Reputation: 35822
I have a folder hierarchy in my ASP.NET solution, like this:
Everything in the Reseller folder should be authenticated, and is considered a secure resource. But anything in the Services folder is just public, and there is no need to authenticate any request coming for the web service ProductServices.asmx.
Now, I want to hook into the AuthenticateRequest event of the request process pipeline and there, before the user is authenticated, I want to see if the request is for a public or a secure path. I know that I can use UrlAuthorizationModule.CheckUrlAccessForPrincipal and I actually have asked that in another question. But UrlAuthorizationModule.CheckUrlAccessForPrincipal is a method which can be used just after the request is authenticated. However, before any authentication, I want to know if the requested path is secure or not. In other words, is there any authentication element defined for the requested path anywhere in its folder hierarchy in any web.config file, or not.
A pseudo-code of what I want could be something like:
UrlAuthorizationModule.IsRequestedPathSecure(Request.Url.AbsolutePath)
How can I do that?
Upvotes: 2
Views: 2971
Reputation: 12894
You could use the CheckUrlAccessForPrincipal method (as you mentioned) but using a GenericPrincipal representing an anonymous user like so:
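// Needs: using System.Security.Principal; (GenericIdentity, GenericPrincipal)
//        using System.Web.Security;       (UrlAuthorizationModule)
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // An identity with an empty name reports IsAuthenticated == false,
    // so this principal stands in for an anonymous user with no roles.
    IIdentity identity = new GenericIdentity(string.Empty, string.Empty);
    IPrincipal principal = new GenericPrincipal(identity, new string[] { });

    // Evaluate the <authorization> rules that apply to the requested path.
    bool hasAccess = UrlAuthorizationModule.CheckUrlAccessForPrincipal(Request.Path, principal, "GET");
    if (!hasAccess)
    {
        // Anonymous access not permitted to the current URL.
    }
}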
Upvotes: 2
Reputation: 12610
Add a web.config file to Reseller and write the following code into it:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <allow roles="ResellerUser,ResellerAdmin" />
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
and also add a web.config file to the Service folder and write the following code into it:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings>
  </appSettings>
  <system.web>
    <pages theme="">
    </pages>
    <authorization>
      <allow roles="ResellerUser, ResellerAdmin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Note the pages theme="" setting: it is necessary.
Upvotes: 0
Reputation: 56
Not sure if this helps, but you can forbid/grant access to your hidden resources by using the location element of web.config; see HOW TO: Control Authorization Permissions in an ASP.NET Application for a description. It gives you the possibility of granting access on a folder or aspx/asmx basis. IIS will return a 403 HTTP error code for forbidden locations and will not process requests to those if users don't have permissions.
Upvotes: 0
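An added example, not taken from any of the answers above, of the location-element approach applied to the two folders in the question. It is a single root web.config; the role names come from the earlier answer, and the assumptions are that Reseller and Services sit directly under the application root and that the site's existing authentication settings stay as they are.

```xml
<?xml version="1.0"?>
<!-- Root web.config (example layout; folder paths are assumptions). -->
<configuration>

  <!-- Site default. Existing <authentication> settings are not shown
       and are left unchanged. -->
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Secure area. Rules are evaluated top-down and the first match wins:
       members of either role are allowed, everyone else (including
       anonymous users) hits the deny rule. -->
  <location path="Reseller">
    <system.web>
      <authorization>
        <allow roles="ResellerUser,ResellerAdmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Public area. The explicit allow documents intent and keeps the
       folder public even if the site default above is tightened later. -->
  <location path="Services">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

With these rules, a check made with an anonymous principal, as in the CheckUrlAccessForPrincipal answer, is refused for paths under Reseller and permitted for Services/ProductServices.asmx.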