UrlAuthorizationModule.cs source code in C# .NET

Source code for the .NET framework in C#

                        
Code:

                         / 4.0 / 4.0 / DEVDIV_TFS / Dev10 / Releases / RTMRel / ndp / fx / src / xsp / System / Web / Security / UrlAuthorizationModule.cs / 1305376 / UrlAuthorizationModule.cs
                        

                        
                            //------------------------------------------------------------------------------ 
// 
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// 
//----------------------------------------------------------------------------- 

/* 
 * UrlAuthorizationModule class 
 *
 * Copyright (c) 1999 Microsoft Corporation 
 */

namespace System.Web.Security {
    using System.Runtime.Serialization; 
    using System.Web;
    using System.Web.Util; 
    using System.Collections; 
    using System.Web.Configuration;
    using System.IO; 
    using System.Security.Principal;
    using System.Security.Permissions;
    using System.Web.Management;
    using System.Web.Hosting; 
    using System.Collections.Generic;
 
 

    ///  
    ///    This module provides URL based
    ///    authorization services for allowing or denying access to specified resources
    /// 
    public sealed class UrlAuthorizationModule : IHttpModule { 

 
        ///  
        ///    
        ///       Initializes a new instance of the  
        ///       class.
        ///     
        /// 
        [SecurityPermission(SecurityAction.Demand, Unrestricted=true)] 
        public UrlAuthorizationModule() {
        } 
 

        ///  
        ///    [To be supplied.]
        /// 
        public void Init(HttpApplication app) {
            app.AuthorizeRequest += new EventHandler(this.OnEnter); 
        }
 
 
        /// 
        ///    [To be supplied.] 
        /// 
        public void Dispose() {
        }
 
        private static bool s_EnabledDetermined;
        private static bool s_Enabled; 
 
        [SecurityPermission(SecurityAction.Demand, Unrestricted=true)]
        public static bool CheckUrlAccessForPrincipal(String virtualPath, IPrincipal user, string verb) { 
            if (virtualPath == null)
                throw new ArgumentNullException("virtualPath");
            if (user == null)
                throw new ArgumentNullException("user"); 
            if (verb == null)
                throw new ArgumentNullException("verb"); 
            verb = verb.Trim(); 

            VirtualPath vPath = VirtualPath.Create(virtualPath); 

            if (!vPath.IsWithinAppRoot)
                throw new ArgumentException(SR.GetString(SR.Virtual_path_outside_application_not_supported), "virtualPath");
 
            if (!s_EnabledDetermined) {
                if( !HttpRuntime.UseIntegratedPipeline) { 
                    HttpModulesSection modulesSection = RuntimeConfig.GetConfig().HttpModules; 
                    int len = modulesSection.Modules.Count;
                    for (int iter = 0; iter < len; iter++) { 
                        HttpModuleAction module = modulesSection.Modules[iter];
                        if (Type.GetType(module.Type, false) == typeof(UrlAuthorizationModule)) {
                            s_Enabled = true;
                            break; 
                        }
                    } 
                } 
                else {
                    List modules = HttpApplication.IntegratedModuleList; 
                    foreach (ModuleConfigurationInfo mod in modules) {
                        if (Type.GetType(mod.Type, false) == typeof(UrlAuthorizationModule)) {
                            s_Enabled = true;
                            break; 
                        }
                    } 
                } 
                s_EnabledDetermined = true;
            } 
            if (!s_Enabled)
                return true;
            AuthorizationSection settings = RuntimeConfig.GetConfig(vPath).Authorization;
 
            // Check if the user is allowed, or the request is for the login page
            return settings.EveryoneAllowed || settings.IsUserAllowed(user, verb); 
        } 

        internal static void ReportUrlAuthorizationFailure(HttpContext context, object webEventSource) { 
            // Deny access
            context.Response.StatusCode = 401;
            WriteErrorMessage(context);
 
            if (context.User != null && context.User.Identity.IsAuthenticated) {
                // We don't raise failure audit event for anonymous user 
                WebBaseEvent.RaiseSystemEvent(webEventSource, WebEventCodes.AuditUrlAuthorizationFailure); 
            }
            context.ApplicationInstance.CompleteRequest(); 
        }

        ////////////////////////////////////////////////////////////
        //////////////////////////////////////////////////////////// 
        ////////////////////////////////////////////////////////////
        // Module Enter: Get the authorization configuration section 
        //    and see if this user is allowed or not 
        void OnEnter(Object source, EventArgs eventArgs) {
            HttpApplication    app; 
            HttpContext        context;

            app = (HttpApplication)source;
            context = app.Context; 
            if (context.SkipAuthorization)
            { 
                if (context.User == null || !context.User.Identity.IsAuthenticated) 
                    PerfCounters.IncrementCounter(AppPerfCounter.ANONYMOUS_REQUESTS);
                return; 
            }

            // Get the authorization config object
            AuthorizationSection settings = RuntimeConfig.GetConfig(context).Authorization; 

            // Check if the user is allowed, or the request is for the login page 
            if (!settings.EveryoneAllowed && !settings.IsUserAllowed(context.User, context.Request.RequestType)) 
            {
                ReportUrlAuthorizationFailure(context, this); 

            }
            else
            { 
                if (context.User == null || !context.User.Identity.IsAuthenticated)
                    PerfCounters.IncrementCounter(AppPerfCounter.ANONYMOUS_REQUESTS); 
 
                WebBaseEvent.RaiseSystemEvent(this, WebEventCodes.AuditUrlAuthorizationSuccess);
            } 
        }

        /////////////////////////////////////////////////////////////////////////////
        static void WriteErrorMessage(HttpContext context) { 
            context.Response.Write(UrlAuthFailedErrorFormatter.GetErrorText());
            // In Integrated pipeline, ask for handler headers to be generated.  This would be unnecessary 
            // if we just threw an access denied exception, and used the standard error mechanism 
            context.Response.GenerateResponseHeadersForHandler();
        } 

        static internal bool RequestRequiresAuthorization(HttpContext context) {
            if (context.SkipAuthorization)
                return false; 

            AuthorizationSection settings = RuntimeConfig.GetConfig(context).Authorization; 
 
            // Check if the anonymous user is allowed
            if (_AnonUser == null) 
                _AnonUser = new GenericPrincipal(new GenericIdentity(String.Empty, String.Empty), new String[0]);

            return !settings.IsUserAllowed(_AnonUser, context.Request.RequestType);
        } 

        internal static bool IsUserAllowedToPath(HttpContext context, VirtualPath virtualPath) 
        { 
            AuthorizationSection settings = RuntimeConfig.GetConfig(context, virtualPath).Authorization;
 
            return settings.EveryoneAllowed || settings.IsUserAllowed(context.User, context.Request.RequestType);
        }

        static GenericPrincipal _AnonUser; 
    }
} 
 

 


// File provided for Reference Use Only by Microsoft Corporation (c) 2007.
//------------------------------------------------------------------------------ 
// 
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// 
//----------------------------------------------------------------------------- 

/* 
 * UrlAuthorizationModule class 
 *
 * Copyright (c) 1999 Microsoft Corporation 
 */

namespace System.Web.Security {
    using System.Runtime.Serialization; 
    using System.Web;
    using System.Web.Util; 
    using System.Collections; 
    using System.Web.Configuration;
    using System.IO; 
    using System.Security.Principal;
    using System.Security.Permissions;
    using System.Web.Management;
    using System.Web.Hosting; 
    using System.Collections.Generic;
 
 

    ///  
    ///    This module provides URL based
    ///    authorization services for allowing or denying access to specified resources
    /// 
    public sealed class UrlAuthorizationModule : IHttpModule { 

 
        ///  
        ///    
        ///       Initializes a new instance of the  
        ///       class.
        ///     
        /// 
        [SecurityPermission(SecurityAction.Demand, Unrestricted=true)] 
        public UrlAuthorizationModule() {
        } 
 

        ///  
        ///    [To be supplied.]
        /// 
        public void Init(HttpApplication app) {
            app.AuthorizeRequest += new EventHandler(this.OnEnter); 
        }
 
 
        /// 
        ///    [To be supplied.] 
        /// 
        public void Dispose() {
        }
 
        private static bool s_EnabledDetermined;
        private static bool s_Enabled; 
 
        [SecurityPermission(SecurityAction.Demand, Unrestricted=true)]
        public static bool CheckUrlAccessForPrincipal(String virtualPath, IPrincipal user, string verb) { 
            if (virtualPath == null)
                throw new ArgumentNullException("virtualPath");
            if (user == null)
                throw new ArgumentNullException("user"); 
            if (verb == null)
                throw new ArgumentNullException("verb"); 
            verb = verb.Trim(); 

            VirtualPath vPath = VirtualPath.Create(virtualPath); 

            if (!vPath.IsWithinAppRoot)
                throw new ArgumentException(SR.GetString(SR.Virtual_path_outside_application_not_supported), "virtualPath");
 
            if (!s_EnabledDetermined) {
                if( !HttpRuntime.UseIntegratedPipeline) { 
                    HttpModulesSection modulesSection = RuntimeConfig.GetConfig().HttpModules; 
                    int len = modulesSection.Modules.Count;
                    for (int iter = 0; iter < len; iter++) { 
                        HttpModuleAction module = modulesSection.Modules[iter];
                        if (Type.GetType(module.Type, false) == typeof(UrlAuthorizationModule)) {
                            s_Enabled = true;
                            break; 
                        }
                    } 
                } 
                else {
                    List modules = HttpApplication.IntegratedModuleList; 
                    foreach (ModuleConfigurationInfo mod in modules) {
                        if (Type.GetType(mod.Type, false) == typeof(UrlAuthorizationModule)) {
                            s_Enabled = true;
                            break; 
                        }
                    } 
                } 
                s_EnabledDetermined = true;
            } 
            if (!s_Enabled)
                return true;
            AuthorizationSection settings = RuntimeConfig.GetConfig(vPath).Authorization;
 
            // Check if the user is allowed, or the request is for the login page
            return settings.EveryoneAllowed || settings.IsUserAllowed(user, verb); 
        } 

        internal static void ReportUrlAuthorizationFailure(HttpContext context, object webEventSource) { 
            // Deny access
            context.Response.StatusCode = 401;
            WriteErrorMessage(context);
 
            if (context.User != null && context.User.Identity.IsAuthenticated) {
                // We don't raise failure audit event for anonymous user 
                WebBaseEvent.RaiseSystemEvent(webEventSource, WebEventCodes.AuditUrlAuthorizationFailure); 
            }
            context.ApplicationInstance.CompleteRequest(); 
        }

        ////////////////////////////////////////////////////////////
        //////////////////////////////////////////////////////////// 
        ////////////////////////////////////////////////////////////
        // Module Enter: Get the authorization configuration section 
        //    and see if this user is allowed or not 
        void OnEnter(Object source, EventArgs eventArgs) {
            HttpApplication    app; 
            HttpContext        context;

            app = (HttpApplication)source;
            context = app.Context; 
            if (context.SkipAuthorization)
            { 
                if (context.User == null || !context.User.Identity.IsAuthenticated) 
                    PerfCounters.IncrementCounter(AppPerfCounter.ANONYMOUS_REQUESTS);
                return; 
            }

            // Get the authorization config object
            AuthorizationSection settings = RuntimeConfig.GetConfig(context).Authorization; 

            // Check if the user is allowed, or the request is for the login page 
            if (!settings.EveryoneAllowed && !settings.IsUserAllowed(context.User, context.Request.RequestType)) 
            {
                ReportUrlAuthorizationFailure(context, this); 

            }
            else
            { 
                if (context.User == null || !context.User.Identity.IsAuthenticated)
                    PerfCounters.IncrementCounter(AppPerfCounter.ANONYMOUS_REQUESTS); 
 
                WebBaseEvent.RaiseSystemEvent(this, WebEventCodes.AuditUrlAuthorizationSuccess);
            } 
        }

        /////////////////////////////////////////////////////////////////////////////
        static void WriteErrorMessage(HttpContext context) { 
            context.Response.Write(UrlAuthFailedErrorFormatter.GetErrorText());
            // In Integrated pipeline, ask for handler headers to be generated.  This would be unnecessary 
            // if we just threw an access denied exception, and used the standard error mechanism 
            context.Response.GenerateResponseHeadersForHandler();
        } 

        static internal bool RequestRequiresAuthorization(HttpContext context) {
            if (context.SkipAuthorization)
                return false; 

            AuthorizationSection settings = RuntimeConfig.GetConfig(context).Authorization; 
 
            // Check if the anonymous user is allowed
            if (_AnonUser == null) 
                _AnonUser = new GenericPrincipal(new GenericIdentity(String.Empty, String.Empty), new String[0]);

            return !settings.IsUserAllowed(_AnonUser, context.Request.RequestType);
        } 

        internal static bool IsUserAllowedToPath(HttpContext context, VirtualPath virtualPath) 
        { 
            AuthorizationSection settings = RuntimeConfig.GetConfig(context, virtualPath).Authorization;
 
            return settings.EveryoneAllowed || settings.IsUserAllowed(context.User, context.Request.RequestType);
        }

        static GenericPrincipal _AnonUser; 
    }
} 
 

 


// File provided for Reference Use Only by Microsoft Corporation (c) 2007.

Link Menu

Network programming in C#, Network Programming in VB.NET, Network Programming in .NET
This book is available now!
Buy at Amazon US or
Buy at Amazon UK