问题
I'm running an asp.net web application with c#. The following is used: - Windows 2003 server - IIS6.0 - .net Framework 2.0.50727
I'm trying to implement Forms Authentication and have entered the following code in the Web.Config file:
<authentication mode="Forms">
<forms loginUrl="01_Login.aspx"
name=".ASPXFORMSAUTH"
defaultUrl="02_PendingDoc.aspx"
timeout="120"
path="/"
protection="All"
enableCrossAppRedirects="true">
</forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
The login is working as expected, the users can't access any pages other than the 01_Login.aspx until they logged in with a valid username and password. When the user provides the correct login details the following code is done:
FormsAuthentication.RedirectFromLoginPage(logLogin.UserName, false);
However, when the user clicks on a button the following code is run:
//Load xml file into XMLDocument object
XmlDocument xmlDoc = new XmlDocument();
try
{
xmlDoc.Load("SearchConfig.xml");
}
catch (XmlException e)
{
Console.WriteLine(e.Message);
}
The xmlDoc.Load function above will fail and create an XmlException with the following message "{"Expected DTD markup was not found. Line 5, position 3."}". I have also tried to comment out the following part of the Web.Config file:
<deny users="?"/>
And then the xmlDoc.Load function works, but of course, then the users can access all of my applications pages.
Anyone, that have any idea what I've done wrong?
回答1:
<?xml version="1.0"?>
<BankSearch><SearchColumns>
<Column>
<Name>Bank_Name</Name>
<Control>TextBox</Control>
<Description>Bank Name</Description>
</Column>
</SearchColumns>
<SearchStoredProc Name="usp_BankSearch">
<Parameter1 control="txtBank_Name">@Bank_Name</Parameter1>
</SearchStoredProc>
<DisplayColumns>
<Column HeaderText="Bank Name" HyperLinkColumn="True" NavigateUrl="~/Bank/Bank.aspx" NavigateUrlFields="Bank_Id" QueryStrings="BID">Bank_Name</Column>
<Column HeaderText="Bank Address">Bank_Address</Column>
<Column HeaderText="Bank Email Id">BANK_EMAIL_ID</Column>
<Column HeaderText="Bank Phone">Bank_Phone</Column>
<Column HeaderText="Bank Fax">BANK_FAX_NO</Column>
<Column HeaderText="City">City</Column>
<Column HeaderText="Postal Code">POSTAL_CODE</Column>
<Column HeaderText="State">STATE_NAME</Column>
<Column HeaderText="Country">Country_Name</Column>
</DisplayColumns>
回答2:
if you are using forms authentication, even if you are already logged in, xmlDocument is going to the loging page first. This page is not an XML file. Hence the exception. I saw a suggestion that this could work:
void Main()
{
XmlUrlResolver resolver = new XmlUrlResolver();
resolver.Credentials = CredentialCache.DefaultCredentials;
var x = new XmlDocument();
x.XmlResolver = resolver;
x.Load("https://yourUrl");
}
It sounds like a good advice but i could not get it work. I will try to get the xml using a web request instead. Because when I use a web browser, the xml is returned without needing to log on again through forms authentication.
Finally found the solution. As I explained this is due to using forms authentication. I was thinking once HTTPS is established all communication from the application will have authorization automatically. However, calls to back-end applications require authentication. That is why instead of getting back the xml I was getting an html page which is the login page. I managed to bypass the forms authentication by adding the authentication cookie as below:
var httpCookie = FormsAuthentication.GetAuthCookie(context.User.Identity.Name, false);
var cookie = new Cookie(httpCookie.Name, httpCookie.Value, httpCookie.Path, HttpContext.Current.Request.Url.Host);
var rq = (HttpWebRequest) WebRequest.Create(url);
rq.CookieContainer = new CookieContainer();
rq.CookieContainer.Add(cookie);
var rs = (HttpWebResponse) rq.GetResponse();
var strm = rs.GetResponseStream();
var rdr = new StreamReader(strm);
var str = rdr.ReadToEnd();
var userDetails = new XmlDocument();
userDetails.LoadXml(str);
来源:https://stackoverflow.com/questions/2107145/form-authentication-and-xmldocument-load