Note! This Manual is for the "Windows authentication" version, which is designed to work with existing Windows server or Active Directory accounts and Windows authentication. If you want to create accounts by yourself and store their credentials in your own HTTP Commander XML database, you need to download the "Forms authentication" version! This Manual is for the Windows authentication version only!
Web file manager
How to configure common authentication across multiple applications
For example, suppose you have an IIS application that performs the main functions in your organization. Let's call it the primary application. The application maintains a database of users and other related data. We want to add file manipulation functions to the primary application with the help of HTTP Commander. The new application should use the existing set of users and share authentication with the primary application. Common authentication means that as soon as a user is authenticated to the primary application, that user is authenticated to HTTP Commander as well. Technically speaking, both applications share a common authentication ticket. The HTTP Commander logon facility is inaccessible, since the web file manager is neither familiar with the authentication process implemented in the primary application nor has access to the user list. Hence the logon function is delegated to the primary application.
Note: This article applies only to the Forms authentication type.
Note: The HTTP Commander admin panel still allows you to add users and shows the list of configured users, but this list does not play any role in the authentication process. Keep the list of HTTP Commander users empty to avoid confusion. Many HTTP Commander settings require a user name or a list of names as their value. GUI dialogs often provide a drop-down list of available users to facilitate user selection; in the common authentication case this list will be empty or filled with HTTP Commander users that are not relevant here. Keep this in mind when specifying user names. Other items, such as user groups and folders, function as usual.
For technical details about configuring shared authentication, see Forms Authentication Across Applications and How To: Configure MachineKey in ASP.NET 2.0.
<configuration>
<system.web>
<machineKey decryptionKey="..." validationKey="..." />
</system.web>
</configuration>
<configuration>
<system.web>
<machineKey decryptionKey="..." validationKey="..." validation="SHA1" decryption="AES" />
</system.web>
</configuration>
Note: You may choose other validation and decryption values; the point is that they must be identical across all applications.
<configuration>
<system.web>
<machineKey decryptionKey="..." validationKey="..." validation="SHA1" decryption="AES" />
</system.web>
</configuration>
To generate random keys for the decryptionKey and validationKey attributes, use the attached aspx page. In the source code of the page, set the len variable to the value appropriate to the hashing / encryption algorithm: SHA1 - 128 chars, AES - 64 chars, 3DES - 48 chars. See How To: Configure MachineKey in ASP.NET 2.0 for more details about generating random keys.
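As an added example (this is not the attached aspx page and not HTTP Commander code), the PowerShell script below draws keys of the lengths listed above from the system cryptographic random number generator and prints a machineKey element. The names New-RandomHex, New-MachineKeyElement and $HexLength are assumptions made for this example.

```powershell
# Added example: generate machineKey values of the lengths listed in this article.
# Function and variable names are hypothetical, not part of HTTP Commander.

# Key lengths in hex characters, as stated above.
$HexLength = @{ SHA1 = 128; AES = 64; '3DES' = 48 }

function New-RandomHex {
    param([Parameter(Mandatory)][int]$HexChars)
    if (($HexChars -le 0) -or (($HexChars % 2) -ne 0)) {
        throw "HexChars must be a positive even number, got $HexChars"
    }
    # Two hex characters encode one byte.
    $bytes = New-Object byte[] ($HexChars / 2)
    # Cryptographic RNG; Get-Random and System.Random are not suitable for keys.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

function New-MachineKeyElement {
    param(
        [ValidateSet('SHA1')][string]$Validation = 'SHA1',
        [ValidateSet('AES', '3DES')][string]$Decryption = 'AES'
    )
    $validationKey = New-RandomHex -HexChars $HexLength[$Validation]
    $decryptionKey = New-RandomHex -HexChars $HexLength[$Decryption]
    '<machineKey decryptionKey="{0}" validationKey="{1}" validation="{2}" decryption="{3}" />' -f
        $decryptionKey, $validationKey, $Validation, $Decryption
}

# Generate once, then paste the same element into every application's web.config.
New-MachineKeyElement -Validation SHA1 -Decryption AES
```

Run it once and copy the single resulting element into each application; generating separately per application produces keys that do not match.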
The name, protection, and path attributes of the authentication section must be identical across all applications. Attributes that have their default value may be omitted.
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
</system.web>
</configuration>
In the web.config file of the HTTP Commander application, set the loginUrl attribute of the forms element to the logon URL of the first application. For example, the authentication section may look like this.
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/PrimaryApplication/Logon.aspx" defaultUrl="Default.aspx" timeout="43200" />
</authentication>
</system.web>
</configuration>
Remove or comment out the Default.aspx location section in web.config that makes the Default.aspx page available to anonymous users:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
By default, in the Forms version of HTTP Commander the user is redirected to the Default.aspx page after logout. Since the authentication cookies are cleared and Default.aspx is not accessible to anonymous users, the user will be redirected to the logon page of the primary application.
You probably want to replace the Default.aspx page with some other page in the first application. That may be a logout page, if the primary application has one, or the login page that you already specified in web.config. Change the default value of the urlReferrer variable:
string urlReferrer = "Default.aspx"; // <-- change this
if (this.Request.UrlReferrer != null)
    urlReferrer = this.Request.UrlReferrer.AbsoluteUri;
You probably want to preserve the two lines after the declaration, which redefine urlReferrer if this.Request.UrlReferrer is present.
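Once both web.config files are edited, the settings that this article says must be identical can be checked mechanically. The PowerShell script below is an added example, not part of HTTP Commander: it compares the machineKey attributes and the forms name, protection and path attributes of two files, applies the ASP.NET defaults to omitted forms attributes, and reports status only, so key values are never printed. The two sample files, the placeholder key values and the names Get-SharedAuthSettings and Compare-SharedAuth are constructed for the example.

```powershell
# Added example: compare the settings this article says must be identical.
# Both web.config samples are constructed; key values are placeholders.
$primary = [xml]@'
<configuration><system.web>
  <machineKey decryptionKey="DEC" validationKey="VAL" validation="SHA1" decryption="AES" />
  <authentication mode="Forms"><forms name=".ASPXFORMSAUTH" protection="All" path="/" /></authentication>
</system.web></configuration>
'@
$commander = [xml]@'
<configuration><system.web>
  <machineKey decryptionKey="DEC" validationKey="VAL" />
  <authentication mode="Forms"><forms loginUrl="/PrimaryApplication/Logon.aspx" /></authentication>
</system.web></configuration>
'@

# Attributes to compare, keyed by element path under system.web.
$Tracked = [ordered]@{
    'machineKey'           = 'decryptionKey', 'validationKey', 'validation', 'decryption'
    'authentication/forms' = 'name', 'protection', 'path'
}
# ASP.NET defaults for omitted <forms> attributes; none is assumed for machineKey.
$Defaults = @{ name = '.ASPXFORMSAUTH'; protection = 'All'; path = '/' }

function Get-SharedAuthSettings {
    param([Parameter(Mandatory)][xml]$Config)
    $out = [ordered]@{}
    foreach ($path in $Tracked.Keys) {
        $node = $Config.SelectSingleNode("/configuration/system.web/$path")
        foreach ($attr in $Tracked[$path]) {
            $value = if ($Defaults.ContainsKey($attr)) { $Defaults[$attr] } else { '(not set)' }
            if (($null -ne $node) -and $node.HasAttribute($attr)) { $value = $node.GetAttribute($attr) }
            $out["$path/@$attr"] = $value
        }
    }
    $out
}

function Compare-SharedAuth {
    param([xml]$First, [xml]$Second)
    $a = Get-SharedAuthSettings $First
    $b = Get-SharedAuthSettings $Second
    foreach ($id in $a.Keys) {
        # An omitted or auto-generated machineKey value cannot be relied on to match.
        $implicit = @($a[$id], $b[$id]) -match '^(\(not set\)|AutoGenerate)'
        $status = if ($a[$id] -ceq $b[$id]) { 'match' } else { 'MISMATCH' }
        if ($implicit) { $status = 'NOT SET EXPLICITLY' }
        [pscustomobject]@{ Setting = $id; Status = $status }  # values are never printed
    }
}
Compare-SharedAuth $primary $commander | Format-Table -AutoSize
```

For real files, load each one with `[xml](Get-Content -Raw <path to web.config>)` in place of the constructed samples.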