Monday, January 17, 2011

Redirecting any unauthenticated requests to a login form located on another application

If you have configured forms authentication across multiple applications, you may want to force users to authenticate through a single sign-in form. To do so, you can implement a simple HttpModule that handles the AuthenticateRequest event and redirects to the corresponding login form.

Custom configuration section

We shall create a configuration section to store the login form URL. The configuration section in web.config should look like the following:

<RedirectToLoginConfiguration>
   <loginForm url="http://authenticationServer/login.aspx"/>
</RedirectToLoginConfiguration>

To do so, we will write two classes: one inheriting from ConfigurationSection and another inheriting from ConfigurationElement. The code for those two classes is self-explanatory (I hope):

using System.Configuration;

/// <summary>
/// This is the class that represents the web.config section for the RedirectToLogin module
/// The following is a valid configuration section:
/// <RedirectToLoginConfiguration>
/// <loginForm url="http://authenticationServer/login.aspx"/>
/// </RedirectToLoginConfiguration>
/// Notes: The name of the section is declared inside the web.config under the configSections element.
/// In the above example, I have named my section RedirectToLoginConfiguration.
/// </summary>
class RedirectToLoginConfigurationSection : ConfigurationSection
{
  [ConfigurationProperty("loginForm", IsRequired = true)]
  public LoginFormElement LoginForm { get { return (LoginFormElement)base["loginForm"]; } }
}

/// <summary>
/// This class will keep any configuration info needed by the RedirectToLogin module regarding the
/// login form.
/// </summary>
class LoginFormElement : ConfigurationElement
{
  // The url attribute must be declared as a configuration property,
  // otherwise the base["url"] lookup fails at runtime.
  [ConfigurationProperty("url", IsRequired = true)]
  public string Url { get { return (string)base["url"]; } }
}

The IHttpModule

The module will implement the IHttpModule interface and will hook into the HttpApplication’s AuthenticateRequest event.

Whenever the request is not authenticated (HttpContext.Current.Request.IsAuthenticated is false), we redirect to the configured login form URL, adding the ReturnUrl query string parameter so that the user is sent back to the current path after providing valid credentials.
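A version of such a module, written for this page as an added example (it is not the downloadable source mentioned below). The class name RedirectToLogin and the section name RedirectToLoginConfiguration come from the configuration lines on this page. Sending Request.RawUrl as the ReturnUrl value, and having the two configuration classes in the same assembly, are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web;

namespace Abot.Security
{
    // Added sketch of the module described on this page; not the author's source.
    public class RedirectToLogin : IHttpModule
    {
        private string _loginUrl;

        public void Init(HttpApplication application)
        {
            // Section name as registered under configSections in web.config.
            var section = (RedirectToLoginConfigurationSection)
                ConfigurationManager.GetSection("RedirectToLoginConfiguration");
            if (section == null)
                throw new ConfigurationErrorsException(
                    "RedirectToLoginConfiguration section is missing from web.config.");

            _loginUrl = section.LoginForm.Url;
            application.AuthenticateRequest += OnAuthenticateRequest;
        }

        private void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            if (context.Request.IsAuthenticated)
                return;

            // Assumption: return the user to the path and query they asked for.
            // UrlEncode keeps the value from adding parameters to the login URL.
            string returnUrl = HttpUtility.UrlEncode(context.Request.RawUrl);
            string separator = _loginUrl.Contains("?") ? "&" : "?";
            string target = _loginUrl + separator + "ReturnUrl=" + returnUrl;

            // endResponse: false plus CompleteRequest skips the page handler
            // without raising a ThreadAbortException.
            context.Response.Redirect(target, false);
            context.ApplicationInstance.CompleteRequest();
        }

        public void Dispose() { }
    }
}
```

ReturnUrl reaches the login form as a value the client can change, so the login application should validate it before redirecting and only send users to the applications it expects.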

You may download the commented source code for this module and its configuration classes from the following link:

Note that I have used the #if DEBUG directive to provide logging when the DLL is built in the debug configuration. The logging mechanism is really simple and is not recommended (I could even characterize it as a very bad practice). If you want to implement robust logging, check out this blog post by ScottGu.

Setting up the applications

You must have at least one application with a login form that handles the authentication.

In the rest of the applications, set up the configuration section in the web.config file by adding the following line to the configuration\configSections section:

<section name="RedirectToLoginConfiguration" type="Abot.Security.RedirectToLoginConfigurationSection,Abot.Security, Version=, Culture=neutral, PublicKeyToken=69e32cb50fe06fd0"/>

Then add the configured section under the configuration node:

<RedirectToLoginConfiguration>
    <loginForm url="http://authenticationServer/login.aspx"/>
</RedirectToLoginConfiguration>

Finally, enable the HTTP module by adding the following line to the system.web\httpModules section:

<add name="RedirectToLoginScreen" type="Abot.Security.RedirectToLogin,Abot.Security, Version=, Culture=neutral, PublicKeyToken=69e32cb50fe06fd0"/>
