-
Hari Menon #1
Forms Authentication: login page in a separate web app
Hi,
I would like to create a WebApp, say MySecurityProvider,
that just contains a login page that knows how to
authenticate a user. And I want other web apps, e.g.
MyTestWebApp, that require authentication to point their
loginUrl to the login page in my web app.
Is that possible? I tried setting the loginUrl in
MyTestWebApp to point to /MySecurityProvider/login.aspx.
What happens is that the redirect to the login page
succeeds and the login goes through as well and the
cookie gets issued (I set the path to "/" in both the
RedirectFromLoginPage() as well as in the <forms> tag).
But the protected resource in MyTestWebApp still cannot
be accessed. When I access an unprotected resource in
MyTestWebApp and check the cookies that are set, I do see
that the auth cookie IS there. But somehow I do not seem
to be able to access the protected resource on
MyTestWebApp - it always redirects me to the login page.
Am I doing something wrong or is this not supposed to
work?
Hari Menon Guest
-
Jim Cheshire [MSFT] #2
RE: Forms Authentication: login page in a separate web app
Hari,
Forms authentication is designed to be used on a per-application basis.
The login page must be located in the Web application you are
authenticating for.
Jim Cheshire [MSFT]
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]
This post is provided as-is with no warranties and confers no rights.
>Jim Cheshire [MSFT] Guest
-
Brad #3
Re: Forms Authentication: login page in a separate web app
Hari - This is quite possible and in fact we're using it; our portal app
manages all logins for all apps. You should read up on how to do this in
Building Secure Microsoft ASP.NET Applications
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp[/url]
Brad Guest
-
Jim Cheshire [MSFT] #4
Re: Forms Authentication: login page in a separate web app
Brad,
I'm not aware of any part of that book that indicates that you can point
multiple applications to one login page. Maybe I'm not completely aware of
what Hari is asking about.
Hari, if you want to have one login page for multiple applications, you
can't do that. However, if you want to allow a user to login using a login
page and then have that login valid for other applications, that IS
possible.
The two do not accomplish the same thing. In the latter, it is assumed
that a user will always log in to your application from one specific
application. The scenario you originally described did not seem to relate
to that requirement.
Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]
This post is provided as-is with no warranties and confers no rights.
>Jim Cheshire [MSFT] Guest
-
Brad #5
Re: Forms Authentication: login page in a separate web app
Jim & Hari,
Here's the section from the book (and it's definitely worth having a hard
copy of this as I do)
[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp[/url]
=================================================
Hosting Multiple Applications Using Forms Authentication
If you are hosting multiple Web applications that use Forms authentication
on the same Web server, it is possible for a user who is authenticated in
one application to make a request to another application without being
redirected to that application's logon page. The URL authorization rules
within the second application may deny access to the user, without providing
the opportunity to supply logon credentials using the logon form.
This only happens if the name and path attributes on the <forms> element are
the same across multiple applications and each application uses a common
<machineKey> element in Web.config.
=================================================
In our case we have one web application that is our intranet portal. The
portal app has the login page and handles creating the forms
authentication. All other web apps point to this one login page. When the
login is completed the login page redirects back to the calling page...and now
the user is back in the web app which required the authentication. All
that's left for a web app to do is populate the app-specific roles in the
authentication ticket and retrieve the roles....which we do in a common base
class for the global.asax. The portal app even manages the roles for all
of the other apps and serves them up to the other apps via a web service.
In the end all our web apps can implement the basics of common security with
very few lines of code.
Brad
Brad Guest
-
Jim Cheshire [MSFT] #6
Re: Forms Authentication: login page in a separate web app
Brad,
This is referring to the same thing that I said in my last post. It is
possible to share a FormsAuthenticationTicket between applications.
However, what Hari asked is how to have all applications point back to a
single login page. That is a different scenario.
Suppose you have three applications; AppA, AppB, and AppC. You use the
method of making sure that <machineKey> settings are identical for each
application and you have removed the isolatedApps attribute in the
machine.config if running 1.1. It is still going to use the loginURL for
the application you are accessing on first browse. It will still not allow
you to have, for example, AppA and AppB redirect to AppC's login page.
As per my post yesterday to Hari, if the goal here is to share
authentication between Forms Authentication applications, that is easy to
implement. If the goal is to share one single login page for all
applications, that is not possible.
Jim Cheshire, MCSE, MCSD [MSFT]
Developer Support
ASP.NET
[email]jamesche@online.microsoft.com[/email]
This post is provided as-is with no warranties and confers no rights.
Jim Cheshire [MSFT] Guest
-
Brad #7
Re: Forms Authentication: login page in a separate web app
Hari - What you're doing will work but you may be missing one of a couple of
things
1) The protected resource must be an aspx or something processed by the
aspnet_isapi.dll
2) If your protected resource is protected by roles then you must load the
roles into the Context.User (IPrincipal) during the
Application_AuthenticateRequest event of the global.asax code of the
application which contains the protected resource.
Brad
Brad Guest
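The role-loading step from point 2 of post #7, sketched as an added example (not code posted by anyone in this thread). It assumes the login page stored the user's roles in the ticket's UserData as a comma-separated string; that storage format is an assumption, and the thread's portal serves roles from a web service instead.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Global.asax.cs of the application that holds the protected resource
// (MyTestWebApp in the thread). Prerequisite, per the book section quoted in
// post #5: this app and the login app use the same name and path on <forms>
// and a common <machineKey>; otherwise the ticket cannot be read here and the
// user is sent back to the login page.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
        {
            return; // no ticket: the request stays anonymous
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt also validates the ticket with the configured machineKey.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            // Tampered ticket or mismatched keys: fail closed, stay anonymous.
            return;
        }

        if (ticket == null || ticket.Expired)
        {
            return;
        }

        // Assumption: roles were written by the login page as "role1,role2".
        // They are trusted only because the ticket is protected by the
        // shared machineKey; never read roles from an unprotected cookie.
        string userData = ticket.UserData;
        string[] roles = (userData == null || userData.Length == 0)
            ? new string[0]
            : userData.Split(',');

        // Replace the principal so <authorization> role rules and
        // User.IsInRole() see the application-specific roles.
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```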


