Url Rewriting with Forms Authentication

L

Lee

Hi all ;)


Preamble
--------
I'm using URL rewriting to enforce a frames policy (yeah, I know frames
are 'bad' :) - i.e. if a request comes in for a page which should be
nested within a frameset, the url is rewritten to something of the form
'http://www.blah.com/framesdoc.aspx?lowerFrame=/page.aspx', the
'framesdoc' page then dynamically generates the src attribute for the
frame appropriately to load the content specified in the 'lowerFrame'
query var.

As mentioned in Scott Mitchell's article (1), if using Forms
Authentication, the rewriting should take place in response to the
AuthorizeRequest event, to prevent the FormsAuthenticationModule using
the rewritten url as a return url from the login page.

At first read, the article seemed to imply that FormsAuthentication will
still function to restrict access to pages specified within the rewritten
url.

Of course, after a little more thought, it seems clear that there's no
way this could work, the FormsAuthenticationModule has already missed its
opportunity by the time the url is rewritten.

Question
--------
So, what I'm seeking is some work-around which will allow me to use url
rewriting on a site which makes selective use of FormsAuthentication
(e.g. a '/Secure' folder is restricted to authenticated users.)

I first thought of rewriting the url in response to BeginRequest rather
than AuthorizeRequest so that a redirect-to-login-page will occur if
needed and then somehow communicating the original, pre-rewritten url to
the login page, so that the url can once again be rewritten to overwrite
the 'ReturnUrl=...' portion. The question then becomes 'how do I
communicate the pre-rewritten url to the login page?' as there's no
session state at that point (is there?) and I understand it's
unacceptable to update objects in the Application cache from multiple
threads.

My next idea was that I might be able to use the location element within
web.config to specify that certain paths matching pre-rewritten URLs are
restricted, no luck there though.

Any ideas on how to solve this?

Any other comments would be appreciated as I've hit a point in the
application where I really need url rewriting *and* forms authentication
but am unable to progress.



Kind regards,
Lee.


--
References:

1) Scott Mitchell's article 'URL Rewriting in ASP.NET' :

http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/dnaspp/html/urlrewriting.asp
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads


Members online

Forum statistics

Threads
473,968
Messages
2,570,150
Members
46,696
Latest member
BarbraOLog

Latest Threads

Top