So, I have web apps with web.configs like so:
<authorization>
<deny users="?"/>
</authorization>
...
<location path="SomeUnsecuredPage.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
In other words, most pages require authentication and authorization, but some don't.
Then I have an IHttpModule that will be used by all the different applications. All I want to do is check if the current request is "secured" at all. If the page doesn't require authorization I don't want my IHttpModule to do anything at all. I am using FormsAuthentication and I assume that FormsAuthentication already has all of this information cached somewhere, doesn't it? Also, since this check will be running constantly so it has to be very quick.
I am currently subscribing to the HttpApplication.AuthorizeRequest, but surprisingly this event fires even for resources that allow anonymous access.
Any ideas? Thanks for reading!
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…