Added an AuthorizeImage event handler for image access restriction. Noticed the following when I was trying to check the user's name and authentication status:

The code below does not result in an exception, but seems to break it. The default icon for image not found is displayed whether authenticated or not. Tested this.User = same result. HttpContext.Current.User = same result.

Config.Current.Pipeline.AuthorizeImage += delegate(IHttpModule sender, HttpContext context, IUrlAuthorizationEventArgs e)
{
    if (context.User.Identity.IsAuthenticated) { context.Response.Redirect("http://db2.stb00.s-msn.com/i/AF/263B63C5E656379CEE93E7A8692EC7.gif"); }    
};

The code below works just fine (this.User and HttpContext.Current.User as well):

Config.Current.Pipeline.AuthorizeImage += delegate(IHttpModule sender, HttpContext context, IUrlAuthorizationEventArgs e)
{
    context.Response.Redirect("http://db2.stb00.s-msn.com/i/AF/263B63C5E656379CEE93E7A8692EC7.gif"); 
};

This always redirects:

Config.Current.Pipeline.AuthorizeImage += delegate(IHttpModule sender, HttpContext context, IUrlAuthorizationEventArgs e)
{
    if (context.User == null)
        context.Response.Redirect("http://db2.stb00.s-msn.com/i/AF/263B63C5E656379CEE93E7A8692EC7.gif");
};

I started testing in Application_Start but actually tried Application_PostAuthenticateRequest as well, though the results were the same. I'm authenticating via custom code but using standard forms authentication to set the cookie. [Authorize] works fine in the application. Any suggestions as to what could have gone wrong here?

Base
  • Please, if you're getting the 'not found' icon for an image, open the URL directly and get the actual error message. – Lilith River Jul 30 '12 at 22:46
  • Sorry, should have added that. I only get a NullReferenceException, "Object reference not set to an instance of an object.", marking the row containing "if (context.User.Identity.IsAuthenticated) { context.Response.Redirect("http://db2.stb00.s-msn.com/i/AF/263B63C5E656379CEE93E7A8692EC7.gif"); } ". So context.User isn't instantiated, it seems. The question is why. Since authentication works in other aspects (and @User.Identity.Name in the view gives me the username), I'm suspecting something related to the event handler? – Base Jul 30 '12 at 22:57
  • ASP.NET doesn't populate context.User for anonymous users. If you're not anonymous, then your code isn't loading User prior to PostAuthorize, which is a bug. – Lilith River Jul 30 '12 at 23:04
  • "then your code isn't loading User prior to PostAuthorize" Bit of a bummer since I'm using standard forms authentication. The only line of forms auth I have is actually "FormsAuthentication.SetAuthCookie(UserName, RememberMe);" at this stage. – Base Jul 30 '12 at 23:13
  • I searched around a bit and saw a discussion regarding changes in IIS7 and integrated app pools in regard to a global.asax problem. Anyway, it gave me the idea to switch web server. I'm sitting on VS 2012 RC, so I switched from IIS Express to Visual Studio Dev Server and now it works fine. A bit strange. – Base Jul 30 '12 at 23:23
  • Tried switching back and forth to be sure the problem persists, but it keeps working fine in VS Dev Server and not at all in IIS Express. – Base Jul 30 '12 at 23:26
  • I pinpointed the problem. In IIS Express (no matter integrated or classic mode) using .jpg.ashx?width=100 works. But .jpg?width=100 returns an empty user.identity. Could this be an ImageResizer bug or perhaps an IIS Express issue? Strange thing is that, as I said before, it works in VS Dev Server. Haven't tried running it on the server yet. – Base Jul 31 '12 at 08:42

1 Answer

Your server is configured to only run the FormsAuthenticationModule for certain request extensions, such as .aspx, .ashx, etc. There are two ways to solve this.

  1. Remove and re-add the FormsAuthenticationModule in <system.webServer> <modules> (for Integrated Mode), dropping the preCondition="managedHandler" attribute.
  2. Enable RAMMFAR (runAllManagedModulesForAllRequests).

This post contains more details about implementing #1 and #2:

How do I protect static files with ASP.NET form authentication on IIS 7.5?

Lilith River
  • Solution 1 is the way to go, if possible. See [Scott Hanselman's blog post](http://www.hanselman.com/blog/BackToBasicsDynamicImageGenerationASPNETControllersRoutingIHttpHandlersAndRunAllManagedModulesForAllRequests.aspx) for more info on RAMMFAR, and why to avoid it. – Dave T. Aug 23 '13 at 13:44
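
The two options from the answer above, written out as a web.config fragment. This is an added example, not part of the original answer; it assumes IIS 7+ Integrated Mode and the default module registration name `FormsAuthentication`.

```xml
<!-- Application web.config (added example, not from the original answer). -->
<configuration>
  <system.webServer>

    <!-- Option 1: re-register forms authentication without a preCondition.
         The server-level default registers this module with
         preCondition="managedHandler", so it only runs for requests mapped
         to a managed handler (.aspx, .ashx, ...). A request for
         photo.jpg?width=100 never reaches it, the auth cookie is never
         read, and context.User is null inside the AuthorizeImage handler.
         Without the preCondition the module runs for every request. -->
    <modules>
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
    </modules>

    <!-- Option 2: RAMMFAR. Ignores the managedHandler preCondition on ALL
         managed modules, so every managed module runs for every static
         file request as well. Use this in place of the modules element
         above, not alongside it.

    <modules runAllManagedModulesForAllRequests="true" />
    -->

  </system.webServer>
</configuration>
```

After either change, request an image URL without the .ashx suffix while logged in and while logged out, and confirm the AuthorizeImage handler sees the expected identity in both cases before relying on it for access control.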