httpd-cli-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: [cli-users] mod_aspdotnet does not pass authentication info on to ASP.NET
Date Fri, 04 Mar 2005 02:52:29 GMT
OK - somewhere we are missing a linkage.  Should be a trivial
fix, but I have far fewer hours to spend on .NET than likely you
do, Walter.  Hopefully someone else on this list has the humor
to overlook your ostentatiousness.

I assure you, however, that no one will invest any effort 
in solving the legitimate issues you raise, when your thorough
reproduction case wasn't attached.

Did you forget to click attach?


There are EBCADs everywhere.  That includes aspdotnet.  If you
want us to work with you, we are glad to investigate what's 
going on.  If you don't have the time, don't bother with the 
report, we don't either.

mod_aspdotnet is free software.  Unlike MS - when it breaks,
you get to keep both pieces and fix them yourself if you like,
or work with the community to resolve the issues.

2.0 isn't even five months old, lighten up :)  There are even
snapshot builds of the most recent code at if you care to ensure this
problem exists in the next coming release.


At 08:21 PM 3/3/2005, Walter Nicholls wrote:
>OK, I've wasted way too much time on this but I've eliminated two red herrings, IIS and
the GetServerVariables() method
>Here's a repro:
>Attached zip file contains:
>   aspnetbug.conf, bugusers
>   printvars.aspx, printvars.c, printvars.exe
>To install
>0. Take one working Apache 2/ mod_aspdotnet install
>1. Copy printvars.* into c:\temp\aspnetbug\  ( or directory of your choice )
>2. If you don't trust me, compile printvars.c with the compiler of your choice
>3. Copy aspnetbug.conf and bugusers to c:\Program Files\Apache Group\Apache2\conf\  (or
>4. Add the following line to c:\Program Files\Apache Group\Apache2\conf\httpd.conf:
>   include conf/aspnetbug.conf
>To test
>1. Navigate  browser to http://localhost/aspnetbug/printvars.exe
> requires a login. Log in as username = test, password=  test
> Web page shows:
>SERVER_SOFTWARE=Apache/2.0.53 (Win32)
>2. Navigate browser to http://localhost/aspnetbug/printvars.aspx (and login as before
if required)
>Variable    ServerVariables[x]   GetServerVariables(x)
>AUTH_TYPE    (blank)    Basic
>AUTH_USER    (blank)    (blank)   
>REMOTE_USER    (blank)    test
>SERVER_SOFTWARE    Apache/2.0.53 (Win32)    Apache/2.0.53 (Win32)
>For the Request.ServerVariables to match what came back from GetServerVariables(), of
>OK, clearly ASP.NET is not using the server variables passed to it to determine the authenticated
user.  Quite what it thinks it is using I don't know, but GetUserToken() seems like a very
likely place.
>Perhaps this thread should be titled "mod_aspdotnet does not implement GetUserToken()"
>How to fix this is another problem. How does the value (IntPtr) returned by GetUserToken()
turn into the ASP.NET User object (assuming it does!). Digging the MSDN documentation it appear
that someone somewhere should be executing code like:
>IPrincipal aspnet_user_object = new GenericPrincipal(
>   new GenericIdentity( GetServerVariables( "REMOTE_USER"), GetServerVariables("AUTH_TYPE")
>   null );
>// that now becomes the ASP.NET User object.
>Is it as simple as casting that aspnet_user_object to an IntPtr and returning that?  I
surely don't think so.
>I really have run out of time on this. I hope this sheds some light, I can't see how mod_aspdotnet
can be used for anything other that toy apps without it though.  Every application I've ever
written has wanted to know who the user is, even if just for logging.
>Couple more things while they come to mind
>* mod_ntlm would present its own problems in that instead of returning a GenericPrincipal
it should presumably be returning a WindowsPrincipal instead. I suspect this might involve
more than just "new WindowsPrincipal( r->user )"
>* Would also be nice to add a list of roles so that ASP.NET code can use User.IsInRole().
  Don't know where that list should be obtained, though. I don't know the request_rec structure
at all so there might be something useful in there, might not.
>To unsubscribe, e-mail:
>For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message