[Mono-aspnet-list] FormsAuthentication loginUrl not mapping properly on mono vs IIS7

gatz44 pgatz11 at gmail.com
Thu Nov 29 17:39:48 UTC 2012


Hello,
My ASP.NET application uses the CAS protocol to authenticate users by
accessing a CAS provider, and I am having difficulty deploying this app
with Mono.

It is working successfully on a couple Windows 2008R2 / IIS7 deployments,
but it does not function on an Ubuntu 12.04/Apache 2.2/Mono stack. My best
guess is that the FormsAuthentication loginUrl does not map the same on Mono
as it does in the Windows/IIS7 environment.

Working Web.config (on Windows/IIS7):

<system.web>
    <authentication mode="Forms">
        <forms loginUrl="http://[CAS provider FQDN]/cas/login"
               timeout="30"
               defaultUrl="~/Default.aspx"
               cookieless="UseCookies"
               slidingExpiration="true"
               path="/" />
    </authentication>
[--snip--]
</system.web>


Behavior on Windows/IIS7:
1) User attempts to access restricted page ("restricted.aspx")
2) Web server redirects to loginUrl defined in Web.config
Response header:
Location	http://[CAS provider FQDN]/cas/login?service=[referring restricted page]
3) User is able to log in ... here is the sequence of responses:
GET restricted.aspx 302 Found
GET http://[CAS provider FQDN]/cas/login?service=[referring restricted page] 302 Found
GET restricted.aspx?ticket=EXAMPLE49kniGFfXNCw02yZPs 302 Found
GET restricted.aspx 200 OK

(The DotNetCasClient module handles the ticket to create a .ASPXAUTH cookie)


Behavior on Mono/Apache 2.2:
1) User attempts to access restricted page ("restricted.aspx")
2) Web server redirects to loginUrl defined in Web.config
HOWEVER, the loginUrl is mapped to the application virtual path and not to
the full address:
Response header:
Location	/[app virtual folder]/http://[CAS provider FQDN]/cas/login?ReturnUrl=[referring restricted page]
3) Sequence of responses in this scenario:
GET restricted.aspx 302 Found
GET http://[CAS provider FQDN]/cas/login?service=[referring restricted page] 400 Bad Request

HTTP 500 '/app_name/http:/[CAS provider FQDN]/cas/login' is not a valid virtual path.

Mono appears to handle the loginUrl differently than IIS7. Whereas IIS7 will
simply direct the user client to the remote location, Mono maps the loginUrl
to the application virtual path resulting in a garbage URL.

------

As a workaround, I have tried adding a Redirect statement in the Apache
virtual host configuration, but this results in a different problem where
the CAS client fails to authenticate resulting in an infinite loop of
redirects ... which I was not able to troubleshoot. I did however replicate
the infinite redirect loop on IIS7 by adding an HTTP redirect there so I
think the CAS client or provider just does not tolerate HTTP redirects ...
which leaves me wishing Mono could simply handle the loginUrl path
appropriately in the first place.

Any assistance would be very appreciated.

Patrick

p.s. here are some resources for DotNetCasClient:
https://wiki.jasig.org/display/CASC/.Net+Cas+Client
https://github.com/Jasig/dotnet-cas-client/

p.p.s. The CAS provider is actually on the same web server right now (a WSGI
app) with the ASP Mono application in a separate virtual folder. This may
not always be the case, and I do not think it is causing the problem as the
response headers clearly show a difference in the Location attributes. On
the working IIS7 server, both the CAS provider and ASP app are installed
together and work flawlessly with the same web.config using the server's own
FQDN to locate the /cas/login URL.



--
View this message in context: http://mono.1490590.n4.nabble.com/FormsAuthentication-loginUrl-not-mapping-properly-on-mono-vs-IIS7-tp4657578.html
Sent from the Mono - ASP.NET mailing list archive at Nabble.com.
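
Added example, not part of the original post and not DotNetCasClient code: a small Python check that classifies the Location header of the 302 issued for a protected page, separating the absolute redirect reported on IIS7 from the virtual-path-prefixed form reported on Mono. The host names, application path and function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# An absolute http(s) URL glued onto an application path, including the
# collapsed "http:/" form that appears in the HTTP 500 message.
_EMBEDDED_URL = re.compile(r"^/.*?\b(https?):/{1,2}([^/?#:]+)", re.IGNORECASE)


def classify_login_redirect(location, expected_cas_host):
    """Classify the Location header of a 302 issued for a protected page."""
    parts = urlsplit(location)
    params = parse_qs(parts.query)
    # CAS expects "service"; stock forms authentication appends "ReturnUrl".
    return_param = next((p for p in ("service", "ReturnUrl") if p in params), None)

    if parts.scheme in ("http", "https") and parts.hostname:
        # Absolute redirect: confirm it points at the intended CAS server.
        host = parts.hostname
        same = host == expected_cas_host.lower()
        verdict = "external-login" if same else "unexpected-host"
    else:
        embedded = _EMBEDDED_URL.match(parts.path)
        if embedded:
            # loginUrl was resolved against the application virtual path.
            host = embedded.group(2).lower()
            verdict = "mangled-virtual-path"
        else:
            host, verdict = None, "app-relative"
    return {"verdict": verdict, "host": host, "return_param": return_param}


# Constructed sample headers modelled on the two behaviours in the post.
SAMPLES = {
    "iis7": "http://cas.example.test/cas/login"
            "?service=http%3A%2F%2Fapp.example.test%2Fmyapp%2Frestricted.aspx",
    "mono": "/myapp/http://cas.example.test/cas/login"
            "?ReturnUrl=%2Fmyapp%2Frestricted.aspx",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, classify_login_redirect(header, "cas.example.test"))
```
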