Thomas Mandelid #1
Custom authentication using a HttpModule. Knowing when to authenticate ...
I have been trying to implement my own custom authentication (like forms,
windows, or passport), but I have run into a little problem I was hoping
someone might help me with.
My problem is this: I have a folder that allows access to all visitors,
and a subfolder that denies access to anonymous users. In web.config I
have the following:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="None" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
Since authentication is set to None the AuthenticateRequest event in
HttpApplication is always fired. What I need is a way of detecting that
the current script/page is in a protected location. In the whitepaper
"Building Secure ASP.NET Applications" it says the following:
"Create a class that implements the System.Web.IHttpModule interface to
create
a custom HTTP module. This module should hook into the
HttpApplication.AuthenticateRequest event and provide a delegate to be
called
on each request to the application when authentication is required."
I can't seem to be able to detect when authentication is required and when
it is not...
I'm not sure I'm able to make my point clear here since English is not my
native language. If I wanted to restrict access to the entire site I'm
able to get it working. Then I would just hook up to the
AuthenticateRequest event and perform my custom authentication. This is
simpler because I would always perform the same steps in my custom
authenticate method. I don't need general help implementing the
IHttpModule interface in .NET ... I got that part covered ...
A possible solution would be to parse the web.config file and calculate
for myself if the user has access to a resource, but by implementing my
own logic for parsing the authorization blocks I'm open to introducing
severe security flaws in my application.
My HttpModule:
using System;
using System.IO;
using System.Collections;
using System.Net;
using System.Web;
using System.Web.Configuration;
using System.Security.Principal;

namespace MyNamespace {
    public class MyModule : System.Web.IHttpModule {
        public void Init(System.Web.HttpApplication context) {
            // With <authentication mode="None" /> this event fires for every
            // request, restricted or not.
            context.AuthenticateRequest += new EventHandler(OnAuthenticate);
        }

        public void Dispose() {
            // TODO: Add MyModule.Dispose implementation
        }

        private void OnAuthenticate(object sender, EventArgs e) {
            // SOME PSEUDO CODE HERE TO SHOW WHAT I WANT
            // 1. DECIDE IF A USER IS AUTHENTICATED, IF HE IS I WANT TO CREATE MY
            //    OWN PRINCIPAL, EVEN IF THIS IS A NON-RESTRICTED PAGE
            // 2. IF THE USER HAS NOT ALREADY BEEN AUTHENTICATED, AND THIS IS A
            //    NON-RESTRICTED PAGE I DO NOTHING
            // 3. IF THIS IS A RESTRICTED PAGE AND THE USER HAS NOT BEEN
            //    AUTHENTICATED I REDIRECT THE USER TO MY CUSTOM AUTHENTICATION
            //    MECHANISM ALONG WITH A REDIRECTURL
            // 4. IF THE USER HAS BEEN AUTHENTICATED AND THIS IS A RESTRICTED PAGE
            //    I CREATE MY OWN PRINCIPAL
        }
    } // end class
} // end namespace
.... so ... how does my script know if this is a restricted page or not
without parsing the web.config tree found in my virtual directory... I
don't want to build on any of the other authentication modules ...
I have tried using ildasm to disassemble
System.Web.Security.FormsAuthenticationModule and some of the other
built-in modules, but I still can't figure out how this is done, and all
tutorials and examples I have found on the net assume that the entire
site is protected and not just parts of it.
Any help is greatly appreciated
Thomas Mandelid
Thomas Mandelid Guest
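The approach the built-in FormsAuthenticationModule takes, shown here as an added example (this is not the poster's code and not the framework's source), is to stop asking "is this page restricted?" during AuthenticateRequest at all. The module always tries to establish the caller's identity from a signed ticket cookie (cases 1 and 4 of the question); UrlAuthorizationModule, which runs later at AuthorizeRequest, applies the `<authorization>` rules from web.config and answers the request with a 401 when an anonymous caller hits the `admin` folder. The module then catches that 401 in EndRequest and redirects to the custom login page with a return URL (case 3). Nothing parses web.config by hand. The cookie name, login page path, signing key and ticket format are assumptions made for this example, and it assumes .NET 2.0 or later for HMACSHA256 and long.TryParse.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

namespace MyNamespace
{
    public class TicketAuthModule : IHttpModule
    {
        // Assumed names for this example; the key must come from protected
        // configuration in a real deployment, never from source.
        private const string CookieName = "MyAuthTicket";
        private const string LoginPage = "login.aspx";
        private static readonly byte[] SigningKey =
            Encoding.UTF8.GetBytes("REPLACE-WITH-A-RANDOM-KEY-FROM-CONFIG");

        public void Init(HttpApplication app)
        {
            app.AuthenticateRequest += OnAuthenticateRequest;
            app.EndRequest += OnEndRequest;
        }

        public void Dispose() { }

        private void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            HttpCookie cookie = ctx.Request.Cookies[CookieName];
            if (cookie == null) return;                 // anonymous: leave User alone

            string user = ValidateTicket(cookie.Value, DateTime.UtcNow);
            if (user == null) return;                   // forged or expired: treat as anonymous

            // The caller proved who they are, so attach our own principal on
            // every request, whether or not the page turns out to be restricted.
            ctx.User = new GenericPrincipal(new GenericIdentity(user, "Ticket"), new string[0]);
        }

        private void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // UrlAuthorizationModule set 401 because <deny users="?" /> matched:
            // send the caller to our login page and remember where they were going.
            if (ctx.Response.StatusCode == 401)
            {
                string loginUrl = ctx.Request.ApplicationPath.TrimEnd('/') + "/" + LoginPage;
                ctx.Response.Redirect(loginUrl + "?ReturnUrl=" + HttpUtility.UrlEncode(ctx.Request.RawUrl));
            }
        }

        // Ticket format (assumed): "user|expiryTicksUtc|hexHmacSha256(user|expiryTicksUtc)".
        // Returns the user name if the MAC verifies and the ticket is not expired, else null.
        internal static string ValidateTicket(string ticket, DateTime nowUtc)
        {
            if (ticket == null) return null;
            string[] parts = ticket.Split('|');
            if (parts.Length != 3 || parts[0].Length == 0) return null;

            long expiryTicks;
            if (!long.TryParse(parts[1], out expiryTicks)) return null;
            if (new DateTime(expiryTicks, DateTimeKind.Utc) < nowUtc) return null;

            string expected = Sign(parts[0] + "|" + parts[1]);
            return FixedTimeEquals(expected, parts[2]) ? parts[0] : null;
        }

        // Called by the login page after it has verified the credentials.
        internal static string IssueTicket(string user, DateTime expiryUtc)
        {
            if (user.IndexOf('|') >= 0)
                throw new ArgumentException("user name must not contain the separator", "user");
            string payload = user + "|" + expiryUtc.Ticks;
            return payload + "|" + Sign(payload);
        }

        private static string Sign(string payload)
        {
            using (HMACSHA256 hmac = new HMACSHA256(SigningKey))
            {
                byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
                return BitConverter.ToString(mac).Replace("-", "");   // hex keeps the cookie value safe
            }
        }

        // Compare MACs without short-circuiting on the first mismatching character.
        private static bool FixedTimeEquals(string a, string b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

Register the module under `<system.web><httpModules>` with `<add name="TicketAuth" type="MyNamespace.TicketAuthModule" />`, keep `login.aspx` outside the `admin` folder so anonymous users can reach it, set the ticket cookie with HttpOnly and Secure, and have the login page accept only a site-local ReturnUrl before redirecting back. If the code targets .NET 2.0 or later and you do want a yes/no answer inside AuthenticateRequest, `UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, user, verb)` evaluates the same web.config rules without any hand-written parsing; on .NET 1.x the 401-in-EndRequest pattern above is the supported route.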