IanG on Tap

Ian Griffiths in Weblog Form (RSS 2.0)

Blog Navigation

April (2018)

(1 item)

August (2014)

(1 item)

July (2014)

(5 items)

April (2014)

(1 item)

March (2014)

(1 item)

January (2014)

(2 items)

November (2013)

(2 items)

July (2013)

(4 items)

April (2013)

(1 item)

February (2013)

(6 items)

September (2011)

(2 items)

November (2010)

(4 items)

September (2010)

(1 item)

August (2010)

(4 items)

July (2010)

(2 items)

September (2009)

(1 item)

June (2009)

(1 item)

April (2009)

(1 item)

November (2008)

(1 item)

October (2008)

(1 item)

September (2008)

(1 item)

July (2008)

(1 item)

June (2008)

(1 item)

May (2008)

(2 items)

April (2008)

(2 items)

March (2008)

(5 items)

January (2008)

(3 items)

December (2007)

(1 item)

November (2007)

(1 item)

October (2007)

(1 item)

September (2007)

(3 items)

August (2007)

(1 item)

July (2007)

(1 item)

June (2007)

(2 items)

May (2007)

(8 items)

April (2007)

(2 items)

March (2007)

(7 items)

February (2007)

(2 items)

January (2007)

(2 items)

November (2006)

(1 item)

October (2006)

(2 items)

September (2006)

(1 item)

June (2006)

(2 items)

May (2006)

(4 items)

April (2006)

(1 item)

March (2006)

(5 items)

January (2006)

(1 item)

December (2005)

(3 items)

November (2005)

(2 items)

October (2005)

(2 items)

September (2005)

(8 items)

August (2005)

(7 items)

June (2005)

(3 items)

May (2005)

(7 items)

April (2005)

(6 items)

March (2005)

(1 item)

February (2005)

(2 items)

January (2005)

(5 items)

December (2004)

(5 items)

November (2004)

(7 items)

October (2004)

(3 items)

September (2004)

(7 items)

August (2004)

(16 items)

July (2004)

(10 items)

June (2004)

(27 items)

May (2004)

(15 items)

April (2004)

(15 items)

March (2004)

(13 items)

February (2004)

(16 items)

January (2004)

(15 items)

Blog Home

RSS 2.0

Writing

Programming C# 5.0

Programming WPF

Other Sites

Interact Software

More URL Rewriting

Wednesday 14 January, 2004, 07:05 PM

It seems I spoke to soon when I said that putting your URL rewriting in the AuthorizeRequest event handler would allow ASP.NET's UrlAuthorization to work. This turns out to be only partly true because of a strange quirk in the way ASP.NET handles configuration files.

If you add an entry to your config file of this form:

<location path="/protected">
    <system.web>
        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
</location>

it will behave as expected: users must be authenticated in order to access URLs of the form /protected/*. However, if you add something like this:

<location path="/xx/alsoprotected">
    <system.web>
        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
</location>

you might reasonably expect, say, /xx/alsoprotected/foo.aspx to require authentication, but /xx/notprotected/bar.aspx not to require authentication (assuming that there aren't any other configuration entries around that protect /xx/notprotected).

And if you're using a normal physical layout for your web site, you'd be right. However, if you're using URL rewriting and you don't actually have a physical xx directory on disk, this won't work. If that directory isn't there, then ASP.NET doesn't recognise the <location path="/xx/alsoprotected"> as applying to the URL /xx/alsoprotected/foo.aspx. In fact as far as I can tell it will never pay any attention to the contents of that particular location element.

Note that it is sufficient just to create the xx directory in order to fix this. (It's not necessary to have the xx/alsoprotected directory.) In other words, as long as a physical directory exists for a particular path, location elements for any paths one level below this will be honoured, but not for paths more than one level below.

This feels like a bug to me. What business does a 'URL' authorization module have requiring me to have my physical directory structure bear a partial resemblance to my logical URL structure? (The fact that it only requires some of the physical directory structure to be presence seems to indicate a certain lack of conceptual integrity to the behaviour. This reinforces my feeling that this is a bug.)

Just One More Thing

On a related note, Keith Brown pointed out another potentially undesirable feature of rewriting the URLs in the AuthorizeRequest event. He points out that this will render the FileAuthorization module useless. For my particular application this is not a problem, as I have no use for the FileAuthorization module in my application. But if you were using a URL rewriting scheme simply to tidy up your URLs, but still mapping down to one physical file for each distinct URL, you might want to apply file authorization. That's should be much easier to fix than the problem described above: just move the rewrite to the AuthenticateRequest event.

Copyright © 2002-2013, Interact Software Ltd. Content by Ian Griffiths. Please direct all Web site inquiries to webmaster@interact-sw.co.uk