Web file manager Free Installation assistance Manual Home page

How to configure common authentication across multiple applications

For example, you have IIS application that performs main functions in your organization. Let's call it the primary application. The application maintains a database of users and other related data. We want to add file manipulation function to the primary application with help of HTTP Commander. The new application should use existing set of users, and share authentication with the primary application. Common authentication means that as soon as the user is authenticated to the primary application it is authenticated to HTTP Commander as well. Technically speaking, both applications share common authentication ticket. HTTP Commander logon facility is inaccessible since the web file manager is neither familiar with authentication process implemented in the primary application, nor it has access to user list. Hence logon function is delegated to the primary application.

Note. This article applies only to Forms authentication type.

Note. HTTP Commander admin panel still allows to add users, shows list of configured users, but this list does not play any role in authentication process. Keep the list of HTTP Commander users empty to avoid confusion. Many HTTP Commander settings require user name or list of names as value. GUI dialogs often provide a drop down list of available users to facilitate user selection, in the common authentication case this list will be empty or be filled with HTTP Commander users that are not relevant here. You should keep this in mind when specifying user names. Other items like user groups, folders function as usual.

For technical details about configuring shared authentication, see Forms Authentication Across Applications.

Step 1. Add identical machineKey sections to web.config files of both applications

Step 2. Configure authentication section

The name, protection, path attributes of the authentication section must be identical across all applications. Attributes having default value may be omitted.

<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, and path attributes must match 
           exactly in each Web.config file. -->
      <forms loginUrl="login.aspx"
        name=".ASPXFORMSAUTH" 
        protection="All"  
        path="/" 
        domain="contoso.com" 
        timeout="30" />
    </authentication>
  </system.web>
</configuration>

Step 3. Set login url

In the web.config file of the HTTP Commander application, set loginUrl attribute of the forms element to logon URL of the first application. For example, the authentication section may look like this.

<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="/PrimaryApplication/Logon.aspx" defaultUrl="Default.aspx" timeout="43200" />
        </authentication>
    </system.web>
</configuration>

Step 4. Disable anonymous access to Default.aspx page

Remove or comment out the Default.aspx location section in web.config that makes Default.aspx page available to anonymous users:

<location path="Default.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

Step 5. Logout.aspx page

By default in the Forms version of HTTP Commander after logout the user is redirected to the Default.aspx page. Since authentication cookies are cleared and Default.aspx is not accessible to the anonymous user, the user will be redirected to logon page of the primary application.

You probably want to replace the Default.aspx page with some other page in the first application. That may be a logout page if the primary application has one or the login page that you specified already in web.config. Change the default value of the urlReferrer variable:

string urlReferrer = "Default.aspx"; // <-- change this
if (this.Request.UrlReferrer != null)
    urlReferrer = this.Request.UrlReferrer.AbsoluteUri;

You probably want to preserve the following two lines that redefine the urlReferrer if this.Request.UrlReferrer is present.