tags:

views:

26

answers:

2
+3  Q: 

Application_OnAuthenticateRequest executes for image requests

I'm using Application_OnAuthenticateRequest in Global.asax to assign a custom principal to HttpContext.Current.User and System.Threading.Thread.CurrentPrincipal.
In testing, I noticed that this code executes multiple times for a single page request. By looking at the HttpContext.Current.Request.Url I determined that this code is executing for each call to a JavaScript file, Image, and CSS file. All of these resources are stored in a single subfolder called "Content". So, I'm able to prevent multiple executions of my custom principal by checking to see if "Content" is part of HttpContext.Current.Request.Url like so:

protected void Application_OnAuthenticateRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.Request.Url.AbsoluteUri.Contains("/Content"))
        return;

    if (Context.User != null)
    {
        if (Context.User.Identity.IsAuthenticated)
        {
            var userRepository = ObjectFactory.GetInstance<IUserRepository>();

            var prospectorUser = userRepository.GetByUserName(Context.User.Identity.Name);

            if (prospectorUser == null)
            {
                throw new ApplicationException("Context.User.Identity.Name is not a recognised user.");
            }

            var principal = new ExtendedWindowsPrincipal(HttpContext.Current.User.Identity, prospectorUser);

            // Attach the new principal object to the current HttpContext object
            HttpContext.Current.User = principal;
            // Make sure the Principal's are in sync
            System.Threading.Thread.CurrentPrincipal = HttpContext.Current.User;
            return;
        }
    }
}

My fix seems kludgy. Is there a better way to trap requests for "Content" items and prevent my custom code for my principal from firing for every request?

A: 

The simple answer is the modify your web.config to make the 'Content' folder anonymously accessible:

<location path="Content">
    <system.web>
        <authorization>
            <allow users ="*" />
        </authorization>
    </system.web>
</location>
Scrappydog  2010-08-23 18:29:28
I thought this too initially, but my hunch is that AuthenticateRequest is still going to fire, and hence execute his kludge. Would love some confirmation on that though.
womp  2010-08-23 18:34:57
Should only take a minute to test...
Scrappydog  2010-08-23 18:40:11
I commented out my check for "Content" in Application_OnAuthenticateRequest then added the <location>..</location> to my web.config and it did not make a difference. My principal code would fire for all content related requests.
Tom Schreck  2010-08-23 19:11:59
A: 

The AuthenticateRequest event occurs pretty high up in the HTTP pipeline. If you want to bypass it in certain cases for your application, you'll probably need to write an HttpModule that is registered to handle a given path.

Take a look at Figure 9, 10 and 11 in the article below. You should be able to follow it to build a custom module to handle requests to the Content path, and bypass all the regular event processing.

Securely Implement Request Processing, Filtering, and Content Redirection with HTTP Pipelines in ASP.NET

womp  2010-08-23 18:32:19
My initial attempt at this approach ended up preventing the resources in the Content folder from being downloaded to client. So, no images, CSS, scripts, etc. I created a httpModule which intercepts requests. If the request contained "content" in uri, then I completed request and set the response code to 200, but none of the resources are being sent to client.
Tom Schreck  2010-08-23 19:37:38
You probably can't just complete the request - you'll still need to pass the request off to an IHttpHandler that will send the content, or manually send the file yourself.
womp  2010-08-23 20:37:15

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps