Insert into instead of add to the HttpModules pipeline

[Guest]

Hi,

We are writing a Web SSO service for all of our websites through Forms
Authentication. We also want to provide our websites with the ability to
protect different parts of their website and redirect to different
registration pages. We are also required to centrally audit authorization
failures to a database only the Web SSO people can see.

We are using .NET 2.0 but need solutions that will use the same code run on
our clients either under 2.0 or 1.1.

We are hoping that sometime in the future ADFS 2+ or another vendor will
provide this functionality but in the meantime the show must go on.
Therefore, our solution is to balance business requirements with simplicity.

The current approach for authorization is to have an HttpModule listen for
Response status 401 on EndRequest. Then we can do some calls to get the
registration page and do the audit.

We are looking for an effecient way for our consuming web apps to hook up
our module.

In .NET 1.1 it looks pretty straight forward. We would have each consuming
web app modify their web.config as follows:
<httpModules>
<remove name="FormsAuthentication" />
<add name="WebSSOAuthorization"
type="WebSSOAuthorizationModule, MyApp11"/>
<add name="FormsAuthentication"
type="System.Web.Security.FormsAuthenticationModule" />
</httpModules>


In .NET 2.0, this does not appear to be the case. This is what we need to do
to get it to work in a consuming .NET 2.0 web app's web.config:
<httpModules>
<clear />
<add name="OutputCache" type="System.Web.Caching.OutputCacheModule" />
<add name="Session" type="System.Web.SessionState.SessionStateModule" />
<add name="WindowsAuthentication"
type="System.Web.Security.WindowsAuthenticationModule" />
<add name="WebSSOAuthorization" type="WebSSOAuthorizationModule"/>
<add name="FormsAuthentication"
type="System.Web.Security.FormsAuthenticationModule" />
<add name="PassportAuthentication"
type="System.Web.Security.PassportAuthenticationModule" />
<add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
<add name="UrlAuthorization"
type="System.Web.Security.UrlAuthorizationModule" />
<add name="FileAuthorization"
type="System.Web.Security.FileAuthorizationModule" />
<add name="AnonymousIdentification"
type="System.Web.Security.AnonymousIdentificationModule" />
<add name="Profile" type="System.Web.Profile.ProfileModule" />
<add name="ErrorHandlerModule"
type="System.Web.Mobile.ErrorHandlerModule, System.Web.Mobile,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
<add name="ServiceModel"
type="System.ServiceModel.Activation.HttpModule, System.ServiceModel,
Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</httpModules>

Hardcopying this down into each client's web.config during development is
just not practical. No one has any ideo over time what will be installed on
the web servers and modify the server's httpModules list.

Ideally, the client could just add our handler and then our handler could
reorder itself in the modules list at runtime on its Init so it fires before
FormsAuthentication. Is this possible?

If not, then would a solution be to put our Module into the server's
web.config? I think that part of that solution would have to be us defining a
configSection so that only the apps that want that module to fire would have
to explicitly turn it on (just like .NET was designed with <authentication
mode="Forms">).

Thanks.

 

[Steven Cheng[MSFT]]

Hello Noremac,

From your description, I understand you've developed a custom httpmodule
for providing SSO service in your ASP.NET web applications, you used to use
some simple configuration settings in application web.config file to
register your custom module, however, you found that you need much more
cofiguration elements in ASP.NET 2.0 application's web.config. So you're
wondering whether there is any more elegant means to do this, correct?

Based on my research, ASP.NET 2.0 has added many new built-in httpmodules,
and the "RoleManager" module is a new module which also related to forms
authentication and authorization. You can try reordering all the following
modules(put after your custom module) in application's web.config file to
see whether it helps:

"FormsAuthentication"
"RoleManager"
"UrlAuthorization"


Also, in .NET 2.0, it provide a set of configuration API that can help us
manage the application(or machine level) configuration in code. For
example, here is a test page which use web configuration API to insert a
custom httpModule before the "FormsAuthentication" module:

================
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
Response.Write("<br/>current user: " + Environment.UserName);

}
protected void btnButton_Click(object sender, EventArgs e)
{
Configuration config =
WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

HttpModulesSection section =
config.SectionGroups["system.web"].Sections["httpModules"] as
HttpModulesSection;

if (section != null)
{
Response.Write("<br/>section: " + section);

ConfigurationElement[] modules = new
ConfigurationElement[section.Modules.Count];
section.Modules.CopyTo(modules, 0);

List<ConfigurationElement> newmodules = new
List<ConfigurationElement>();

foreach (ConfigurationElement elm in modules)
{
Response.Write("<br/>" +
elm.ElementInformation.Properties["name"].Value);

if (elm.ElementInformation.Properties["name"].Value.Equals(
"FormsAuthentication"))
{
Response.Write("<br/>insert my module here");
HttpModuleAction mymodule = new
HttpModuleAction("mymodule", "simpleModule");

newmodules.Add(mymodule);

}

newmodules.Add(elm);
}


section.Modules.Clear();


foreach (ConfigurationElement elm in newmodules)
{
Response.Write("<br/>new module: " +
elm.ElementInformation.Properties["name"].Value);
section.Modules.Add((HttpModuleAction)elm);
}

config.Save(ConfigurationSaveMode.Modified);



}

}
}
========================

Here are some MSDN reference introducing the new web configuration API:

http://msdn2.microsoft.com/en-us/library/ms228060(vs.80).aspx

http://msdn2.microsoft.com/en-us/library/ms178687.aspx

Hope this helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Those are both good suggestions. Just reordering those three modules seem to
work. Re-writing the config file at runtime seems mighty tempting but I tried
to put it into an "Init" HttpModule and I got errors saving the config file
even with ASPNET having read/write.

It looks like the solution with the most elegance (i.e. less client-app
change) is to insert this handler in the machine's web.config and let each
app turn it on through a definition in their own web.config. I plan on adding
a config section to my HttpModule.

For 1.1, I think we may as well be consistent and add it into the
machine.config. Although I will have to figure out naming, etc since the code
needs to be compiled in both 1.1 and 2.0.

As always, thanks again for your help.

Hello Noremac,

From your description, I understand you've developed a custom httpmodule
for providing SSO service in your ASP.NET web applications, you used to use
some simple configuration settings in application web.config file to
register your custom module, however, you found that you need much more
cofiguration elements in ASP.NET 2.0 application's web.config. So you're
wondering whether there is any more elegant means to do this, correct?

Based on my research, ASP.NET 2.0 has added many new built-in httpmodules,
and the "RoleManager" module is a new module which also related to forms
authentication and authorization. You can try reordering all the following
modules(put after your custom module) in application's web.config file to
see whether it helps:

"FormsAuthentication"
"RoleManager"
"UrlAuthorization"


Also, in .NET 2.0, it provide a set of configuration API that can help us
manage the application(or machine level) configuration in code. For
example, here is a test page which use web configuration API to insert a
custom httpModule before the "FormsAuthentication" module:

================
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
Response.Write("<br/>current user: " + Environment.UserName);

}
protected void btnButton_Click(object sender, EventArgs e)
{
Configuration config =
WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

HttpModulesSection section =
config.SectionGroups["system.web"].Sections["httpModules"] as
HttpModulesSection;

if (section != null)
{
Response.Write("<br/>section: " + section);

ConfigurationElement[] modules = new
ConfigurationElement[section.Modules.Count];
section.Modules.CopyTo(modules, 0);

List<ConfigurationElement> newmodules = new
List<ConfigurationElement>();

foreach (ConfigurationElement elm in modules)
{
Response.Write("<br/>" +
elm.ElementInformation.Properties["name"].Value);

if (elm.ElementInformation.Properties["name"].Value.Equals(
"FormsAuthentication"))
{
Response.Write("<br/>insert my module here");
HttpModuleAction mymodule = new
HttpModuleAction("mymodule", "simpleModule");

newmodules.Add(mymodule);

}

newmodules.Add(elm);
}


section.Modules.Clear();


foreach (ConfigurationElement elm in newmodules)
{
Response.Write("<br/>new module: " +
elm.ElementInformation.Properties["name"].Value);
section.Modules.Add((HttpModuleAction)elm);
}

config.Save(ConfigurationSaveMode.Modified);



}

}
}
========================

Here are some MSDN reference introducing the new web configuration API:

http://msdn2.microsoft.com/en-us/library/ms228060(vs.80).aspx

http://msdn2.microsoft.com/en-us/library/ms178687.aspx

Hope this helps some.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Steven Cheng[MSFT]]

Thanks for your reply Noremac,

I think your further consideration is comprehensive. If you have any
further questions or anything we can help later, please feel free to post
here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.