Using Forms Authentication/Authorization with Rewritten URLs

I'm doing a quick sandbox test with some rewritten URLs (example taken from Scott Guthrie's blog) and Forms Authentication / Authorization.

I have a very simple setup.

~/View/(\d{1,6})      =>      ~/Public/View.aspx?ContentID=$1

AND

~/Buy/(\d{1,6})       =>      ~/Private/Purchase.aspx?ContentID=$1

I've confirmed the URL rewriting is working by browsing to each of the following separately

Next I went and enabled my Forms Authentication/Authorization for those 2 directories in the Web.Config. Setup as follows:

  <location path="Private">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location> 

This works perfectly when I browse to the 2 original URLs (the .aspx's) but doesn't fire at all when I browse to the URL-rewritten versions.

I've attempted to add <location> sections for Buy separately, but this still fails to cause the authorization/authentication module to kick in.

Presumably this is because it isn't treating these URLs as ASPX resources... I can get around it by making the rewriter rule look for

    <LookFor>~/Buy/(\d{1,6})\.aspx</LookFor>

i.e. force the rewritten version to have an ASPX at the end, but this just seems ugly. Is there any way to get the Auth Handlers to fire for any URL type regardless of the extension (or lack thereof)?

To use built-in auth, you will have to decide whether you want to authenticate based on the original 'raw' URLs or the rewritten ones. It appears as if the URL rewriter you're using is hooked up to an event after the authentication has already been performed, which is why only the 'Public' and 'Private' folder rules are being followed. If you want to authenticate based on the rewritten URLs, then you'll have to use a rewriter that hooks up to an earlier event (such as BeginRequest) as well as updating your web.config with the rewritten URLs.

Alternatively, you can plug in your own authentication provider and do fancy things like checking both rewritten and original URLs, but that's probably overkill for just a sandbox test site.

Please see this article for more information:

http://msdn.microsoft.com/en-us/library/ms972974.aspx

I hope this helps.
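
The ordering this answer describes, as an added example that is not code from the original post or from any rewriter library: an `IHttpModule` that applies the question's two rules at `BeginRequest`, so the built-in authorization check later in the pipeline sees the rewritten path. The class name `EarlyRewriteModule` is hypothetical, and the example assumes extensionless requests reach the managed pipeline.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical module (not part of the original post). It must be registered
// in web.config so that it runs for extensionless requests as well.
public sealed class EarlyRewriteModule : IHttpModule
{
    private const RegexOptions Opts =
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant;

    // The two rules from the question, anchored at both ends so that nothing
    // other than a 1-6 digit ID is ever passed on as ContentID.
    private static readonly KeyValuePair<Regex, string>[] Rules =
    {
        new KeyValuePair<Regex, string>(
            new Regex(@"^~/View/(\d{1,6})$", Opts), "~/Public/View.aspx"),
        new KeyValuePair<Regex, string>(
            new Regex(@"^~/Buy/(\d{1,6})$", Opts), "~/Private/Purchase.aspx"),
    };

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before AuthenticateRequest and AuthorizeRequest,
        // so UrlAuthorizationModule evaluates the path set below and the
        // <location path="Private"> rule covers ~/Buy/123 as well.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;

        foreach (KeyValuePair<Regex, string> rule in Rules)
        {
            Match m = rule.Key.Match(path);
            if (!m.Success) continue;

            // File path and query string are passed separately; the ID is
            // digits only because of the anchored pattern above.
            ctx.RewritePath(rule.Value, string.Empty,
                            "ContentID=" + m.Groups[1].Value);
            return;
        }
    }

    public void Dispose() { }
}
```

A quick check after deploying a module like this is to request `~/Buy/1` without an authentication cookie and confirm the response is the redirect to the login page rather than the purchase page.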

In ASP.NET 4.0 (and I believe it is in 3.5 SP1), there is included a new routing feature. The benefit of using this routing feature is that it is now supported directly inside ASP.NET, and you can therefore specify that when a route is executed, it shall respect the authorization settings for the actual .ASPX file.

So I would recommend you to investigate if you can implement this routing feature instead.

It's not clear what URL rewriting library you use, but from the looks of things I think it's probably urlrewriter.net; however, I don't see any tag?

Try enabling forms authentication and authorisation on all requests. By default it is only enabled for ASP.NET requests like .aspx. This can be done in IIS (7) or directly in web.config in the webserver/modules section:

<system.webServer>
   <modules>
        <remove name="FormsAuthentication" />
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition=""/>
        <remove name="UrlAuthorization" />
        <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="" />
   </modules>
</system.webServer>
