Our organization has a central solution for forms authentication. I am trying to implement an ASP.Net MVC app that uses this external URL - and it worked till RC1 was released...

Here's what's happening

In an ActionAttribute Extension

I check for a session var; if not found, check for a request data chunk; if found, set the session var; if not found, redirect to the external URL; if found, continue.

The trouble is that till I updated to RC1, this worked. Since then, so many requests are being sent to the external URL that it detects a DoS attack and shuts me out!

I removed the redirection code and replaced it with the web.config changes for Forms Auth - and the same thing happened...

A: 

Why not use Microsoft Geneva instead of attempting to roll your own authentication provider?

Craig Stuntz
because it is out of my hands - when I run my own company, I will have that option; unfortunately, as a good corporate citizen I need to use what already exists and is used by all other applications in the org... Do you have any real answers?
I don't think you've really considered what I said, if you don't consider it a "real answer." Geneva does what you want.
Craig Stuntz
Downloaded Geneva white paper. Read it. Requires server side change = Out of my hands. Not a real solution in this case. Not trying to hurt your ego or anything, but I need a client side solution without changing the architecture completely... Thanks!
A: 

CODE:

using System.Web.Mvc;
using System.Web.Security;

// Authenticator, MyUser and AuthenticatedUser are the organisation's own
// authentication library types, not part of ASP.NET MVC.
public class MyAuthenticate : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext.HttpContext.Session["user"] == null)
        {
            using (Authenticator dp = new Authenticator())
            {
                MyUser mu;
                string data = string.Empty;
                try
                {
                    // Token handed back by the external sign-on page
                    data = filterContext.HttpContext.Request["Data"];
                }
                catch { }

                if (!string.IsNullOrEmpty(data))
                {
                    mu = dp.Redeem(data);
                    if (mu.authenticated)
                    {
                        filterContext.HttpContext.Session.Clear();
                        AuthenticatedUser user = new AuthenticatedUser(mu);
                        filterContext.HttpContext.Session.Add("user", user);
                        FormsAuthentication.SetAuthCookie(user.UserId, false);
                    }
                    else
                    {
                        // Assigning Result short-circuits the action; a bare
                        // Response.Redirect would otherwise let the action run.
                        filterContext.Result = new RedirectResult("MY EXTERNAL URL GOES HERE!!");
                        return;
                    }
                }
                else
                {
                    filterContext.Result = new RedirectResult("MY EXTERNAL URL GOES HERE!!");
                    return;
                }
            }
        }
        base.OnActionExecuting(filterContext);
    }
}
It doesn't matter if I use this code or just set the Forms auth in the web config with an external URL - the same behavior is observed - I keep getting several hits to the external URL (more than 30/sec).
A: 

I resolved this issue by creating a static dictionary of requesting IPs, and dropping duplicate requests from the same IP. Not a very nice solution - so if anyone figures out a better solution - let me know.

As it turns out, the issue was with the fact that validation, depending on the content of the token, got rid of it - without any exception being thrown.... :(
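The loop guard the last answer describes, as an added example rather than the poster's code or the organisation's library: instead of a static dictionary of IPs (which never shrinks and lumps together everyone behind one proxy), it counts redirects per session so a lost token degrades to a local error page instead of a flood against the provider. The class name, session keys, the limit of three and the URL placeholder are assumptions; the token-redemption step from the poster's filter is left as a comment.

```csharp
using System;
using System.Web.Mvc;

// Added example, not the poster's code: caps how many times one session is
// bounced to the external sign-on URL so a failed token hand-off cannot
// become an endless redirect loop.
public class GuardedExternalAuthAttribute : ActionFilterAttribute
{
    private const string ExternalLoginUrl = "MY EXTERNAL URL GOES HERE!!"; // placeholder, as on the page
    private const string CounterKey = "extauth.redirects";                 // assumed session key
    private const int MaxRedirects = 3;                                    // assumed limit

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var session = filterContext.HttpContext.Session;
        if (session["user"] != null)
        {
            base.OnActionExecuting(filterContext);
            return;
        }

        // The poster's Authenticator.Redeem(Request["Data"]) step belongs here:
        // on success store the user, remove CounterKey, and return.

        // Count redirects in this session. Writing to the session also makes
        // ASP.NET issue the session cookie, so the count survives the round
        // trip to the provider.
        int redirects = session[CounterKey] is int ? (int)session[CounterKey] : 0;
        redirects++;
        session[CounterKey] = redirects;

        if (redirects > MaxRedirects)
        {
            // Loop detected: fail locally instead of hammering the provider,
            // and leave the counter in place so the loop cannot restart.
            filterContext.HttpContext.Response.StatusCode = 403;
            filterContext.Result = new ContentResult
            {
                Content = "Sign-on failed: the authentication token was not received."
            };
            return;
        }

        // Assigning Result short-circuits the action; Response.Redirect alone does not.
        filterContext.Result = new RedirectResult(ExternalLoginUrl);
    }
}
```

A session that never sends cookies back (cookies blocked, or a cookieless provider) would still loop, so the 403 branch is the place to log the client address for the operator to spot that case.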