Forms Authentication with ACL Authorization

And Showing the Progress of File Generation

Rob Howard

October 30, 2009

8 Min Read
ITPro Today logo in a gray background | ITPro Today

AskMicrosoft

 

FormsAuthentication with ACL Authorization

AndShowing the Progress of File Generation

 

By Rob Howard

 

My inboxhas been overflowing with some really great questions. Here are a couple goodones.

 

ACLAuthorization

Onour previous NT 4.0 platform, we used forms authentication with Site Server 3.0to map personalization and membership logins to NT groups, so we were able touse access control lists (ACL) authorization. On our new platform, we wouldlike to continue to use forms authentication with ACL authorization. We wouldlike to use the form page to authenticate and bind users to Active Directoryaccounts. We do not want to use URL authorization because we would like tosecure other resources besides aspx files (such as asp files and htm files). Isthere any way to perform a Windows authentication using forms, or are werestricted only to basic, digest, and integrated authentication? - Joe Alfano

 

ASP.NETsupports a very rich and extensible security architecture. Out of the box,there are three supported modes of authentication: Windows, Forms, andPassport. There is also a custom option, but that is beyond the scope of thisanswer. The scenario Joe describes is quite common: Resources exist on a serverand must have restricted access. There are a couple of ways to solve Joe'sproblem using ASP.NET, and I'll show you the one I believe is most applicable.

 

ASP.NET'sforms authentication is an authentication model that looks at an incomingrequest and attempts to determine if the caller has a cookie containing anauthentication ticket. If the ticket exists and can be verified, the request isauthenticated. However, if the ticket does not exist, the request is redirectedto a login page where the credentials can be captured, verified, and authenticated.Finally, the request is rerouted back to the original document requested. Hereare the steps:

 

What Happens

What It Means

1)        GET default.aspx HTTP/1.1

2)        302 Redirect

Location: login.aspx

3)        POST login.aspx HTTP/1.1

4)        [verify credentials]

5)        200 OK

Set-Cookie: .ASPXAUTH Auth Ticket

6)        GET default.aspx HTTP/1.1

Cookie: .ASPXAUTH Auth Ticket

1)        The user requests a resource on the server, default.aspx.

2)        The user is not authenticated, so the server redirects the user to login.aspx.

3)        The user enters a user name and password (or other credentials) into an HTML form and posts that form back to login.aspx.

4)        Code within login.aspx verifies the user name and password against a data store.

5)        If the user name and password are valid, an authentication ticket - in the form of an HTTP cookie - is written to the browser's headers.

6)        The request is directed back to the page the user originally requested, along with the authentication ticket. The request is authenticated.

 

In formsauthentication, the developer's responsible for writing the code necessary toverify and authenticate the credentials a user provides. It is also thedeveloper's responsibility to call an API on the FormsAuthentication class to inform ASP.NET that the credentialsare valid. In Joe's case, when the credentials are provided in login.aspx, hecan easily check Active Directory or any other Lightweight Directory AccessProtocol directory or data store and verify those credentials. Once thecredentials are verified, the user is said to be authenticated. In other words,the user is who he or she claims to be.

 

Afterauthenticating a resource, you want to control access or authorize theauthenticated user to various resources. This is really easy for ASP.NETresources. You simply use the existing authorization features of ASP.NET tocontrol access to resources based upon the URL ID of the resource. However, bydefault, this excludes any non-ASP.NET resources. By resource, I mean any filewith an extension for which ASP.NET is responsible, such as aspx, asmx, andashx.

 

Joe saidhe wishes to authorize access to resources for which ASP.NET is notresponsible, such as files with an extension of htm. This is easy toaccomplish, by following these steps:

 

Configure Internet InformationServices (IIS)

First,you need to tell IIS that any requests for files with the extension htm are tobe handled by ASP.NET. To do this, follow these steps:

1)       OpenIIS Manager (Start |All Programs | Administrative Tools | Internet Information Services).

2)       Selectthe Properties dialog for the Web site, to applyto the entire site. Or, select it on the specific Web application that containsnon-ASP.NET resources you wish to authorize.

3)       Selectthe Home Directory tab.

4)       Withinthe Home Directory tab, press the Configurationbutton.

5)       Thedialog Application Configuration that opens should contain three tabs. Selectthe tab named Mappings.

6)       Inthe extension column, find .aspx and double-click on it.

7)       Copythe text value of the Executable field to the clipboard.

8)       Returnto the Mappings tab and press the Addbutton.

9)       Pastethe value copied from the aspx executable setting in the new mapping'sExecutable field. Type.htm in the Extension field, un-check Check that the file exists, and press OK.

10)     Stop and restart IIS.

 

Configure ASP.NET

You needto tell ASP.NET what to do with the new files types you've instructed IIS tosend along to ASP.NET:

1)       Decidewhether you want to configure this globally or only for the local application.If you want this to be a global setting, you'll make changes to themachine.config file. If you want changes to be specific to an ASP.NETapplication, you'll make changes to the application's web.config file. Open theappropriate file in your editor.

2)       Findthe section within the file and addthe following line:

 

 type="System.Web.StaticFileHandler"/>   Notethat the addition of this line is optional because a path value of *exists already. This is simply more explicit.   Anyrequest for an htm file will be redirected to ASP.NET, and URL authorizationcan participate in the authentication and authorization for the given resource.You can do the same for just about any file extension.   Joe alsoasked if he could allow ASP.NET to handle authentication and authorization for aspfiles from within ASP.NET. Unfortunately, this is not possible because ASP.NETand ASP are completely orthogonal to one another. For ASP authentication andauthorization, you would need to follow the existing authentication andauthorization strategy or, better yet, migrate those files to ASP.NET!   Generate aFile I'mplanning a Web application that generates a file. This file is product data,which I want users to be able to download. I need help with two things: 1)       Howto start the download of that file automatically. 2)       Thisoperation can take hours. I need some way of showing the progress of theoperation, but I can't find a way to make fields on my page update based on atimer. I know this has to be possible because the sports pages do it within-game updates. -John Woodward   Thefirst part is easy to do. Once the file exists in a known location (and isknown to be complete), a page can redirect the user to the known file. Thefollowing code should accomplish this:   '  If the file exists, let's redirect the userto the fileResponse.Redirect("/UserFiles/ProductData/Product1.xls") Response.End()   It'simportant to call Response.Endwhenever a Response.Redirect isdone. Otherwise, the request will continue to be processed.   Thesecond part of the question is a bit more challenging. Any operation that cantake hours is a scary operation on the Web server if it's not implementedcorrectly. In other words, you don't want to block Web server operations due tofile generation. The Web server process uses a thread pool to handle requests.If 100 requests come in for file-generation operations that can take very longto execute, all the threads will be tied up doing the file-generation work, andnone will be able to handle new requests. The best solution would be to write aWindows Service - you can do this easily with VS .NET - that accepts requestsvia .NET and can schedule threads within its process to perform theselong-running operations. The service also should support an API that allowsapplications to check the status of a particular file-generation operation.   Theapplication could be structured as follows: 1)       Requestfor long-running file-generation operation. 2)       Basedon the identity of the request, the ASP.NET user code creates a uniquefile-name key and issues a request via .NET remoting to the File CreationWindows service. 3)       Then,ASP.NET performs a Response.Redirectto a CheckFileCreationStatus.aspx page, passing the file-name key as aparameter. 4)       WheneverCheckFileCreationStatus.aspx?FileName=MyFilename.xls is called, ASP.NET makes a .NETremoting call to the File Creation Windows service and receives back a statusof the file creation, such as the percentage completed. 5)       Theresponse returned from CheckFileCreationStatus.aspx?FileName=MyFilename.xls contains a meta tag that forcesthe client to auto-refresh the page every 20 seconds. You can snag the exactsyntax for this out of the docs. 6)       Afterfive such auto-refreshes, the Windows service returns complete, andCheckFileCreationStatus.aspx performs a Response.Redirectto the location of the generated file.   That'sit for now. To submit questions for the "Ask Microsoft" column, send e-mail to [email protected].In addition to answering questions, we'll send an ASP.NET T-shirt to the personwho submits the best question.   Rob Howardis a program manager on the ASP.NET team. He also writes the MicrosoftDeveloper Network's "Nothing but ASP.NET" column and is a co-author of Professional ASP.NET,from Wrox.      

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like