Authentication handled before rewrite

Topics: User Forum
Jul 4, 2007 at 11:35 AM
I'm using two ISAPI filters: one for LDAP authentication and the rewrite filter.
But IIS does authentication first.
With one of my conditions:
RewriteCond %{AUTH_TYPE} ^(?!Basic)
I try to catch non-authenticated requests and redirect them to another virtual directory.

But because the authentication is handled first, this will never happen.

The priorities of both filters are high, but I placed rewrite above ldapauth.

What can I do to fix this? In Apache this works very well.
Jul 4, 2007 at 3:12 PM
Edited Jul 4, 2007 at 3:17 PM
Ok, I have found the problem.

For rewrites before the authentication, the filter should listen for the SF_NOTIFY_PREPROC_HEADERS message and not for SF_NOTIFY_AUTH_COMPLETE.
I noticed that this is behavior that has recently changed. In an older version there is a listener for the SF_NOTIFY_PREPROC_HEADERS message.
After I changed the SF_NOTIFY_AUTH_COMPLETE handlers to SF_NOTIFY_PREPROC_HEADERS, it's working.

Can the listeners for the SF_NOTIFY_PREPROC_HEADERS message be reimplemented? Or is there another solution for this?
Coordinator
Jul 13, 2007 at 5:49 PM
Edited Jul 23, 2007 at 12:32 PM
Hmmm, yes. I understand what you are saying.

The change to listen on SF_NOTIFY_AUTH_COMPLETE, rather than PREPROC_HEADERS, was made in IIRF because server variables are available only in AUTH_COMPLETE.

I need to better understand your requirement.
Can you elaborate, please? I don't understand what your LDAP authn filter does. I don't understand the interaction between that filter and the IIRF.

I think your post says that you modified the IIRF code and it works for you. Is this a bad solution for you?
If you don't need Server variables, this may be sufficient for you.
Jul 23, 2007 at 9:02 AM

Cheeso wrote:
I need to better understand your requirement.
Can you elaborate, please? I don't understand what your LDAP authn filter does. I don't understand the interaction between that filter and the IIRF.


The LDAP authentication filter authenticates against an LDAP server via Basic authentication. But I want to apply the rules before the user is authenticated.
That doesn't work with SF_NOTIFY_AUTH_COMPLETE.


I think your post says that you modified the IIRF code and it works for you. Is this a bad solution for you?
If you don't need Server variables, this may be sufficient for you.


It isn't a bad solution for me, but I'm not aware of any problems that might occur when I use a customized DLL. I think it's better to use the DLL as delivered, and not to use a customized DLL in a production environment.

Maybe something can be done to support both (make before/after authentication configurable?): rewriting after authentication and before authentication. That would make it possible to use this ISAPI filter out of the box.
I'm not experienced enough in C++ and IIS to implement this, but I can imagine this is a nice feature.
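An added example, not code from this thread or from IIRF itself: a stand-alone C model of the two notification phases discussed above (SF_NOTIFY_PREPROC_HEADERS before the authenticating filter runs, SF_NOTIFY_AUTH_COMPLETE after it) and of the per-rule before/after setting proposed here. It shows why a rule with `RewriteCond %{AUTH_TYPE} ^(?!Basic)` can never fire when evaluated at AUTH_COMPLETE, and what it sees when evaluated at PREPROC_HEADERS instead. The `phase` field on the rule, the `run_request` driver, the request path `/private/report` and the redirect target `/public/login` are all assumptions constructed for the model; no Windows ISAPI headers are used.

```c
#include <stdio.h>
#include <string.h>

/* Notification phases in the order IIS raises them for one request.
 * The names mirror the ISAPI filter SDK constants, but this is a model,
 * not a real filter (no httpfilt.h). */
typedef enum {
    PHASE_PREPROC_HEADERS,  /* SF_NOTIFY_PREPROC_HEADERS: before any authentication */
    PHASE_AUTH_COMPLETE     /* SF_NOTIFY_AUTH_COMPLETE: after the auth filter has run */
} phase_t;

/* A rewrite rule with the hypothetical per-rule phase setting from the thread. */
typedef struct {
    const char *not_prefix;    /* AUTH_TYPE prefix the rule must NOT match; models ^(?!Basic) */
    const char *redirect_to;   /* where matching requests are sent */
    phase_t     phase;         /* notification at which the rule is evaluated */
} rule_t;

/* Request state as the rewrite filter sees it at a given phase. */
typedef struct {
    const char *url;
    const char *auth_type;     /* "" until the LDAP/Basic-auth filter has authenticated the user */
} request_t;

/* RewriteCond %{AUTH_TYPE} ^(?!Basic): true when AUTH_TYPE does not begin with the prefix. */
static int cond_not_prefix(const char *auth_type, const char *prefix) {
    return strncmp(auth_type, prefix, strlen(prefix)) != 0;
}

/* Evaluate one rule at one phase. Returns the redirect target or NULL. */
static const char *evaluate(const rule_t *rule, const request_t *req, phase_t phase) {
    if (rule->phase != phase)
        return NULL;  /* the filter is not listening for this notification */
    return cond_not_prefix(req->auth_type, rule->not_prefix) ? rule->redirect_to : NULL;
}

/* Drive one constructed request through both notifications, with the
 * authenticating filter acting in between. Returns the outcome as a string:
 * the rewrite's redirect target, the auth filter's 401, or NULL when the
 * request passes through to the virtual directory untouched. */
const char *run_request(const rule_t *rule, int client_sent_credentials) {
    request_t req = { "/private/report", "" };   /* constructed sample request */
    const char *target;

    /* 1. SF_NOTIFY_PREPROC_HEADERS fires first: AUTH_TYPE is still empty. */
    target = evaluate(rule, &req, PHASE_PREPROC_HEADERS);
    if (target)
        return target;

    /* 2. The LDAP filter performs Basic authentication (modelled). A request
     *    without credentials is rejected here, before any later rewrite. */
    if (!client_sent_credentials)
        return "401 Unauthorized (issued by the auth filter)";
    req.auth_type = "Basic";

    /* 3. SF_NOTIFY_AUTH_COMPLETE fires last: AUTH_TYPE is already "Basic". */
    return evaluate(rule, &req, PHASE_AUTH_COMPLETE);
}

/* The same rule registered at each of the two phases. */
const rule_t rule_after_auth  = { "Basic", "/public/login", PHASE_AUTH_COMPLETE };
const rule_t rule_before_auth = { "Basic", "/public/login", PHASE_PREPROC_HEADERS };

static void show(const char *label, const char *outcome) {
    printf("%-40s -> %s\n", label, outcome ? outcome : "(pass through, no rewrite)");
}

int main(void) {
    /* At AUTH_COMPLETE the condition never matches: the auth filter has
     * already either set AUTH_TYPE=Basic or answered 401 itself. */
    show("AUTH_COMPLETE, credentials sent", run_request(&rule_after_auth, 1));
    show("AUTH_COMPLETE, no credentials",   run_request(&rule_after_auth, 0));
    /* At PREPROC_HEADERS AUTH_TYPE is empty for every request, so the rule
     * fires before the auth filter gets a chance to run. */
    show("PREPROC_HEADERS, credentials sent", run_request(&rule_before_auth, 1));
    show("PREPROC_HEADERS, no credentials",   run_request(&rule_before_auth, 0));
    return 0;
}
```

The model makes the trade-off in the coordinator's question visible: evaluating at PREPROC_HEADERS lets the rule run before authentication, but at that point AUTH_TYPE (like the other server variables) is not yet populated, so a condition on it matches every request, authenticated or not.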
Coordinator
Jul 23, 2007 at 12:43 PM
Edited Jul 23, 2007 at 12:49 PM
Ok, that sounds like a reasonable request. I'll copy it to a work item. I have to think about it some more, before I figure out how to implement it.

What is the authenticating filter you are using? Something custom, or something off the shelf? If it is off-the-shelf, which product? Can I read the doc for it?

The before/after authentication setting: should it be selectable for each rule?

What is AUTH_TYPE before your authentication filter does its thing? What is it, afterwards?

Is AUTH_TYPE the only indicator of whether authentication has occurred? Is it possible for an authentication filter, in general, to set other server variables? I think it probably is.

Should IIRF automatically select before/after authentication, based on whether there is a reference to AUTH_TYPE in the associated RewriteCond statements? I think maybe it should not.

What is the best way to specify that a rule or ruleset should apply before or after authentication?

Are there other phases where the admin might want to apply rewrite? For example, before or after logging? Before or after something else? Or is authentication the only special stage that needs this treatment?

Coordinator
Jul 23, 2007 at 12:47 PM
This discussion has been copied to a work item.