A few thoughts about Forms Authentication in ASP.NET

December 03, 2005 @ 3:23 pm

Over the last couple of days I’ve been getting a couple of questions regarding Authentication in the West Wind West Wind Web Store application for the access to the Admin section of the store. In the store I have an admin directory set up that by default is secured with Windows authentication.

Whenever I can in my own applications I try to use Windows Auth because frankly it’s an easy way for admin functionality to be accessed. It’s easy to deal with assignment of rights and you get a lot of control over which resources you protected. That works fine if you have an internal app or an app with a few administrators. My philosophy here is simply this: If you need to set and manage a few users independently of your application then you might as well use Windows for this because it provides an easy and most flexible way to provide access to your application. I realize this is not always possible due to IT or ISP policies, but when it is easily the most painless solution I can think of...

Contrast this with Forms Authentication in ASP.NET which for many seems to be the answer to all security questions <g>. But I have a number of issues with Forms Authentication that have made me reluctant to use them:

Lack of granularity
You assign Forms Authentication on a per directory level and you can’t control access on a file level with it. It's an all or nothing approach.
Protects only ASP.NET resources
Forms Auth only works against ASP.NET managed resources – basically anything that is mapped back to the ASP.NET ISAPI extension via script map. So any static content you might have in a directory is not protected. If you have things like static XML files, config files of your own, logs etc that all may go unprotected unless you map those extensions to an ASP.NET handler (like the ForbiddenHandler).
Doesn’t work with Web Services or other low level HTTP clients
You can’t use Forms Authentication with Web Services because Forms Authentication basically is a custom HTML based security implementation. There’s no protocol that can be navigated for an HTTP handler so if you want a Web Service secured that’s a no go.

Forms Auth seems like a great solution for Intranet applications or applications that have fairly simple needs for locking down sections of an application, but for me at least I see these limitations as not worth the ‘built-in’ benefit that they provide.

What would be really useful for #3 is that Forms Auth could automatically implement Basic Authentication under the covers – not Windows based Basic Auth but custom Basic Auth that validates against your own data. If you turn off Basic Auth on the Web Server Basic Auth requests are forwarded directly to ASP.NET and the Basic Auth protocol is fairly trivial to implement and Browsers already know how to display these dialogs. The advantage is that you could remove the login dialog page and get the stock login dialog instead in the browser or allow navigation with any kind of HTTP client including non-visual ones like HttpWebRequest or a Web Service client.

I've done this before with a custom module, but it'd be really nice if Forms Auth would support that directly.

So what do I normally do? I find that in most of my applications, Forms Auth is just not a good fit. Either the apps are small enough that Windows Auth works fine in the situations where I would possibly use Forms auth (namely directory based access control – which is all that Forms auth can offer). Or if it’s application centric, I end up with a custom scheme of users that is usually tied to some business entity like a Customer object etc. Interestingly enough ASP.NET 2.0 introduces the new MemberShip Provider interface and while that makes perfect sense if you have an app that just needs security that’s independent of the actual business operation, for most real-life apps it strikes me that you’ll rarely have *just* a user file that needs to be managed. Usually it’s an entire profile or customer, or other entity that’s tied in with the login and there’s little need to separate out that information into a separate provider.

Anyway, the issue that a couple of people have been having has been that Windows Auth just was not an option for them as the ISP they were hosting with was not allowing access through Windows Auth (hmmm…). So as a quick fix I thought that Forms Auth as a quick and dirty replacement for the directory level admin lockdown is probably the easiest solution to this request.

It’s been a long while since I used Forms Authentication so I quickly sat down and hooked up a Forms Auth interface for the store, which is easy enough to do. It worked if I use custom authentication (ie. call my own login code).

But for some reason I couldn’t get Authentication to work against key value pairs in Web.config:

<system.web>
<authentication mode="Forms">

<forms loginUrl="login.aspx" timeout="20" >

<credentials>

<user name="rstrahl" password="secret" />

<user name="rick" password="secret" />

</credentials>

</forms>

</authentication>

</system.web>

and then applying the Forms Auth in the admin path:

<location path="admin">

<system.web>

<identity impersonate="false"/>

<authorization>

<deny users="?" />

<allow users="rstrahl,rick" />

</authorization>

</system.web>

</location>

The Login.aspx fires just fine when I try to access the Admin path. The login page comes up and I grab the username and password but:

protected void btnSubmit_Click(object sender, EventArgs e)

{

// *** Do custom validation

// if (this.LoginUser(this.txtUsername.Text, this.txtPassword.Text))

// *** Use Web.Config users

if (FormsAuthentication.Authenticate(this.txtUsername.Text, this.txtPassword.Text))

{

FormsAuthentication.RedirectFromLoginPage(this.txtUsername.Text, false);

}

this.ErrorDisplay.ShowError("Invalid user name or password.");

}

The FormsAuthentication.Authenticate() does not return true for a valid username password combo. This is ASP.NET 2.0 and I’m stumped. It almost looks like ASP.NET is not looking at the Credentials values at all. Am I missing some new flag that needs to be set or something?

Feedback for this Weblog Entry

re: A few thoughts about Forms Authentication in ASP.NET
by dominick December 03, 2005 @ 8:39 pm

Hi,

i tries to repro - but it works for me.

Your <authorization> element is also maybe not what you want -

you are saying: allow rick, rstrahl and deny anonymous - AND allow everyone... (as long as you only have rick and rstrahl as users this might be OK - if you add alice she will be allowed access too)

my web.config looks like this:

<authentication mode="Forms">
<forms>
<credentials passwordFormat="Clear">
<user name="dom" password="secret" />
<user name="alice" password="secret" />
</credentials>
</forms>

...

<location path="Admin">
<system.web>
<authorization>
<allow users="dom" />
<deny users="*" />
</authorization>
</system.web>
</location>

and login.aspx:

protected void _login_Authenticate(object sender, AuthenticateEventArgs e)
{
if (FormsAuthentication.Authenticate
(_login.UserName, _login.Password))
e.Authenticated = true;
else
e.Authenticated = false;
}

besides the authZ element - no substantial difference...
</configuration>

re: A few thoughts about Forms Authentication in ASP.NET
by Rick Strahl December 03, 2005 @ 11:08 pm

I actually tried a bunch of combinations, but none of them seem to work. I think the Authorization is actually OK because I am getting the auth form in the right place. It's validation (matching usernames) that seems to fail somehow. Just to be sure I used your order of the allow and deny lists flipped and that has the same result.

Oh, duh!!!! I added passwordFormat="Clear" and it started working. Apparently the default has changed here - it musta been one of the encrypted settings... Damn it's not documented either in Authenticate at least.

Thanks,

+++ Rick ---

re: A few thoughts about Forms Authentication in ASP.NET
by dominick December 04, 2005 @ 3:29 am

Yeah, the default format is SHA1 - as documented in reflector :)

[ConfigurationProperty("passwordFormat", DefaultValue=1)]

but still the you have to change the <authorization> section to work properly in the sense of "secure"...

cheers
dominick

re: A few thoughts about Forms Authentication in ASP.NET
by Robin Curry December 04, 2005 @ 8:00 pm

Hey Rick,
As far as #1 goes, I've used forms authentication with file granularity before using something like this:

<location path="SecuredPage.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>

Unfortunately you need a separate location section for each file - so if you have quite a few files it's often just easier to group files with similar security into directories and secure it that way, but file granularity is doable.

Enjoy your blog! Keep up the good work!

Thanks,
Robin

re: A few thoughts about Forms Authentication in ASP.NET
by Abdu December 05, 2005 @ 1:52 pm

Check out IISPassword from http://www.troxo.com. It's a free ISAPi filter and it uses Apache's like .htaccess and a command line interface if you want want to interface to it (not ideal solution but better than nothing).

If your customers use your software on shared hosting companies, Windows authentication is a serious limitation because many ISPs don't allow custom users in their systems (including myself)

Abdu

DotNetSlackers: A few thoughts about Forms Authentication in ASP.NET
by DotNetSlackers Latest ASP.NET News December 18, 2006 @ 3:27 am