ASP application using ASP.NET Forms Authentication

Leandro David

Hi,

I'm working on an already developed and complex ASP application. We
are now having some authentication problems, and reading about it, I
discovered that Forms Authentication can solve our problems. Is it
possible to use Forms Authentication without changing the whole
application to the .NET platform?

Thanks,

Leandro David
 
Guest

No, and I see no sense in doing that. ASP.NET Forms Authentication
enables ASP.NET applications to provide their own logon service and
credential verification. The advantage of using ASP.NET Forms
Authentication in ASP.NET is that it can be easily set up, it enables
permission settings in the web.config file, and it provides built-in
methods for working with current users. For example, whether the user
has been authenticated can be checked using the
User.Identity.IsAuthenticated property, the name of the user using
User.Identity.Name, whether the user is a member of the specified role
using User.IsInRole, and so on. But you cannot use these features in
ASP 3.0.
 
Leandro David

Let me explain the problem:

I have an application with lots and lots of .asp files. At the moment
we don't have enough time and people to recode all the .asp pages
as .aspx pages.

Today we do user authentication using sessions in the .asp files.

But the biggest problem at the moment is authentication for other
types of files, like html, jpg, pdf and other files. These are users'
files, and they are stored in specific folders on the server. I saw
somewhere that using Forms Authentication I can configure the
web.config file to deny unauthenticated people access to the files in
these folders, after configuring the mapping in IIS for extensions
like .htm, .jpg, .pdf... This is the only resource I plan to use.

What I'm planning now is to keep the authentication as it is done
today (using sessions) in the .asp files (it works OK) and, when the
user logs in to the application, redirect to a login.aspx page where
the Forms Authentication is done automatically. This way I can configure
web.config in the folders that have users' files.

Is it possible, or does it still make no sense?

Thanks for the help,

Leandro
 
Guest

Hi, Leandro

I think I understand the problem now. You can map html, jpg, pdf to the
aspnet_isapi.dll ISAPI handler to process the requested file with
ASP.NET Forms Authentication. But I think you could have another issue
here: for example, a protected jpg included in a protected asp page
would require double authentication - one for the asp and one for the
jpg. If you don't have such a case, then your idea with ASP.NET Forms
Authentication should work.

I've found an article about integrating ASP.NET Security with Classic
ASP and Non-ASP.NET URLs

http://weblogs.asp.net/scottgu/arch...ty-with-classic-asp-and-non-asp-net-urls.aspx

Hope it helps you to find the right way :)
 
Dominick Baier

You can do that - but it requires IIS6/ASP.NET 2.0 -

just do a wild card mapping in your app settings for the aspnet_isapi.

Then all calls will go through ASP.NET first, and thus through FormsAuth.
But you have to find a way to "transport" the values you may care about (username,
roles) from ASP.NET to ASP.

You can achieve that by deriving from DefaultHttpHandler. I wrote about it
here:

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx

I actually have a complete walkthrough of that scenario in my book (see below ;)
 
Leandro David

Hi, here I am again,

I'm trying to do the Forms Authentication, but it's not working.
What I did:

After doing an authentication in a login.asp file, it redirects the
user to the login.aspx file just to do an automatic Forms Authentication.
The redirect URL used in login.asp is
"login.aspx?ReturnUrl=admin_default.asp". I used the ReturnUrl because
I want to redirect to this page after doing the automatic Forms
Authentication.

The login.aspx file contains this simple code:

<%@Page Language="VB" %>
<%@Import Namespace="System.Web.Security" %>
<script language="VB" runat="server">
    Sub Page_Load(objSender As Object, objArgs As EventArgs)
        FormsAuthentication.RedirectFromLoginPage("DotNetLogin", False)
    End Sub
</script>

and this is my web.config :

<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <system.web>
        <customErrors mode="Off" />
        <authentication mode="Forms">
            <forms loginUrl="http://localhost/principal/default.asp"
                   protection="All" timeout="15" />
        </authentication>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

I also configured in IIS a mapping to the aspnet_isapi.dll
for .html, .htm and .pdf files.

OK, after logging in at login.asp, the user is correctly redirected to
login.aspx and then to admin_default.asp, and so they can open all
the .asp files but, when I try to open a user html or pdf file it
just redirects to the login page as if the user is not really
authenticated.

What am I forgetting? Is the
FormsAuthentication.RedirectFromLoginPage() method enough for creating
the authentication cookie? Do I need anything else?


Thanks Again

Leandro David
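
An added example, not part of the thread or any poster's code: one way the login.aspx hand-off page could check that a request really follows a completed login.asp sign-in before it issues the Forms Authentication ticket, since the page as posted calls RedirectFromLoginPage for every request it receives. It assumes login.asp appends `user`, `exp` and `sig` query parameters signed with a secret shared by both sides (classic ASP has no built-in HMAC, so a component that computes it is assumed), and the `HandoffKey` setting name is hypothetical.

```vbnet
<%@ Page Language="VB" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Web.Security" %>
<script language="VB" runat="server">
' Assumed hand-off (not from the thread): login.asp redirects to
'   login.aspx?user=<name>&exp=<Unix seconds, UTC>&sig=<lowercase hex>&ReturnUrl=...
' where sig = HMAC-SHA256 of "<user>|<exp>" under the shared secret.
' The appSettings key "HandoffKey" is a name chosen for this example.
Const MaxAgeSeconds As Long = 30

Function ComputeSig(ByVal user As String, ByVal exp As String) As String
    Dim key As Byte() = Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings("HandoffKey"))
    Dim mac As New HMACSHA256(key)
    Dim hash As Byte() = mac.ComputeHash(Encoding.UTF8.GetBytes(user & "|" & exp))
    Return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant()
End Function

' Compare without stopping at the first differing character.
Function SameString(ByVal a As String, ByVal b As String) As Boolean
    If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
    Dim diff As Integer = 0
    For i As Integer = 0 To a.Length - 1
        diff = diff Or (AscW(a.Chars(i)) Xor AscW(b.Chars(i)))
    Next
    Return diff = 0
End Function

Function HandoffIsValid(ByVal user As String, ByVal exp As String, ByVal sig As String) As Boolean
    Dim expiry As Long
    If String.IsNullOrEmpty(user) OrElse Not Long.TryParse(exp, expiry) Then Return False
    If Not SameString(ComputeSig(user, exp), sig) Then Return False
    Dim nowSec As Long = CLng((DateTime.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds)
    ' Reject expired tokens and tokens dated further ahead than the allowed lifetime.
    Return expiry >= nowSec AndAlso expiry - nowSec <= MaxAgeSeconds
End Function

Sub Page_Load(ByVal objSender As Object, ByVal objArgs As EventArgs)
    Dim user As String = Request.QueryString("user")
    If Not HandoffIsValid(user, Request.QueryString("exp"), Request.QueryString("sig")) Then
        Response.StatusCode = 403
        Response.End()
        Return
    End If
    ' Issue the ticket under the verified user name rather than a shared constant.
    FormsAuthentication.RedirectFromLoginPage(user, False)
End Sub
</script>
```

A signed token in the query string can be replayed until it expires, so the lifetime is kept short and both pages should be served over HTTPS.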
 
