Secure Multiple Applications in one Domain

Joe Reazor

I have a fairly simple scenario. I have a root web that is set-up with a
web.config file that has forms authentication on and authorization to only
allow logged in users to get in. Under the root web I have another web
application that has its own web.config file. If I request a file in the
root web, I am correctly redirected to the login page, I log in (just a
simple code behind verification), and I call
FormsAuthentication.RedirectFromLoginPage which correctly sends me to my
originally requested page. So far so good. Now I want to access a file
under the second web application that is under that same root web.
Initially that web.config did not have authentication or authorization
set-up to protect the app, so I got right into the page I requested without
logging in. Then I figured I could remove the <authentication> and
<authorization> tags from this web.config and the one that was up one level
would take over. That did redirect me to the login page, but when I log in
correctly it does not redirect me to my originally requested page, it just
sends me back to the login page again. I even tried completely removing the
web.config in the lower application which yielded the same result. Is there
something I am missing here?


==============
Joe Reazor
Gorbel Inc.
email: joerea=AT=gorbel=DOT=com
 
Steven Cheng[MSFT]

Hi Joe,

From your description, you have a root web application which contains
another sub application located in the root application's root folder in
IIS. The root application is using forms authentication and protects the
files from unauthenticated users. Now you want the sub application's files
to also be protected from unauthenticated users and to use the same login
page in the root web application. This works well when you are visiting
the pages in the root application. However, when you visit a page in the
sub application, are redirected to the login page, and after the user logs
in use FormsAuthentication.RedirectFromLoginPage to redirect to the
formerly requested page, you find you still get redirected to the login
page, yes?

As for this problem, here are some of my suggestions:
1. Regarding being repeatedly redirected to the login page: I think the
problem is likely caused by the login page not being in the same site. When
you visit the sub app and are redirected to the parent web application's
login page, that makes the formerly requested URL become the "login" page
rather than the particular page in the sub web app, so that when you submit
and call FormsAuthentication.RedirectFromLoginPage you will be repeatedly
redirected to the login page. I suggest you look at the URL in the
browser's address bar when you are redirected to the login page the first
time, or use Response.Write("<br>" +
FormsAuthentication.GetRedirectUrl("username",false)); to output the URL to
confirm this.

2. Since you want the sub app under the root application to also use the
authentication and authorization settings in the root web app, we don't need
to create a sub application; just make it a normal sub folder under the root
application. That will also avoid many other issues with multiple
applications in a parent-sub folder structure. Also, we can specify
hierarchical configuration settings in the root app's web.config without
providing a web.config for each sub folder. Here are some related
references in MSDN:

#Configuration Inheritance
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconconfigurationinheritance.asp?frame=true

#Configuration <location> Settings
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconconfigurationlocationsettings.asp?frame=true

#Locking Configuration Settings
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconlockingconfigurationsettings.asp?frame=true

Hope this also helps. Thanks.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
 
Joe Reazor

Steven,
Thanks for the response. Yes you understood my problem perfectly. For
your #1 solution: I had checked the ReturnUrl value and it does show the
originally requested page. I even checked my web log file and it shows in
this order: Original Page, Login Page, Post of Login Page, Original Page,
back to Login Page. So it definitely sends me back to my original page, it
just doesn't acknowledge that I am authenticated, probably the different
application issue that you mention. Your second suggestion does make sense
and I should have thought of that because I had another sub folder that
wasn't set-up as an application and that one worked ok.

I guess my next question then would be this: If my root web is the only
place that has a web.config file and I have many applications under that
which will no longer be "applications" in the sense that they won't have
their own web.config files or be configured in IIS as applications, then how
can I set specific settings for those applications. For instance, I want to
set-up different error handling for each one, or different authorization?
Is using the <location> element in my root web's web.config file the way to
go? Is there any limitation as to what you can configure under the
<location> element?


Thanks again for your help.


==============
Joe Reazor
Gorbel Inc.
email: joerea=AT=gorbel=DOT=com
 
Steven Cheng[MSFT]

Hi Joe,

Thanks for the followup. As for #1, ASP.NET has provided a solution for
using forms authentication across multiple web applications. That requires
making certain attributes in the <forms> element in web.config identical
across all those web applications. Here is the reference in MSDN:

#Forms Authentication Across Applications
http://msdn.microsoft.com/library/en-us/cpguide/html/cpconformsauthenticationacrossapplications.asp?frame=true

As for #2, making all the folders part of one application will be much
easier and more convenient than using FormsAuthentication across multiple
applications. But since all the folders and their content (pages...) are in
one web app, the elements in web.config that can be used in the <location>
setting are limited to certain elements. Some elements can only be set in
the root web.config. You can have a look at the following web.config
element schema to check:

#ASP.NET Settings Schema
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfASPNETConfigurationSectionSchema.asp?frame=true

You can view each element's description and see whether an element can
be overridden at subdirectory level or only at application level.

Hope these help. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
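
An added example, not part of the original thread or of any poster's code: a small Python check that two web.config files agree on the settings that let one application accept a forms authentication ticket issued by another. The attribute list (name, protection and path on <forms>; validationKey, decryptionKey and validation on <machineKey>) is an assumption not spelled out in the thread, and the sample configs and key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Attributes that must match for a forms-auth ticket issued by one application
# to be accepted by another (assumption: ASP.NET 1.x attribute names).
SHARED = {"forms": ("name", "protection", "path"),
          "machineKey": ("validationKey", "decryptionKey", "validation")}

# Constructed sample configs; key values are placeholders, not real keys.
ROOT_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".SITEAUTH" loginUrl="/login.aspx" protection="All" path="/" />
  </authentication>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" />
</system.web></configuration>"""

SUBAPP_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".SUBAUTH" loginUrl="/login.aspx" protection="All" path="/" />
  </authentication>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
</system.web></configuration>"""

def shared_settings(config_xml):
    """Return {(element, attribute): value} for the attributes in SHARED."""
    web = ET.fromstring(config_xml).find("system.web")
    found = {}
    for element, attrs in SHARED.items():
        node = web.find(".//" + element) if web is not None else None
        for attr in attrs:
            # None means the attribute is not set here and is inherited.
            found[(element, attr)] = None if node is None else node.get(attr)
    return found

def audit(root_xml, sub_xml):
    """List reasons the two applications cannot share an authentication ticket."""
    root, sub = shared_settings(root_xml), shared_settings(sub_xml)
    problems = []
    for key in root:
        label = "%s/@%s" % key
        if root[key] != sub[key]:
            problems.append("%s differs: %r vs %r" % (label, root[key], sub[key]))
        if key[0] == "machineKey" and "AutoGenerate" in (root[key] or "") + (sub[key] or ""):
            problems.append("%s is auto-generated, not an explicit shared key" % label)
    return problems

if __name__ == "__main__":
    print("\n".join(audit(ROOT_CONFIG, SUBAPP_CONFIG)))
```

An empty list means the two files agree on every checked attribute; values left unset in both files compare equal because both inherit from the parent configuration.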
 
Joe Reazor

Steven,
Thanks for your help. Your answers and the article references you have
provided have been helpful and I should now be able to do what I needed to
do. Thanks again.


==============
Joe Reazor
Gorbel Inc.
email: joerea=AT=gorbel=DOT=com
 
