Q 1. To my understanding FormsAuthenticationModule
is subscribed to AuthenticateRequest
event, and thus only after this event is fired, is FormsAuthenticationModule
called. But the following quotes got me a bit confused:
The
AuthenticateRequest
event signals that the configured authentication mechanism has authenticated the current request.
AuthenticateRequest
event is raised, request (aka user) is already authenticated? Subscribing to the
AuthenticateRequest
event ensures that the request will be authenticated before processing the attached module or event handler.
AuthenticatedRequest
, then our event handler will be called prior to FormsAuthenticationModule
? Thus Application_AuthenticateRequest()
will be called before FormsAuthenticationModule
is called?Q 2. Book I’m learning from suggests that within Application_AuthenticateRequest()
we are able to verify whether user is a member of specific role, and if not, we can add the user automatically:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated && Roles.Enabled)
{
//here we can subscribe user to a role via Roles.AddUserToRole()
}
}
Judging from the above code, Application_AuthenticateRequest()
is called after FormsAuthenticationModule
has been invoked, but somewhere else same book implies that Application_AuthenticateRequest()
is called prior to FormsAuthenticationModule
:
Application_AuthenticateRequest
is called just before authentication is performed. This is a jumping-off point for creating your own authentication logic.
What am I missing?
Thanx
It seems that the FormsAuthenticationModule gets handled first. This module is normally earlier than any custom module in the ASP.NET pipeline, so when AuthenticateRequest is fired, FormsAuthenticationModule will get called first, do its job and then your module's event handler will be called.
If you really want to dig deep into this, I suggest trying to debug the ASP.NET code yourself. Here is a post how to set up your VS:
http://weblogs.asp.net/scottgu/archive/2008/01/16/net-framework-library-source-code-now-available.aspx
EDIT: I was able to confirm this behavior by setting up a web project with custom module and event handlers in Global.asax. Take a look at the source code of HttpApplication.InitInternal, the order of initialization is as follows:
After the initialization, when the AuthenticateRequest fires, the event handlers are called in the order they where initialized, so:
Unless I missed something, there is no mechanism for stopping the event handlers to fire, so no matter what the result of FormsAuthenticationModule.AuthenticateRequest, the next handlers will still be called. I hope that helps.
If you want access to the User object, I'd suggest you use
protected void Application_Start()
{
PostAuthenticateRequest += Application_PostAuthenticateRequest;
}
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
if(User.Identity.IsAuthenticated)
{
//Do stuff here
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With