2

I have a folder hierarchy in my ASP.NET solution, like this:


Everything in the Reseller folder should be authenticated, and is considered a secure resource. But anything in the Services folder is just public, and there is no need to authenticate any request coming for the web service ProductServices.asmx.

Now, I want to hook into the AuthenticateRequest of the request process pipeline and there, before the user is authenticated, I want to see if the request is for a public or a secure path. I know that I can use UrlAuthorizationModule.CheckUrlAccessForPrincipal, and I have actually asked that in another question. But UrlAuthorizationModule.CheckUrlAccessForPrincipal is a method which can be used just after the request is authenticated. However, before any authentication, I want to know if the requested path is secure or not. In other words, is there any authentication element defined for the requested path anywhere in its folder hierarchy in any web.config file, or not.

A pseudo-code of what I want could be something like:

UrlAuthorizationModule.IsRequestedPathSecure(Request.Url.AbsolutePath)

How can I do that?

3 Answers

2

You could use the CheckUrlAccessForPrincipal method (as you mentioned) but using a GenericPrincipal representing an anonymous user like so:

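// Global.asax.cs; needs: using System.Security.Principal; using System.Web.Security;
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // An identity with an empty name is unauthenticated, i.e. the anonymous user.
    IIdentity identity = new GenericIdentity(string.Empty, string.Empty);
    IPrincipal principal = new GenericPrincipal(identity, new string[] { });

    // True if the anonymous user may access the requested URL, false otherwise.
    bool hasAccess = UrlAuthorizationModule.CheckUrlAccessForPrincipal(Request.Path, principal, "GET");

    if (!hasAccess)
    {
        // Anonymous access not permitted to the current URL.
    }
}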

2 Comments

Well, I tried your code, but the secure is true. I also added <allow users="?"/> or <allow users="*"/> to the Services folder web.config, but no success. The path is /Services/ProductServices.asmx/GetWizardContainer. I'm calling this method from jQuery.
Sorry, my answer was not very clear. The code above will return true if the anonymous user has access and false if not. I will update my answer to reflect this.
0

Not sure if this helps, but you can forbid/grant access to your hidden resources by using the location element of web.config; see HOW TO: Control Authorization Permissions in an ASP.NET Application for a description. It gives you the possibility of granting access on a folder or aspx/asmx basis. IIS will return a 403 HTTP error code for forbidden locations and not process requests to those if users don't have permissions.

1 Comment

Yeah, I know that. Thanks for your answer. What I want to do is to know if the requested path belongs to one of the secured resources, and I want to do this in code.
0

Add a web.config file to Reseller and write the following code into it:

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <allow roles="ResellerUser,ResellerAdmin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Also add a web.config file to the Service folder and write the following code into it:

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings>
  </appSettings>
  <system.web>
    <pages theme="">
    </pages>
    <authorization>
      <allow roles="ResellerUser, ResellerAdmin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

Note the <pages theme="">; it is necessary.
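A simplified offline model of the lookup the question asks for, added here as an illustration (it is not code from any post above, nor ASP.NET's own implementation): it walks from the requested path up through its parent folders and applies the first authorization rule that matches an anonymous user. The CONFIGS sample and all function names are constructed; the Services rule is the `<allow users="?"/>` mentioned in the comments, and `<location>` elements are not modelled.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample (folder -> web.config text) mirroring the layout in the question.
CONFIGS = {
    "/Reseller": """<configuration><system.web><authorization>
          <allow roles="ResellerUser,ResellerAdmin" />
          <deny users="*" />
        </authorization></system.web></configuration>""",
    "/Services": """<configuration><system.web><authorization>
          <allow users="?" />
        </authorization></system.web></configuration>""",
}

def _local(tag):
    """Strip an XML namespace, e.g. '{http://...}allow' -> 'allow'."""
    return tag.rsplit("}", 1)[-1]

def _csv(rule, attr):
    return [v.strip() for v in rule.get(attr, "").split(",") if v.strip()]

def rules_for(folder, configs):
    """Yield (action, users, verbs) for one folder's <authorization> rules, in order."""
    if folder not in configs:
        return
    for node in ET.fromstring(configs[folder]).iter():
        if _local(node.tag) == "authorization":
            for rule in node:
                yield _local(rule.tag), _csv(rule, "users"), _csv(rule, "verbs")

def anonymous_allowed(path, configs, verb="GET"):
    """Nearest folder's rules are read first, then each parent's; first match wins."""
    folder = posixpath.dirname(path)
    while True:
        for action, users, verbs in rules_for(folder, configs):
            if verbs and verb not in verbs:
                continue
            # An anonymous user has no name and no roles: only "?" or "*" can match.
            if "?" in users or "*" in users:
                return action == "allow"
        if folder in ("/", ""):
            return True  # nothing matched: the machine-level default allows everyone
        folder = posixpath.dirname(folder)

def is_requested_path_secure(path, configs):
    """Hypothetical counterpart of the asker's IsRequestedPathSecure pseudo-call."""
    return not anonymous_allowed(path, configs)
```

With the Services web.config shown in this answer (role-only allow followed by `<deny users="*"/>`), the same function reports the web service path as secure rather than public.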
