Server.Transfer() and authorization

[Mike Placentra II]

Hi. When using Server.Transfer() to switch the request to a specific
web form (as opposed to a class implementing IHttpHandler, if it makes
any difference), do I have to do something special to have
Request.IsAuthorized set properly?

When searching for a solution I read that Server.Transfer() does not
invoke the AuthorizeRequest event or something. Is there maybe a way
to make that happen since the request is being transferred to a web
form?

My reasons for not using Response.Redirect() are not just cosmetic,
but otherwise I would have switched to that already.

Thanks,
-Mike Placentra II

 

[Michael Nemtsev [MVP]]

Hello Mike,

yep, you are right, Server.Transfer doesnt support authorization and u need
to use Response.Redirect
or check authorization manually before making transfer

---
WBR,
Michael Nemtsev [.NET/C# MVP] :: blog: http://spaces.live.com/laflour

"The greatest danger for most of us is not that our aim is too high and we
miss it, but that it is too low and we reach it" (c) Michelangelo


MP> Hi. When using Server.Transfer() to switch the request to a specific
MP> web form (as opposed to a class implementing IHttpHandler, if it
MP> makes any difference), do I have to do something special to have
MP> Request.IsAuthorized set properly?
MP>
MP> When searching for a solution I read that Server.Transfer() does not
MP> invoke the AuthorizeRequest event or something. Is there maybe a way
MP> to make that happen since the request is being transferred to a web
MP> form?
MP>
MP> My reasons for not using Response.Redirect() are not just cosmetic,
MP> but otherwise I would have switched to that already.
MP>
MP> Thanks,
MP> -Mike Placentra II

 

[Guest]

Hi. When using Server.Transfer() to switch the request to a specific
web form (as opposed to a class implementing IHttpHandler, if it makes
any difference), do I have to do something special to have
Request.IsAuthorized set properly?

When searching for a solution I read that Server.Transfer() does not
invoke the AuthorizeRequest event or something. Is there maybe a way
to make that happen since the request is being transferred to a web
form?

My reasons for not using Response.Redirect() are not just cosmetic,
but otherwise I would have switched to that already.

Thanks,
-Mike Placentra II

Quote: http://msdn2.microsoft.com/en-us/library/8z9e2zxx(vs.80).aspx

ASP.NET does not verify that the current user is authorized to view
the resource that is delivered by the Transfer method. Although the
ASP.NET authorization and authentication logic runs before the
original resource handler is called, ASP.NET directly calls the
handler indicated by the Transfer method and does not rerun
authentication and authorization logic for the new resource. If the
security policy for your application requires clients to have proper
authorization to access the resource, the application should force
reauthorization or provide a custom access-control mechanism.

You can force reauthorization by using the Redirect method instead of
the Transfer method. The Redirect method performs a client-side
redirect in which the browser requests the new resource. Because this
redirect is a new request entering the system, it is subjected to all
the authentication and authorization logic of both the IIS and ASP.NET
security policy.

You can verify that the user has permission to view the resource by
incorporating a custom authorization method that uses the IsInRole
method before the application calls the Transfer method.

 

[Mike Placentra II]

Thanks, everyone, for your help.

After a few more hours I pieced together a solution though, so I'll
post it here for anyone who might come across this post in a web
search. This is what I was hoping I would be able to do something
like:

It is possible to just authenticate the request yourself. Note that
this doesn't include authorization (does not check if the user is
authorized to view the page according to web.config), it just
determines if the user is already logged in so your controls will work
properly on Server.Transfer()ed pages. In my case I just inherited the
pages from this class since they only get transferred to and are not
accessed directly, but others may want to just drop in authenticate()
and call it if needed.

========================================
Imports System.Security.Principal
Imports System.Web.Security

Public Class TransferPage : Inherits System.Web.UI.Page
Public Sub New()
MyBase.New()
AddHandler Me.PreInit, AddressOf authenticate
End Sub

Private Sub authenticate(ByVal sender As Object, ByVal e As EventArgs)
'see if there is an auth cookie
Dim authCookie As HttpCookie
authCookie =
Context.Request.Cookies(FormsAuthentication.FormsCookieName)
If authCookie Is Nothing Then Return

Dim loginInfo As FormsAuthenticationTicket = Nothing

Try : loginInfo = FormsAuthentication.Decrypt(authCookie.Value)
Catch ex As Exception : Return : End Try

If loginInfo Is Nothing Then Return

Dim id As FormsIdentity
id = New FormsIdentity(loginInfo)

Context.User = New GenericPrincipal(id, Roles.GetAllRoles)
End Sub
End Class
========================================

Also, if you are on IIS 7+, you can just use Server.TransferRequest()
instead which checks authorization for you.

-Michael Placentra II