 | |
How to bypass Forms Authentication on selected pages programmatica
Dotnet Security microsoft.public.dotnet.security
 |
| | Thread Tools | Search this Thread | Display Modes |
#1
 
| |||
| |||
|
How to bypass Forms Authentication on selected pages programmatica -
02-13-2007
, 01:52 PM
#2
| |||
| |||
|
|
Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#3
| |||
| |||
|
|
Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#4
| |||
| |||
|
|
Hey Joe, thanks for the last post. I am using the following code in Global.asax: Private Sub Global_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AuthenticateRequest Dim instance As HttpContext If Request.Path = "/TestProject/FileUpload.aspx" Then instance.SkipAuthorization = False End If End Sub I know what you said seems very staright forward. But it hasn't worked in my case yet. I know I am missing something somewhere. I have tried this in Application_AuthenticateRequest as well. Let me know Appreciate your help, AJ "Joe Kaplan" wrote: Not the query string, but the Request.Url or Request.Path property. I don't really have a sample for you, but basically your code would do this: In the appropriate event (probably the Authenticate event so this runs after authentication but before authorization) check the Url of the Request to see if it matches one of the resources you want to exclude. If so, set SkipAuthorization to false. Be very careful with how you do the matching of the path against your list of exclusions. There isn't really much to it. Just play around with it.  There are also probably some fancier ways you can do this. You might apply some kind of marker to the actual page via a base class, marker interface or custom attribute on your pages and determine that from the IHttpHandler that is set up in the HttpContext for the request. I haven't tried that, but I don't see why it wouldn't work. Part of it depends on how you want to maintain the list of excluded resources. If you want to do this from the code in the page, I'd take this approach. If you want to maintain a list of their URLs, then the previous approach is better. However, that kind of thing might be easier to deal with through the standard location tags in web.config. I'm curious if Dominick (or anyone else) sees this thread and has a strong opinion about this. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:7E76E7BF-60DC-441D-9A43-841CBBE0087E (AT) microsoft (DOT) com... Thanks Joe. Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ "Joe Kaplan" wrote: Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#5
| |||
| |||
|
|
Thanks Joe. Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ "Joe Kaplan" wrote: Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#6
| |||
| |||
|
|
Not the query string, but the Request.Url or Request.Path property. I don't really have a sample for you, but basically your code would do this: In the appropriate event (probably the Authenticate event so this runs after authentication but before authorization) check the Url of the Request to see if it matches one of the resources you want to exclude. If so, set SkipAuthorization to false. Be very careful with how you do the matching of the path against your list of exclusions. There isn't really much to it. Just play around with it. There are also probably some fancier ways you can do this. You might apply some kind of marker to the actual page via a base class, marker interface or custom attribute on your pages and determine that from the IHttpHandler that is set up in the HttpContext for the request. I haven't tried that, but I don't see why it wouldn't work. Part of it depends on how you want to maintain the list of excluded resources. If you want to do this from the code in the page, I'd take this approach. If you want to maintain a list of their URLs, then the previous approach is better. However, that kind of thing might be easier to deal with through the standard location tags in web.config. I'm curious if Dominick (or anyone else) sees this thread and has a strong opinion about this. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:7E76E7BF-60DC-441D-9A43-841CBBE0087E (AT) microsoft (DOT) com... Thanks Joe. Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ "Joe Kaplan" wrote: Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#7
| |||
| |||
|
|
you have to set SkipAuthorization to true HttpContext.Current.SkipAuthorization = true; ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) Hey Joe, thanks for the last post. I am using the following code in Global.asax: Private Sub Global_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AuthenticateRequest Dim instance As HttpContext If Request.Path = "/TestProject/FileUpload.aspx" Then instance.SkipAuthorization = False End If End Sub I know what you said seems very staright forward. But it hasn't worked in my case yet. I know I am missing something somewhere. I have tried this in Application_AuthenticateRequest as well. Let me know Appreciate your help, AJ "Joe Kaplan" wrote: Not the query string, but the Request.Url or Request.Path property. I don't really have a sample for you, but basically your code would do this: In the appropriate event (probably the Authenticate event so this runs after authentication but before authorization) check the Url of the Request to see if it matches one of the resources you want to exclude. If so, set SkipAuthorization to false. Be very careful with how you do the matching of the path against your list of exclusions. There isn't really much to it. Just play around with it. There are also probably some fancier ways you can do this. You might apply some kind of marker to the actual page via a base class, marker interface or custom attribute on your pages and determine that from the IHttpHandler that is set up in the HttpContext for the request. I haven't tried that, but I don't see why it wouldn't work. Part of it depends on how you want to maintain the list of excluded resources. If you want to do this from the code in the page, I'd take this approach. If you want to maintain a list of their URLs, then the previous approach is better. However, that kind of thing might be easier to deal with through the standard location tags in web.config. I'm curious if Dominick (or anyone else) sees this thread and has a strong opinion about this. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:7E76E7BF-60DC-441D-9A43-841CBBE0087E (AT) microsoft (DOT) com... Thanks Joe. Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ "Joe Kaplan" wrote: Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#8
| |||
| |||
|
|
Hey Dominick, That is not working either. Thanks, AJ "Dominick Baier" wrote: you have to set SkipAuthorization to true HttpContext.Current.SkipAuthorization = true; ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) Hey Joe, thanks for the last post. I am using the following code in Global.asax: Private Sub Global_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AuthenticateRequest Dim instance As HttpContext If Request.Path = "/TestProject/FileUpload.aspx" Then instance.SkipAuthorization = False End If End Sub I know what you said seems very staright forward. But it hasn't worked in my case yet. I know I am missing something somewhere. I have tried this in Application_AuthenticateRequest as well. Let me know Appreciate your help, AJ "Joe Kaplan" wrote: Not the query string, but the Request.Url or Request.Path property. I don't really have a sample for you, but basically your code would do this: In the appropriate event (probably the Authenticate event so this runs after authentication but before authorization) check the Url of the Request to see if it matches one of the resources you want to exclude. If so, set SkipAuthorization to false. Be very careful with how you do the matching of the path against your list of exclusions. There isn't really much to it. Just play around with it. There are also probably some fancier ways you can do this. You might apply some kind of marker to the actual page via a base class, marker interface or custom attribute on your pages and determine that from the IHttpHandler that is set up in the HttpContext for the request. I haven't tried that, but I don't see why it wouldn't work. Part of it depends on how you want to maintain the list of excluded resources. If you want to do this from the code in the page, I'd take this approach. If you want to maintain a list of their URLs, then the previous approach is better. However, that kind of thing might be easier to deal with through the standard location tags in web.config. I'm curious if Dominick (or anyone else) sees this thread and has a strong opinion about this. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:7E76E7BF-60DC-441D-9A43-841CBBE0087E (AT) microsoft (DOT) com... Thanks Joe. Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ "Joe Kaplan" wrote: Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#9
| |||
| |||
|
|
Which part isn't working? Is your If condition not matching or is the SkipAuthorization actually not working. Dominick is definitely right, it has to be set to true. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29 (AT) microsoft (DOT) com... Hey Dominick, That is not working either. Thanks, AJ "Dominick Baier" wrote: you have to set SkipAuthorization to true HttpContext.Current.SkipAuthorization = true; ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) Hey Joe, thanks for the last post. I am using the following code in Global.asax: Private Sub Global_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AuthenticateRequest Dim instance As HttpContext If Request.Path = "/TestProject/FileUpload.aspx" Then instance.SkipAuthorization = False End If End Sub I know what you said seems very staright forward. But it hasn't worked in my case yet. I know I am missing something somewhere. I have tried this in Application_AuthenticateRequest as well. Let me know Appreciate your help, AJ "Joe Kaplan" wrote: Not the query string, but the Request.Url or Request.Path property. I don't really have a sample for you, but basically your code would do this: In the appropriate event (probably the Authenticate event so this runs after authentication but before authorization) check the Url of the Request to see if it matches one of the resources you want to exclude. If so, set SkipAuthorization to false. Be very careful with how you do the matching of the path against your list of exclusions. There isn't really much to it. Just play around with it. There are also probably some fancier ways you can do this. You might apply some kind of marker to the actual page via a base class, marker interface or custom attribute on your pages and determine that from the IHttpHandler that is set up in the HttpContext for the request. I haven't tried that, but I don't see why it wouldn't work. Part of it depends on how you want to maintain the list of excluded resources. If you want to do this from the code in the page, I'd take this approach. If you want to maintain a list of their URLs, then the previous approach is better. However, that kind of thing might be easier to deal with through the standard location tags in web.config. I'm curious if Dominick (or anyone else) sees this thread and has a strong opinion about this. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:7E76E7BF-60DC-441D-9A43-841CBBE0087E (AT) microsoft (DOT) com... Thanks Joe. Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ "Joe Kaplan" wrote: Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
#10
| |||
| |||
|
|
Which part isn't working? Is your If condition not matching or is the SkipAuthorization actually not working. Dominick is definitely right, it has to be set to true. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:B2C9EC52-4B8D-4270-B0ED-87D29B548F29 (AT) microsoft (DOT) com... Hey Dominick, That is not working either. Thanks, AJ "Dominick Baier" wrote: you have to set SkipAuthorization to true HttpContext.Current.SkipAuthorization = true; ----- Dominick Baier (http://www.leastprivilege.com) Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp) Hey Joe, thanks for the last post. I am using the following code in Global.asax: Private Sub Global_AuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.AuthenticateRequest Dim instance As HttpContext If Request.Path = "/TestProject/FileUpload.aspx" Then instance.SkipAuthorization = False End If End Sub I know what you said seems very staright forward. But it hasn't worked in my case yet. I know I am missing something somewhere. I have tried this in Application_AuthenticateRequest as well. Let me know Appreciate your help, AJ "Joe Kaplan" wrote: Not the query string, but the Request.Url or Request.Path property. I don't really have a sample for you, but basically your code would do this: In the appropriate event (probably the Authenticate event so this runs after authentication but before authorization) check the Url of the Request to see if it matches one of the resources you want to exclude. If so, set SkipAuthorization to false. Be very careful with how you do the matching of the path against your list of exclusions. There isn't really much to it. Just play around with it. There are also probably some fancier ways you can do this. You might apply some kind of marker to the actual page via a base class, marker interface or custom attribute on your pages and determine that from the IHttpHandler that is set up in the HttpContext for the request. I haven't tried that, but I don't see why it wouldn't work. Part of it depends on how you want to maintain the list of excluded resources. If you want to do this from the code in the page, I'd take this approach. If you want to maintain a list of their URLs, then the previous approach is better. However, that kind of thing might be easier to deal with through the standard location tags in web.config. I'm curious if Dominick (or anyone else) sees this thread and has a strong opinion about this. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:7E76E7BF-60DC-441D-9A43-841CBBE0087E (AT) microsoft (DOT) com... Thanks Joe. Do you have an example of this property being used in Global.asax? I am not sure about how to check to see if -- this is the right page to be left out for authentication. Should I use a QueryString for this check? Thanks again AJ "Joe Kaplan" wrote: Use the HttpContext.SkipAuthorization property to turn authorization on or off programmatically on a page by page basis. You probably want to put this code in global.asax or an IHttpModule. Joe K. -- Joe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "ajmehra" <ajmehra (AT) discussions (DOT) microsoft.com> wrote in message news:A9894367-B2BC-496D-9FD7-057381022AC6 (AT) microsoft (DOT) com... Hi I am trying to bypass Forms Authentication on certain pages programmatically. Any thoughts will be appreciated. Thanks, AJ |
|
« Previous Thread
|
Next Thread »
| Thread Tools | Search this Thread |
| Display Modes | |
Linear Mode
| |
Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.