ASP.NET formsauthentication

Status
Not open for further replies.

whosrdaddy

Vendor
Mar 11, 2003
4,231
BE
I have an MVC website that uses FormsAuthentication.
To set the Thread.CurrentPrincipal I use the PostAuthenticationRequest in Global.asax:

Code:
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
    var currentPrincipal = HttpContext.Current.User;
    // Only look up the application user for authenticated requests.
    if (currentPrincipal != null && currentPrincipal.Identity != null && currentPrincipal.Identity.IsAuthenticated)
    {
        Log.Debug("PostAuthenticateRequest");
        var authenticationService = ServiceLocator.Current.GetInstance<IAuthenticationService>();
        var userContext = ServiceLocator.Current.GetInstance<IUserContext>();
        // GetAuthenticatedUser goes through NHibernate, so this runs a lookup on every request.
        var user = authenticationService.GetAuthenticatedUser(currentPrincipal);
        userContext.SetUser(user);
    }
}

The problem I have is that this event is fired for each request, including static files like JavaScript and CSS.
GetAuthenticatedUser uses NHibernate and poses a performance hit when I have a page with many static file requests.

How can I prevent this?

I "hacked" around this problem ATM by adding these lines to the event:

Code:
var path = Request.AppRelativeCurrentExecutionFilePath;
if (path.ToUpper().StartsWith("~/CONTENT/") || path.ToUpper().StartsWith("~/SCRIPTS/"))
    return;

but I don't like this at all.

/Daddy

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 
Are you sure you want to mess with the Thread.CurrentPrincipal in ASP.NET?
IIRC, the HTTP context != a new thread, therefore changing the current thread principal could lead to some nasty cross-threading issues later on, and they won't become apparent until multiple users are accessing the system simultaneously.

The HTTP context is your context boundary in ASP.NET, not a thread. If you need to know who it is, use HttpContext.User.

2nd, what is your question? The title mentions forms authentication, then you mention data access with NHibernate. Finally we have ASP.NET events firing for static content.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
Quote:
Are you sure you want to mess with the Thread.CurrentPrincipal in ASP.NET?

mmm, will check that.

Quote:
2nd, what is your question? The title mentions forms authentication, then you mention data access with NHibernate. Finally we have ASP.NET events firing for static content.

Well, the question is: is PostAuthenticationRequest the correct place to bind the user to the current (HTTP) context, and how can I prevent this event from firing for static content?

/Daddy


-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 
I haven't used forms authentication, but I assumed that forms authentication took care of applying the user to the context for you. It's not something the developer would have to set directly.

You could try checking if the file exists before authenticating.
Code:
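// File.Exists requires: using System.IO;
var relative = Request.AppRelativeCurrentExecutionFilePath;
// Map the app-relative path to a physical path on disk.
var absolute = Server.MapPath(relative);
// A path that exists on disk is static content: skip the user lookup.
if (File.Exists(absolute)) return;

// authenticate user.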

However, if you want to authenticate that a user can perform a certain action then I would implement a filter for MVC instead of accessing the ASP.NET pipeline directly.

This would implicitly solve the static file issue as well.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
Quote:
but I assumed that forms authentication took care of applying the user to the context for you

I'm using a custom authentication scheme, not the standard from ASP.NET.

I was under the impression that if I add the following lines in web.config,
the PostAuthenticationRequest would not fire for requests to these folders.
But the event fires every time when the authentication cookie is included in the request, right?

Code:
	<location path="~/content">
		<system.web>
			<authentication mode="None" />
			<authorization>
				<allow users="*"/>
			</authorization>
		</system.web>
	</location>
	<location path="~/Scripts">
		<system.web>
			<authentication mode="None" />
			<authorization>
				<allow users="*"/>
			</authorization>
		</system.web>
	</location>

/Daddy

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 
Quote:
However, if you want to authenticate that a user can perform a certain action then I would implement a filter for MVC instead of accessing the ASP.NET pipeline directly.

In fact I use a filter.

Code:
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    base.OnActionExecuting(filterContext);
    var user = userContext.GetUser();
    // Let the action run only when a user is bound and has the required access level.
    if (user != null && user.HasAccess((int)roleId, minimumAccessLevel))
        return;
    // No user or insufficient access: redirect to the AccessDenied action.
    filterContext.Result = new RedirectToRouteResult(
        new RouteValueDictionary
        {
            {"area", "membership"},
            {"controller", "Home"},
            {"action", "AccessDenied"}
        });
}

/Daddy

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 
Jason,
if I understand you correctly, the action filter would be the correct place to bind the user to the http context?

/Daddy

-----------------------------------------------------
What You See Is What You Get
Never underestimate tha powah of tha google!
 
All you are changing is the implementation of how to validate the user, using NH instead of the default forms authentication.

With that I believe you can configure that in the web.config, swapping out the default user store for your own. Once that's done the standard forms authentication calls go into place and the principal is bound to the context like always.

Then in the filter you can determine if the user can proceed with the action.

Once that is done static files should be a non-issue. If they are, there should be a configuration setting to bypass static content.

That would be my approach to solve the problem.

Jason Meckley
Programmer

faq855-7190
faq732-7259
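
Added example, not code from any poster in this thread: one way to avoid both the per-request NHibernate lookup and the path-prefix skip is to resolve the user lazily, on the first GetUser() call of a request, and cache the result in HttpContext.Items. IAuthenticationService, IUserContext, GetAuthenticatedUser, GetUser and SetUser are taken from the snippets above; their exact signatures, the User type, the Items keys and the class name LazyUserContext are assumptions.

```csharp
using System.Security.Principal;
using System.Web;

// Shapes assumed from the thread's snippets; the real types are not shown there.
public class User { /* application user entity (assumed) */ }
public interface IAuthenticationService { User GetAuthenticatedUser(IPrincipal principal); }
public interface IUserContext { User GetUser(); void SetUser(User user); }

// Hypothetical per-request user context: the database lookup happens on the
// first GetUser() call, so requests that never ask for the user (static
// .js/.css files) cost nothing and no path-based skip list is needed.
public class LazyUserContext : IUserContext
{
    private const string UserKey = "LazyUserContext.User";         // assumed key names
    private const string ResolvedKey = "LazyUserContext.Resolved";
    private readonly IAuthenticationService authenticationService;

    public LazyUserContext(IAuthenticationService authenticationService)
    {
        this.authenticationService = authenticationService;
    }

    public User GetUser()
    {
        var context = HttpContext.Current;
        if (context == null) return null;   // not inside a request: no user

        // Already resolved for this request (a cached "no user" result counts too).
        if (context.Items.Contains(ResolvedKey)) return (User)context.Items[UserKey];

        User user = null;
        var principal = context.User;
        if (principal != null && principal.Identity != null && principal.Identity.IsAuthenticated)
            user = authenticationService.GetAuthenticatedUser(principal);

        SetUser(user);
        return user;
    }

    public void SetUser(User user)
    {
        // HttpContext.Items lives for one request only, so nothing is shared
        // between threads or users.
        var items = HttpContext.Current.Items;
        items[UserKey] = user;
        items[ResolvedKey] = true;
    }
}
```

With a class like this registered as the IUserContext implementation, the Application_PostAuthenticateRequest handler has nothing left to do, and the action filter shown earlier still redirects to AccessDenied whenever GetUser() returns null.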
 