >>>>> > >> >>>>> I am trying to bypass Forms Authentication on certain pages > >> >>>>> programmatically. Any thoughts will be appreciated. > >> >>>>> > >> >>>>> Thanks, > >> >>>>> AJ > >> > >> > >> > > > Are you still setting that in the authenticate event in global.asax? That
should work. I've never seen that not work. :) How is the <authorization> section configured in your web.config? Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajme***@discussions.microsoft.com> wrote in message news:29AD7225-67F1-4649-B91E-635B75229783@microsoft.com... > Hey Joe, > > I tried setting this: > HttpContext.Current.SkipAuthorization = True > > without any condition, basically for every page. but I am still getting > redirected to the login page. can I set this property somewhere else? > Thanks, > AJ > > "Joe Kaplan" wrote: > >> Which part isn't working? Is your If condition not matching or is the >> SkipAuthorization actually not working. Dominick is definitely right, it >> has to be set to true. >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... >> > Hey Dominick, >> > >> > That is not working either. >> > >> > Thanks, >> > AJ >> > >> > "Dominick Baier" wrote: >> > >> >> you have to set SkipAuthorization to true >> >> >> >> HttpContext.Current.SkipAuthorization = true; >> >> >> >> ----- >> >> Dominick Baier (http://www.leastprivilege.com) >> >> >> >> Developing More Secure Microsoft ASP.NET 2.0 Applications >> >> (http://www.microsoft.com/mspress/books/9989.asp) >> >> >> >> > Hey Joe, thanks for the last post. >> >> > >> >> > I am using the following code in Global.asax: >> >> > Private Sub Global_AuthenticateRequest(ByVal sender As Object, >> >> > ByVal e >> >> > As System.EventArgs) Handles MyBase.AuthenticateRequest >> >> > Dim instance As HttpContext >> >> > If Request.Path = "/TestProject/FileUpload.aspx" Then >> >> > instance.SkipAuthorization = False >> >> > End If >> >> > End Sub >> >> > I know what you said seems very staright forward. But it hasn't >> >> > worked >> >> > in my case yet. I know I am missing something somewhere. I have >> >> > tried >> >> > this in Application_AuthenticateRequest as well. Let me know >> >> > >> >> > Appreciate your help, >> >> > AJ >> >> > "Joe Kaplan" wrote: >> >> >> Not the query string, but the Request.Url or Request.Path property. >> >> >> I don't really have a sample for you, but basically your code would >> >> >> do this: >> >> >> >> >> >> In the appropriate event (probably the Authenticate event so this >> >> >> runs after authentication but before authorization) check the Url >> >> >> of >> >> >> the Request to see if it matches one of the resources you want to >> >> >> exclude. If so, set SkipAuthorization to false. Be very careful >> >> >> with how you do the matching of the path against your list of >> >> >> exclusions. There isn't really much to it. Just play around with >> >> >> it. >> >> >> :) >> >> >> >> >> >> There are also probably some fancier ways you can do this. You >> >> >> might >> >> >> apply some kind of marker to the actual page via a base class, >> >> >> marker >> >> >> interface or custom attribute on your pages and determine that from >> >> >> the IHttpHandler that is set up in the HttpContext for the request. >> >> >> I haven't tried that, but I don't see why it wouldn't work. Part >> >> >> of >> >> >> it depends on how you want to maintain the list of excluded >> >> >> resources. If you want to do this from the code in the page, I'd >> >> >> take this approach. If you want to maintain a list of their URLs, >> >> >> then the previous approach is better. However, that kind of thing >> >> >> might be easier to deal with through the standard location tags in >> >> >> web.config. >> >> >> >> >> >> I'm curious if Dominick (or anyone else) sees this thread and has a >> >> >> strong opinion about this. >> >> >> >> >> >> Joe K. >> >> >> >> >> >> -- >> >> >> Joe Kaplan-MS MVP Directory Services Programming >> >> >> Co-author of "The .NET Developer's Guide to Directory Services >> >> >> Programming" >> >> >> http://www.directoryprogramming.net >> >> >> -- >> >> >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> >> >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... >> >> >>> Thanks Joe. >> >> >>> >> >> >>> Do you have an example of this property being used in Global.asax? >> >> >>> I >> >> >>> am >> >> >>> not >> >> >>> sure about how to check to see if -- this is the right page to be >> >> >>> left >> >> >>> out >> >> >>> for authentication. >> >> >>> Should I use a QueryString for this check? >> >> >>> >> >> >>> Thanks again >> >> >>> AJ >> >> >>> "Joe Kaplan" wrote: >> >> >>> >> >> >>>> Use the HttpContext.SkipAuthorization property to turn >> >> >>>> authorization on >> >> >>>> or >> >> >>>> off programmatically on a page by page basis. You probably want >> >> >>>> to >> >> >>>> put >> >> >>>> this >> >> >>>> code in global.asax or an IHttpModule. >> >> >>>> Joe K. >> >> >>>> >> >> >>>> -- >> >> >>>> Joe Kaplan-MS MVP Directory Services Programming >> >> >>>> Co-author of "The .NET Developer's Guide to Directory Services >> >> >>>> Programming" >> >> >>>> http://www.directoryprogramming.net >> >> >>>> -- >> >> >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> >> >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... >> >> >>>>> Hi >> >> >>>>> >> >> >>>>> I am trying to bypass Forms Authentication on certain pages >> >> >>>>> programmatically. Any thoughts will be appreciated. >> >> >>>>> >> >> >>>>> Thanks, >> >> >>>>> AJ >> >> >> >> >> >> >> >> >> Yeah!
web.config looks like <authorization> <deny users="?" /> </authorization> <authentication mode="Forms"> <forms loginUrl="/TestProject/login.aspx" name="XYZ" /> </authentication> Login.aspx checks to see if there's a cookie. if not one has to login on that page. that information is looked up in the database and so on. I don't think that Global_AuthenticateRequest in global.asax is getting fired when I request a page in the browser. Do I have to do something to invoke this method? Thanks, AJ Show quoteHide quote "Joe Kaplan" wrote: > Are you still setting that in the authenticate event in global.asax? That > should work. I've never seen that not work. :) > > How is the <authorization> section configured in your web.config? > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > news:29AD7225-67F1-4649-B91E-635B75229783@microsoft.com... > > Hey Joe, > > > > I tried setting this: > > HttpContext.Current.SkipAuthorization = True > > > > without any condition, basically for every page. but I am still getting > > redirected to the login page. can I set this property somewhere else? > > Thanks, > > AJ > > > > "Joe Kaplan" wrote: > > > >> Which part isn't working? Is your If condition not matching or is the > >> SkipAuthorization actually not working. Dominick is definitely right, it > >> has to be set to true. > >> > >> Joe K. > >> > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... > >> > Hey Dominick, > >> > > >> > That is not working either. > >> > > >> > Thanks, > >> > AJ > >> > > >> > "Dominick Baier" wrote: > >> > > >> >> you have to set SkipAuthorization to true > >> >> > >> >> HttpContext.Current.SkipAuthorization = true; > >> >> > >> >> ----- > >> >> Dominick Baier (http://www.leastprivilege.com) > >> >> > >> >> Developing More Secure Microsoft ASP.NET 2.0 Applications > >> >> (http://www.microsoft.com/mspress/books/9989.asp) > >> >> > >> >> > Hey Joe, thanks for the last post. > >> >> > > >> >> > I am using the following code in Global.asax: > >> >> > Private Sub Global_AuthenticateRequest(ByVal sender As Object, > >> >> > ByVal e > >> >> > As System.EventArgs) Handles MyBase.AuthenticateRequest > >> >> > Dim instance As HttpContext > >> >> > If Request.Path = "/TestProject/FileUpload.aspx" Then > >> >> > instance.SkipAuthorization = False > >> >> > End If > >> >> > End Sub > >> >> > I know what you said seems very staright forward. But it hasn't > >> >> > worked > >> >> > in my case yet. I know I am missing something somewhere. I have > >> >> > tried > >> >> > this in Application_AuthenticateRequest as well. Let me know > >> >> > > >> >> > Appreciate your help, > >> >> > AJ > >> >> > "Joe Kaplan" wrote: > >> >> >> Not the query string, but the Request.Url or Request.Path property. > >> >> >> I don't really have a sample for you, but basically your code would > >> >> >> do this: > >> >> >> > >> >> >> In the appropriate event (probably the Authenticate event so this > >> >> >> runs after authentication but before authorization) check the Url > >> >> >> of > >> >> >> the Request to see if it matches one of the resources you want to > >> >> >> exclude. If so, set SkipAuthorization to false. Be very careful > >> >> >> with how you do the matching of the path against your list of > >> >> >> exclusions. There isn't really much to it. Just play around with > >> >> >> it. > >> >> >> :) > >> >> >> > >> >> >> There are also probably some fancier ways you can do this. You > >> >> >> might > >> >> >> apply some kind of marker to the actual page via a base class, > >> >> >> marker > >> >> >> interface or custom attribute on your pages and determine that from > >> >> >> the IHttpHandler that is set up in the HttpContext for the request. > >> >> >> I haven't tried that, but I don't see why it wouldn't work. Part > >> >> >> of > >> >> >> it depends on how you want to maintain the list of excluded > >> >> >> resources. If you want to do this from the code in the page, I'd > >> >> >> take this approach. If you want to maintain a list of their URLs, > >> >> >> then the previous approach is better. However, that kind of thing > >> >> >> might be easier to deal with through the standard location tags in > >> >> >> web.config. > >> >> >> > >> >> >> I'm curious if Dominick (or anyone else) sees this thread and has a > >> >> >> strong opinion about this. > >> >> >> > >> >> >> Joe K. > >> >> >> > >> >> >> -- > >> >> >> Joe Kaplan-MS MVP Directory Services Programming > >> >> >> Co-author of "The .NET Developer's Guide to Directory Services > >> >> >> Programming" > >> >> >> http://www.directoryprogramming.net > >> >> >> -- > >> >> >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >> >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > >> >> >>> Thanks Joe. > >> >> >>> > >> >> >>> Do you have an example of this property being used in Global.asax? > >> >> >>> I > >> >> >>> am > >> >> >>> not > >> >> >>> sure about how to check to see if -- this is the right page to be > >> >> >>> left > >> >> >>> out > >> >> >>> for authentication. > >> >> >>> Should I use a QueryString for this check? > >> >> >>> > >> >> >>> Thanks again > >> >> >>> AJ > >> >> >>> "Joe Kaplan" wrote: > >> >> >>> > >> >> >>>> Use the HttpContext.SkipAuthorization property to turn > >> >> >>>> authorization on > >> >> >>>> or > >> >> >>>> off programmatically on a page by page basis. You probably want > >> >> >>>> to > >> >> >>>> put > >> >> >>>> this > >> >> >>>> code in global.asax or an IHttpModule. > >> >> >>>> Joe K. > >> >> >>>> > >> >> >>>> -- > >> >> >>>> Joe Kaplan-MS MVP Directory Services Programming > >> >> >>>> Co-author of "The .NET Developer's Guide to Directory Services > >> >> >>>> Programming" > >> >> >>>> http://www.directoryprogramming.net > >> >> >>>> -- > >> >> >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >> >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > >> >> >>>>> Hi > >> >> >>>>> > >> >> >>>>> I am trying to bypass Forms Authentication on certain pages > >> >> >>>>> programmatically. Any thoughts will be appreciated. > >> >> >>>>> > >> >> >>>>> Thanks, > >> >> >>>>> AJ > >> >> > >> >> > >> >> > >> > >> > >> > > > The authenticate request event fires for every request
have you tried setting a break point?? ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) Show quoteHide quote > Yeah! > web.config looks like > <authorization> > <deny users="?" /> > </authorization> > <authentication mode="Forms"> > <forms loginUrl="/TestProject/login.aspx" name="XYZ" /> > </authentication> > Login.aspx checks to see if there's a cookie. if not one has to login > on > that page. > that information is looked up in the database and so on. > I don't think that Global_AuthenticateRequest in global.asax is > getting > fired when I request a page in the browser. > Do I have to do something to invoke this method? > Thanks, > AJ > "Joe Kaplan" wrote: > >> Are you still setting that in the authenticate event in global.asax? >> That should work. I've never seen that not work. :) >> >> How is the <authorization> section configured in your web.config? >> >> Joe K. >> >> -- >> Joe Kaplan-MS MVP Directory Services Programming >> Co-author of "The .NET Developer's Guide to Directory Services >> Programming" >> http://www.directoryprogramming.net >> -- >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >> news:29AD7225-67F1-4649-B91E-635B75229783@microsoft.com... >>> Hey Joe, >>> >>> I tried setting this: >>> HttpContext.Current.SkipAuthorization = True >>> without any condition, basically for every page. but I am still >>> getting >>> redirected to the login page. can I set this property somewhere >>> else? >>> Thanks, >>> AJ >>> "Joe Kaplan" wrote: >>> >>>> Which part isn't working? Is your If condition not matching or is >>>> the SkipAuthorization actually not working. Dominick is definitely >>>> right, it has to be set to true. >>>> >>>> Joe K. >>>> >>>> -- >>>> Joe Kaplan-MS MVP Directory Services Programming >>>> Co-author of "The .NET Developer's Guide to Directory Services >>>> Programming" >>>> http://www.directoryprogramming.net >>>> -- >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >>>> news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... >>>>> Hey Dominick, >>>>> >>>>> That is not working either. >>>>> >>>>> Thanks, >>>>> AJ >>>>> "Dominick Baier" wrote: >>>>> >>>>>> you have to set SkipAuthorization to true >>>>>> >>>>>> HttpContext.Current.SkipAuthorization = true; >>>>>> >>>>>> ----- >>>>>> Dominick Baier (http://www.leastprivilege.com) >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications >>>>>> (http://www.microsoft.com/mspress/books/9989.asp) >>>>>> >>>>>>> Hey Joe, thanks for the last post. >>>>>>> >>>>>>> I am using the following code in Global.asax: >>>>>>> Private Sub Global_AuthenticateRequest(ByVal sender As Object, >>>>>>> ByVal e >>>>>>> As System.EventArgs) Handles MyBase.AuthenticateRequest >>>>>>> Dim instance As HttpContext >>>>>>> If Request.Path = "/TestProject/FileUpload.aspx" Then >>>>>>> instance.SkipAuthorization = False >>>>>>> End If >>>>>>> End Sub >>>>>>> I know what you said seems very staright forward. But it hasn't >>>>>>> worked >>>>>>> in my case yet. I know I am missing something somewhere. I have >>>>>>> tried >>>>>>> this in Application_AuthenticateRequest as well. Let me know >>>>>>> Appreciate your help, >>>>>>> AJ >>>>>>> "Joe Kaplan" wrote: >>>>>>>> Not the query string, but the Request.Url or Request.Path >>>>>>>> property. I don't really have a sample for you, but basically >>>>>>>> your code would do this: >>>>>>>> >>>>>>>> In the appropriate event (probably the Authenticate event so >>>>>>>> this >>>>>>>> runs after authentication but before authorization) check the >>>>>>>> Url >>>>>>>> of >>>>>>>> the Request to see if it matches one of the resources you want >>>>>>>> to >>>>>>>> exclude. If so, set SkipAuthorization to false. Be very >>>>>>>> careful >>>>>>>> with how you do the matching of the path against your list of >>>>>>>> exclusions. There isn't really much to it. Just play around >>>>>>>> with >>>>>>>> it. >>>>>>>> :) >>>>>>>> There are also probably some fancier ways you can do this. You >>>>>>>> might >>>>>>>> apply some kind of marker to the actual page via a base class, >>>>>>>> marker >>>>>>>> interface or custom attribute on your pages and determine that >>>>>>>> from >>>>>>>> the IHttpHandler that is set up in the HttpContext for the >>>>>>>> request. >>>>>>>> I haven't tried that, but I don't see why it wouldn't work. >>>>>>>> Part >>>>>>>> of >>>>>>>> it depends on how you want to maintain the list of excluded >>>>>>>> resources. If you want to do this from the code in the page, >>>>>>>> I'd >>>>>>>> take this approach. If you want to maintain a list of their >>>>>>>> URLs, >>>>>>>> then the previous approach is better. However, that kind of >>>>>>>> thing >>>>>>>> might be easier to deal with through the standard location tags >>>>>>>> in >>>>>>>> web.config. >>>>>>>> I'm curious if Dominick (or anyone else) sees this thread and >>>>>>>> has a strong opinion about this. >>>>>>>> >>>>>>>> Joe K. >>>>>>>> >>>>>>>> -- >>>>>>>> Joe Kaplan-MS MVP Directory Services Programming >>>>>>>> Co-author of "The .NET Developer's Guide to Directory Services >>>>>>>> Programming" >>>>>>>> http://www.directoryprogramming.net >>>>>>>> -- >>>>>>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message >>>>>>>> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... >>>>>>>>> Thanks Joe. >>>>>>>>> >>>>>>>>> Do you have an example of this property being used in >>>>>>>>> Global.asax? >>>>>>>>> I >>>>>>>>> am >>>>>>>>> not >>>>>>>>> sure about how to check to see if -- this is the right page >>>>>>>>> to be >>>>>>>>> left >>>>>>>>> out >>>>>>>>> for authentication. >>>>>>>>> Should I use a QueryString for this check? >>>>>>>>> Thanks again >>>>>>>>> AJ >>>>>>>>> "Joe Kaplan" wrote: >>>>>>>>>> Use the HttpContext.SkipAuthorization property to turn >>>>>>>>>> authorization on >>>>>>>>>> or >>>>>>>>>> off programmatically on a page by page basis. You probably >>>>>>>>>> want >>>>>>>>>> to >>>>>>>>>> put >>>>>>>>>> this >>>>>>>>>> code in global.asax or an IHttpModule. >>>>>>>>>> Joe K. >>>>>>>>>> -- >>>>>>>>>> Joe Kaplan-MS MVP Directory Services Programming >>>>>>>>>> Co-author of "The .NET Developer's Guide to Directory >>>>>>>>>> Services >>>>>>>>>> Programming" >>>>>>>>>> http://www.directoryprogramming.net >>>>>>>>>> -- >>>>>>>>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in >>>>>>>>>> message >>>>>>>>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... >>>>>>>>>>> Hi >>>>>>>>>>> >>>>>>>>>>> I am trying to bypass Forms Authentication on certain pages >>>>>>>>>>> programmatically. Any thoughts will be appreciated. >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> AJ Hey Dominick,
i just stepped through the code and the problem was with the matching in the If statement. it was a case issue. my bad. It seems to be working fine now. I'll test it at work tomorrow. I appreciate your help. thanks, AJ Show quoteHide quote "Dominick Baier" wrote: > The authenticate request event fires for every request > > have you tried setting a break point?? > > > ----- > Dominick Baier (http://www.leastprivilege.com) > > Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) > > > Yeah! > > web.config looks like > > <authorization> > > <deny users="?" /> > > </authorization> > > <authentication mode="Forms"> > > <forms loginUrl="/TestProject/login.aspx" name="XYZ" /> > > </authentication> > > Login.aspx checks to see if there's a cookie. if not one has to login > > on > > that page. > > that information is looked up in the database and so on. > > I don't think that Global_AuthenticateRequest in global.asax is > > getting > > fired when I request a page in the browser. > > Do I have to do something to invoke this method? > > Thanks, > > AJ > > "Joe Kaplan" wrote: > > > >> Are you still setting that in the authenticate event in global.asax? > >> That should work. I've never seen that not work. :) > >> > >> How is the <authorization> section configured in your web.config? > >> > >> Joe K. > >> > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> news:29AD7225-67F1-4649-B91E-635B75229783@microsoft.com... > >>> Hey Joe, > >>> > >>> I tried setting this: > >>> HttpContext.Current.SkipAuthorization = True > >>> without any condition, basically for every page. but I am still > >>> getting > >>> redirected to the login page. can I set this property somewhere > >>> else? > >>> Thanks, > >>> AJ > >>> "Joe Kaplan" wrote: > >>> > >>>> Which part isn't working? Is your If condition not matching or is > >>>> the SkipAuthorization actually not working. Dominick is definitely > >>>> right, it has to be set to true. > >>>> > >>>> Joe K. > >>>> > >>>> -- > >>>> Joe Kaplan-MS MVP Directory Services Programming > >>>> Co-author of "The .NET Developer's Guide to Directory Services > >>>> Programming" > >>>> http://www.directoryprogramming.net > >>>> -- > >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >>>> news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... > >>>>> Hey Dominick, > >>>>> > >>>>> That is not working either. > >>>>> > >>>>> Thanks, > >>>>> AJ > >>>>> "Dominick Baier" wrote: > >>>>> > >>>>>> you have to set SkipAuthorization to true > >>>>>> > >>>>>> HttpContext.Current.SkipAuthorization = true; > >>>>>> > >>>>>> ----- > >>>>>> Dominick Baier (http://www.leastprivilege.com) > >>>>>> Developing More Secure Microsoft ASP.NET 2.0 Applications > >>>>>> (http://www.microsoft.com/mspress/books/9989.asp) > >>>>>> > >>>>>>> Hey Joe, thanks for the last post. > >>>>>>> > >>>>>>> I am using the following code in Global.asax: > >>>>>>> Private Sub Global_AuthenticateRequest(ByVal sender As Object, > >>>>>>> ByVal e > >>>>>>> As System.EventArgs) Handles MyBase.AuthenticateRequest > >>>>>>> Dim instance As HttpContext > >>>>>>> If Request.Path = "/TestProject/FileUpload.aspx" Then > >>>>>>> instance.SkipAuthorization = False > >>>>>>> End If > >>>>>>> End Sub > >>>>>>> I know what you said seems very staright forward. But it hasn't > >>>>>>> worked > >>>>>>> in my case yet. I know I am missing something somewhere. I have > >>>>>>> tried > >>>>>>> this in Application_AuthenticateRequest as well. Let me know > >>>>>>> Appreciate your help, > >>>>>>> AJ > >>>>>>> "Joe Kaplan" wrote: > >>>>>>>> Not the query string, but the Request.Url or Request.Path > >>>>>>>> property. I don't really have a sample for you, but basically > >>>>>>>> your code would do this: > >>>>>>>> > >>>>>>>> In the appropriate event (probably the Authenticate event so > >>>>>>>> this > >>>>>>>> runs after authentication but before authorization) check the > >>>>>>>> Url > >>>>>>>> of > >>>>>>>> the Request to see if it matches one of the resources you want > >>>>>>>> to > >>>>>>>> exclude. If so, set SkipAuthorization to false. Be very > >>>>>>>> careful > >>>>>>>> with how you do the matching of the path against your list of > >>>>>>>> exclusions. There isn't really much to it. Just play around > >>>>>>>> with > >>>>>>>> it. > >>>>>>>> :) > >>>>>>>> There are also probably some fancier ways you can do this. You > >>>>>>>> might > >>>>>>>> apply some kind of marker to the actual page via a base class, > >>>>>>>> marker > >>>>>>>> interface or custom attribute on your pages and determine that > >>>>>>>> from > >>>>>>>> the IHttpHandler that is set up in the HttpContext for the > >>>>>>>> request. > >>>>>>>> I haven't tried that, but I don't see why it wouldn't work. > >>>>>>>> Part > >>>>>>>> of > >>>>>>>> it depends on how you want to maintain the list of excluded > >>>>>>>> resources. If you want to do this from the code in the page, > >>>>>>>> I'd > >>>>>>>> take this approach. If you want to maintain a list of their > >>>>>>>> URLs, > >>>>>>>> then the previous approach is better. However, that kind of > >>>>>>>> thing > >>>>>>>> might be easier to deal with through the standard location tags > >>>>>>>> in > >>>>>>>> web.config. > >>>>>>>> I'm curious if Dominick (or anyone else) sees this thread and > >>>>>>>> has a strong opinion about this. > >>>>>>>> > >>>>>>>> Joe K. > >>>>>>>> > >>>>>>>> -- > >>>>>>>> Joe Kaplan-MS MVP Directory Services Programming > >>>>>>>> Co-author of "The .NET Developer's Guide to Directory Services > >>>>>>>> Programming" > >>>>>>>> http://www.directoryprogramming.net > >>>>>>>> -- > >>>>>>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >>>>>>>> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > >>>>>>>>> Thanks Joe. > >>>>>>>>> > >>>>>>>>> Do you have an example of this property being used in > >>>>>>>>> Global.asax? > >>>>>>>>> I > >>>>>>>>> am > >>>>>>>>> not > >>>>>>>>> sure about how to check to see if -- this is the right page > >>>>>>>>> to be > >>>>>>>>> left > >>>>>>>>> out > >>>>>>>>> for authentication. > >>>>>>>>> Should I use a QueryString for this check? > >>>>>>>>> Thanks again > >>>>>>>>> AJ > >>>>>>>>> "Joe Kaplan" wrote: > >>>>>>>>>> Use the HttpContext.SkipAuthorization property to turn > >>>>>>>>>> authorization on > >>>>>>>>>> or > >>>>>>>>>> off programmatically on a page by page basis. You probably > >>>>>>>>>> want > >>>>>>>>>> to > >>>>>>>>>> put > >>>>>>>>>> this > >>>>>>>>>> code in global.asax or an IHttpModule. > >>>>>>>>>> Joe K. > >>>>>>>>>> -- > >>>>>>>>>> Joe Kaplan-MS MVP Directory Services Programming > >>>>>>>>>> Co-author of "The .NET Developer's Guide to Directory > >>>>>>>>>> Services > >>>>>>>>>> Programming" > >>>>>>>>>> http://www.directoryprogramming.net > >>>>>>>>>> -- > >>>>>>>>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in > >>>>>>>>>> message > >>>>>>>>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > >>>>>>>>>>> Hi > >>>>>>>>>>> > >>>>>>>>>>> I am trying to bypass Forms Authentication on certain pages > >>>>>>>>>>> programmatically. Any thoughts will be appreciated. > >>>>>>>>>>> > >>>>>>>>>>> Thanks, > >>>>>>>>>>> AJ > > > Hey Joe,
Just wanted to thank you for your help. Appreciate it. Thanks, Arjun Show quoteHide quote "Joe Kaplan" wrote: > Are you still setting that in the authenticate event in global.asax? That > should work. I've never seen that not work. :) > > How is the <authorization> section configured in your web.config? > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > news:29AD7225-67F1-4649-B91E-635B75229783@microsoft.com... > > Hey Joe, > > > > I tried setting this: > > HttpContext.Current.SkipAuthorization = True > > > > without any condition, basically for every page. but I am still getting > > redirected to the login page. can I set this property somewhere else? > > Thanks, > > AJ > > > > "Joe Kaplan" wrote: > > > >> Which part isn't working? Is your If condition not matching or is the > >> SkipAuthorization actually not working. Dominick is definitely right, it > >> has to be set to true. > >> > >> Joe K. > >> > >> -- > >> Joe Kaplan-MS MVP Directory Services Programming > >> Co-author of "The .NET Developer's Guide to Directory Services > >> Programming" > >> http://www.directoryprogramming.net > >> -- > >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29@microsoft.com... > >> > Hey Dominick, > >> > > >> > That is not working either. > >> > > >> > Thanks, > >> > AJ > >> > > >> > "Dominick Baier" wrote: > >> > > >> >> you have to set SkipAuthorization to true > >> >> > >> >> HttpContext.Current.SkipAuthorization = true; > >> >> > >> >> ----- > >> >> Dominick Baier (http://www.leastprivilege.com) > >> >> > >> >> Developing More Secure Microsoft ASP.NET 2.0 Applications > >> >> (http://www.microsoft.com/mspress/books/9989.asp) > >> >> > >> >> > Hey Joe, thanks for the last post. > >> >> > > >> >> > I am using the following code in Global.asax: > >> >> > Private Sub Global_AuthenticateRequest(ByVal sender As Object, > >> >> > ByVal e > >> >> > As System.EventArgs) Handles MyBase.AuthenticateRequest > >> >> > Dim instance As HttpContext > >> >> > If Request.Path = "/TestProject/FileUpload.aspx" Then > >> >> > instance.SkipAuthorization = False > >> >> > End If > >> >> > End Sub > >> >> > I know what you said seems very staright forward. But it hasn't > >> >> > worked > >> >> > in my case yet. I know I am missing something somewhere. I have > >> >> > tried > >> >> > this in Application_AuthenticateRequest as well. Let me know > >> >> > > >> >> > Appreciate your help, > >> >> > AJ > >> >> > "Joe Kaplan" wrote: > >> >> >> Not the query string, but the Request.Url or Request.Path property. > >> >> >> I don't really have a sample for you, but basically your code would > >> >> >> do this: > >> >> >> > >> >> >> In the appropriate event (probably the Authenticate event so this > >> >> >> runs after authentication but before authorization) check the Url > >> >> >> of > >> >> >> the Request to see if it matches one of the resources you want to > >> >> >> exclude. If so, set SkipAuthorization to false. Be very careful > >> >> >> with how you do the matching of the path against your list of > >> >> >> exclusions. There isn't really much to it. Just play around with > >> >> >> it. > >> >> >> :) > >> >> >> > >> >> >> There are also probably some fancier ways you can do this. You > >> >> >> might > >> >> >> apply some kind of marker to the actual page via a base class, > >> >> >> marker > >> >> >> interface or custom attribute on your pages and determine that from > >> >> >> the IHttpHandler that is set up in the HttpContext for the request. > >> >> >> I haven't tried that, but I don't see why it wouldn't work. Part > >> >> >> of > >> >> >> it depends on how you want to maintain the list of excluded > >> >> >> resources. If you want to do this from the code in the page, I'd > >> >> >> take this approach. If you want to maintain a list of their URLs, > >> >> >> then the previous approach is better. However, that kind of thing > >> >> >> might be easier to deal with through the standard location tags in > >> >> >> web.config. > >> >> >> > >> >> >> I'm curious if Dominick (or anyone else) sees this thread and has a > >> >> >> strong opinion about this. > >> >> >> > >> >> >> Joe K. > >> >> >> > >> >> >> -- > >> >> >> Joe Kaplan-MS MVP Directory Services Programming > >> >> >> Co-author of "The .NET Developer's Guide to Directory Services > >> >> >> Programming" > >> >> >> http://www.directoryprogramming.net > >> >> >> -- > >> >> >> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >> >> news:7E76E7BF-60DC-441D-9A43-841CBBE0087E@microsoft.com... > >> >> >>> Thanks Joe. > >> >> >>> > >> >> >>> Do you have an example of this property being used in Global.asax? > >> >> >>> I > >> >> >>> am > >> >> >>> not > >> >> >>> sure about how to check to see if -- this is the right page to be > >> >> >>> left > >> >> >>> out > >> >> >>> for authentication. > >> >> >>> Should I use a QueryString for this check? > >> >> >>> > >> >> >>> Thanks again > >> >> >>> AJ > >> >> >>> "Joe Kaplan" wrote: > >> >> >>> > >> >> >>>> Use the HttpContext.SkipAuthorization property to turn > >> >> >>>> authorization on > >> >> >>>> or > >> >> >>>> off programmatically on a page by page basis. You probably want > >> >> >>>> to > >> >> >>>> put > >> >> >>>> this > >> >> >>>> code in global.asax or an IHttpModule. > >> >> >>>> Joe K. > >> >> >>>> > >> >> >>>> -- > >> >> >>>> Joe Kaplan-MS MVP Directory Services Programming > >> >> >>>> Co-author of "The .NET Developer's Guide to Directory Services > >> >> >>>> Programming" > >> >> >>>> http://www.directoryprogramming.net > >> >> >>>> -- > >> >> >>>> "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > >> >> >>>> news:A9894367-B2BC-496D-9FD7-057381022AC6@microsoft.com... > >> >> >>>>> Hi > >> >> >>>>> > >> >> >>>>> I am trying to bypass Forms Authentication on certain pages > >> >> >>>>> programmatically. Any thoughts will be appreciated. > >> >> >>>>> > >> >> >>>>> Thanks, > >> >> >>>>> AJ > >> >> > >> >> > >> >> > >> > >> > >> > > > Sure thing. Did you get it working as expected now? Sounds like it...
Joe K. -- Show quoteHide quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajme***@discussions.microsoft.com> wrote in message news:38B2AAE5-B210-45E3-811C-510498514E39@microsoft.com... > Hey Joe, > > Just wanted to thank you for your help. Appreciate it. > > Thanks, > Arjun > > "Joe Kaplan" wrote: > Yes. It worked just fine.
Thanks, Arjun Show quoteHide quote "Joe Kaplan" wrote: > Sure thing. Did you get it working as expected now? Sounds like it... > > Joe K. > > -- > Joe Kaplan-MS MVP Directory Services Programming > Co-author of "The .NET Developer's Guide to Directory Services Programming" > http://www.directoryprogramming.net > -- > "ajmehra" <ajme***@discussions.microsoft.com> wrote in message > news:38B2AAE5-B210-45E3-811C-510498514E39@microsoft.com... > > Hey Joe, > > > > Just wanted to thank you for your help. Appreciate it. > > > > Thanks, > > Arjun > > > > "Joe Kaplan" wrote: > > > > > 
Other interesting topics
Client Certificate Selection
Books on .net security Client certificates do not show up installing the last Root Update Defender has to be turned on every time computer is turned on Could not establish secure channel for SSL/TLS. Retrieving the private key associated with a certificate Impersonation in .NET 2.0 Do any microsoft buildtime dependancies C#/C/c++/VB/etc. need to be updated for the 2007 policy on d Display of encrypted data windows defender |
|||||||||||||||||||||||
