All posts by ajohnson

ASP.NET HttpModule Security Example

I wrote a short bit about HttpHandlers and HttpModules a couple weeks ago and recently had decided to use an HttpModule to function as a security gateway for specific parts of the application I’m developing.

If you have any experience with ASP.NET, you’ll wonder why I didn’t just use the declarative Forms security. The one shortcoming that I could see of Forms security is that it requires that you only have one form for your application. For example, in your web.config, you’d have something like this:

<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="/login.aspx" />
</authentication>
<authorization>
  <allow users="*"/>
</authorization>

and then users that access any directory you protected using the <location path=”administrators”> syntax would be redirected to the /login.aspx script. If you have two different types of users though, each requiring a different login page, you’re stuck. The web.config XML schema only allows you to have one <forms> element per application. I could have split up the applications in IIS, but then I’d have to replicate application settings and libraries to each application’s bin directory. So, long story short, I wrote a short bit of code that authenticates and authorizes users in the Application BeginRequest event. Pseudo code looks like this:

public class SecurityHttpModule : IHttpModule {
// implemented per the interface
public String ModuleName {
   get { return "SecurityHttpModule"; }
}   
// register for the HttpApplication BeginRequest event
public void Init(HttpApplication application) {
   application.BeginRequest += (new EventHandler(this.Application_BeginRequest));
}
// handle the begin request event
private void Application_BeginRequest(Object source, EventArgs e) {
   HttpApplication application = (HttpApplication)source;
   HttpContext context = application.Context;
   // get the user, populate the Thread.CurrentUser...
   HttpCookie cookie = context.Request.Cookies.Get(".ASPXAUTH");
   if (peanutButterCookie != null) {
      FormsAuthenticationTicket fat = FormsAuthentication.Decrypt(cookie.Value);
      // get the user & the roles that this user is in using your own logic
      string[] roles = User.Roles;
      GenericIdentity identity = new GenericIdentity(fat.Name);
      GenericPrincipal principal = new GenericPrincipal(identity, roles);
      context.User = principal;
   }
   // find out if the section we're viewing is meant to be secure
   // pessimistic: default to forcing a login
   Boolean forceLogin = true;
   // if the section has security and we're not on the login form for this section
   if (s.isSecure() && thisSection.LoginForm != scriptName) {
      // groups allowed in this section
      ArrayList groups = s.GroupsAllowed();
      // loop over all allowed groups, see if this user is in one of those groups
      for (int x=0; x
I left out some of the implementation as well as the import statements, so this obviously won't compile if you drop it into your favorite IDE. Couple things to note in this example:

a) the use of GenericPrincipal and GenericIdentity. GenericIdentity is a concrete implementation of the IIdentity interface, that allows you to specify information about the current user. GenericPrincipal is a concrete implementation of the IPrincipal interface, it contains a reference to the GenericIdentity as well as an array of roles that the current user is in, as well as a method to determine is a user is in a specific role. You can choose to use the concrete implementations (like I did in the example above) or you can choose to create your own implementations of those interfaces, adding your own custom properties and methods to your users identities & roles.

b) the HttpContext, which maintains a reference to the current User, which contains the IsInRole() method. Every ASP.NET page can access information about the currently logged in user and what roles this user has.

c) the use of the utility class FormsAuthenticationTicket, which provides the means of creating and reading the values of a forms authentication cookie.

Just for kicks, how does this compare to ColdFusion? In ColdFusion MX (previous versions of CF used SiteMinder, which gives me the shivers), the <cflogin> tag provides similar functionality to the GenericPrincipal and GenericIdentity classes. which you can then use with the IsUserInRole() and getAuthUser() functions. Out of the box it's probably easier to use, but it (in my humble opinion) sacrifices ease of use for extensibility. You can't add additional properties or methods to the logged in user (for instance a last name or a method that returned how long the user has been logged in). Correct me if I'm wrong!

Eclipse Keyboard Shortcuts

I hate my mouse, I love ALT-TAB in Windows, Homesite gives you CTRL-TAB to effectively switch between open files but I couldn’t figure out a way to the do the same thing in Eclipse. Turns out Eclipse functions more like IE in that each file you view becomes part of your viewing ‘history’. To switch between files, you can use ALT-LEFT ARROW or ALT-RIGHT ARROW just like you can in Internet Explorer to go BACK and FORWARD. Nifty.

Eclipse Local History

Say you just modified a file in Eclipse and you want to roll back to the version you had about 5 minutes ago. With a normal IDE, if you’ve had the file checked out from SourceSafe or CVS without checking it back in you won’t be able to see your changes. Eclipse however, maintains it’s own little history of your changes, which you can see in the screenshot to the left (click it to see the large version). To get this ‘local history’, right click on the file in question, choose “Compare With” and choose “Local History”. Very very cool.

You can read more about Local History here if you’re so inclined.

Migrating from ColdFusion to ASP.NET

Microsoft has put together an extensive article for developers migrating from CFMX to ASP.NET, including a pretty fair feature comparison chart. Probably the most obvious thing that the feature comparison table lacks is the mention of the close integration of Java with CFMX, in fact it says this:

It can also access Java class libraries with some extra work.

which is true and false… it requires extra work in the same way that it requires extra work to compile a C# file to an assembly, place the assembly in the /bin/ folder of the application and then import that assemblies namespace into an ASP.NET page.

Nonetheless, check it out if you have worked with CFMX before and are just getting started with ASP.NET.

JXTA update from James Todd

James Todd, who works on the JXTA engineering team at Sun, blogged about the JXTA roundtable held just recently in San Francisco. Some interesting projects are going on in the JXTA community:

P2PSockets: “The Peer-to-Peer Sockets Project reimplements Java’s standard Socket, ServerSocket, and InetAddress classes to work on a peer-to-peer network rather than on the standard TCP/IP network.” — This project is especially interesting in light of the things that Verisign is doing. P2PSockets could potentially be used to create an alternative peer-to-peer domain name system (which would probably have a host of it’s own problems.)

Paperairplane: “… a Mozilla plugin that empowers people to easily create collaborative communities without setting up servers or spending money. It does this by integrating a web server into the browser itself, including tools to create collaborative online communities that are stored on the machine. Web sites are stored locally on a user’s machine. A peer-to-peer network is created between all of the Paper Airplane nodes that are running in order to resolve domain names, reach normally unreachable peers due to firewalls or NAT devices, and to replicate content.

JNGI [pdf]: “The JNGI project is a framework for distributing applications among JXTA peer groups by implementing a classic Worker/Task pattern.

ASP.NET Request Validation – Preventing Script Attacks

Yesterday I was working with self posting form that contained html characters as of a content management implementation using ASP.NET and I came across an error message I’d not seen from any application server. It said:

“A potentially dangerous Request.Form value was detected from the client..”

In short, as of ASP.NET 1.1, Microsoft is by default not allowing clients to post client script code or HTML to a form. As a developer, you have to either explicitly allow it for a page by including this:

<%@ Page validateRequest=”false” %>

in your ASP.NET page or by turning it off sitewide in the web.config file:

<configuration>
  <system.web>
    <pages validateRequest=”false” />
  </system.web>
</configuration>

Automatic request validation, in my humble opinion, is pretty nice. Way to go Microsoft. You can read more about this feature on the official ASP.NET site.