ASP.NET OWIN WebForms require authorization all pages

You are right that there are no resources about using the classic ASP.Net authorization with the OWIN security middleware.

I'm using ASP.Net Web Pages, so my experiment is similar to yours (we both try to protect static files, whether aspx or cshtml).

My experiment was so horrific. I was about to bang my head against a wall.

At last I discovered how to make it run. And here is what I did:

  1. Web.config: Protect everything except the special pages which must be available to anonymous users.
    <configuration>
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>

        <location path="shell.cshtml">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>

        <location path="notFound.cshtml">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>

        <location path="security/login.cshtml">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>
    </configuration>
  2. OWIN startup class:
    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.AspNet.Identity.Owin;
    using Microsoft.Owin;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    // Tells Microsoft.Owin.Host.SystemWeb which class to run at startup.
    [assembly: OwinStartup(typeof(Startup))]

    public static class Startup
    {
        public static void Configuration(IAppBuilder app)
        {
            var cookieExpiration = TimeSpan.FromMinutes(20);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Active: the middleware sets the request's Identity/Principal on
                // every request, which is what the classic UrlAuthorizationModule
                // inspects. Passive leaves them empty and every page is forbidden.
                AuthenticationMode = AuthenticationMode.Active,
                CookieName = "efa",
                ExpireTimeSpan = cookieExpiration,
                SlidingExpiration = true,
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                Provider = new CookieAuthenticationProvider
                {
                    // Re-checks the user's security stamp so an existing cookie
                    // stops working after a password change or sign-out-everywhere.
                    // UserManager, User (long key) and Identity.Identity are the
                    // application's own types.
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<UserManager, User, long>(
                        validateInterval: cookieExpiration,
                        regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                        getUserIdCallback: identity => Identity.Identity.ExtractIdFromClaims(identity))
                }
            });

            // HttpConfig is the application's own HttpConfiguration subclass.
            app.UseWebApi(new HttpConfig());
        }
    }

It was crucial to set AuthenticationMode = AuthenticationMode.Active. I spent a whole work day discovering this. If you set it to Passive, the authentication middleware won't populate the Identity and Principal objects of the HTTP context, and the authorization module will forbid all requests.

This will make the classic UrlAuthorization module work for you, based on the identity populated by the OWIN middleware. It must be noted that the NuGet package Microsoft.Owin.Host.SystemWeb must be installed; otherwise OWIN won't be integrated with the ASP.Net pipeline.

You may also use these modern OWIN authorization modules: http://leastprivilege.com/2014/06/24/resourceaction-based-authorization-for-owin-and-mvc-and-web-api/ They're highly customizable and can protect MVC controllers, Web API controllers, and static files.
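As an added check that is not part of either answer: the Python script below emulates how ASP.NET's UrlAuthorizationModule evaluates `<authorization>` rules (location-specific rules first, then the root rules, first match wins, no match means allow), so you can confirm offline which pages an anonymous request would reach before deploying. The embedded Web.config is constructed for the example, and `WEAK_CONFIG` shows the rule-order pitfall where an `<allow users="*"/>` listed before the deny makes the deny unreachable.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config in the shape of the answer's: root deny for anonymous
# users plus per-page <location> overrides for the public pages.
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="shell.cshtml">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="security/login.cshtml">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

# Pitfall: rule order matters. With <allow users="*"/> listed before the deny,
# the allow matches every request first and the deny is never reached.
WEAK_CONFIG = WEB_CONFIG.replace(
    '<deny users="?" />', '<allow users="*" /><deny users="?" />')

def _rules(section):
    """[(verb, users)] in document order from section/system.web/authorization."""
    out = []
    for sw in (c for c in section if c.tag == "system.web"):
        for auth in (c for c in sw if c.tag == "authorization"):
            out += [(r.tag, r.get("users", "")) for r in auth]
    return out

def effective_rules(config_xml, path):
    """Rules applying to `path`: most specific <location> first, then root."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    matching = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p and (path == p or path.startswith(p + "/")):
            matching.append((len(p), _rules(loc)))
    matching.sort(key=lambda t: -t[0])            # longer path = more specific
    return [r for _, rs in matching for r in rs] + _rules(root)

def is_allowed(config_xml, path, authenticated, name=None):
    """First matching rule wins: '?' = anonymous, '*' = everyone, else a user name.
    Role-based rules (roles="...") are deliberately not modelled."""
    for verb, users in effective_rules(config_xml, path):
        for u in (x.strip() for x in users.split(",")):
            if u == "*" or (u == "?" and not authenticated) or (u and u == name):
                return verb == "allow"
    return True   # no rule matched: ASP.NET's machine-level default is allow

def audit(config_xml, paths):
    """Map each path to whether an anonymous request would be served."""
    return {p: is_allowed(config_xml, p, authenticated=False) for p in paths}
```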


Adding the following filter to the default App_Start/FilterConfig.cs file (in the RegisterGlobalFilters method) did the trick:

filters.Add(new AuthorizeAttribute());