2 // System.Web.Security.FormsAuthentication
5 // Gonzalo Paniagua Javier (gonzalo@ximian.com)
7 // (C) 2002,2003 Ximian, Inc (http://www.ximian.com)
8 // Copyright (c) 2005-2010 Novell, Inc (http://www.novell.com)
12 // Permission is hereby granted, free of charge, to any person obtaining
13 // a copy of this software and associated documentation files (the
14 // "Software"), to deal in the Software without restriction, including
15 // without limitation the rights to use, copy, modify, merge, publish,
16 // distribute, sublicense, and/or sell copies of the Software, and to
17 // permit persons to whom the Software is furnished to do so, subject to
18 // the following conditions:
20 // The above copyright notice and this permission notice shall be
21 // included in all copies or substantial portions of the Software.
23 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
24 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
25 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
26 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
27 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
28 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
29 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
32 using System.Collections;
34 using System.Security.Cryptography;
35 using System.Security.Permissions;
38 using System.Web.Configuration;
39 using System.Web.Compilation;
40 using System.Web.Util;
41 using System.Globalization;
42 using System.Collections.Specialized;
44 namespace System.Web.Security
46 // CAS - no InheritanceDemand here as the class is sealed
47 [AspNetHostingPermission (SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
48 public sealed class FormsAuthentication
50 static string authConfigPath = "system.web/authentication";
51 static string machineKeyConfigPath = "system.web/machineKey";
52 static object locker = new object ();
53 static bool initialized;
54 static string cookieName;
55 static string cookiePath;
57 static FormsProtectionEnum protection;
58 static bool requireSSL;
59 static bool slidingExpiration;
60 static string cookie_domain;
61 static HttpCookieMode cookie_mode;
62 static bool cookies_supported;
63 static string default_url;
64 static bool enable_crossapp_redirects;
65 static string login_url;
66 // same names and order used in xsp
67 static string [] indexFiles = { "index.aspx",
72 public static TimeSpan Timeout {
76 public static bool IsEnabled {
77 get { return initialized; }
80 public static void EnableFormsAuthentication (NameValueCollection configurationData)
82 BuildManager.AssertPreStartMethodsRunning ();
83 if (configurationData == null || configurationData.Count == 0)
86 string value = configurationData ["loginUrl"];
87 if (!String.IsNullOrEmpty (value))
90 value = configurationData ["defaultUrl"];
91 if (!String.IsNullOrEmpty (value))
94 public FormsAuthentication ()
98 public static bool Authenticate (string name, string password)
100 if (name == null || password == null)
104 HttpContext context = HttpContext.Current;
106 throw new HttpException ("Context is null!");
108 name = name.ToLower (Helpers.InvariantCulture);
110 AuthenticationSection section = (AuthenticationSection) WebConfigurationManager.GetSection (authConfigPath);
111 FormsAuthenticationCredentials config = section.Forms.Credentials;
112 FormsAuthenticationUser user = config.Users[name];
113 string stored = null;
116 stored = user.Password;
121 bool caseInsensitive = true;
122 switch (config.PasswordFormat) {
123 case FormsAuthPasswordFormat.Clear:
124 caseInsensitive = false;
127 case FormsAuthPasswordFormat.MD5:
128 password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
130 case FormsAuthPasswordFormat.SHA1:
131 password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.SHA1);
135 return String.Compare (password, stored, caseInsensitive ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal) == 0;
138 static FormsAuthenticationTicket Decrypt2 (byte [] bytes)
140 if (protection == FormsProtectionEnum.None)
141 return FormsAuthenticationTicket.FromByteArray (bytes);
143 MachineKeySection config = (MachineKeySection) WebConfigurationManager.GetWebApplicationSection (machineKeyConfigPath);
144 byte [] result = null;
145 if (protection == FormsProtectionEnum.All) {
146 result = MachineKeySectionUtils.VerifyDecrypt (config, bytes);
147 } else if (protection == FormsProtectionEnum.Encryption) {
148 result = MachineKeySectionUtils.Decrypt (config, bytes);
149 } else if (protection == FormsProtectionEnum.Validation) {
150 result = MachineKeySectionUtils.Verify (config, bytes);
153 return FormsAuthenticationTicket.FromByteArray (result);
156 public static FormsAuthenticationTicket Decrypt (string encryptedTicket)
158 if (String.IsNullOrEmpty (encryptedTicket))
159 throw new ArgumentException ("Invalid encrypted ticket", "encryptedTicket");
163 FormsAuthenticationTicket ticket;
164 byte [] bytes = Convert.FromBase64String (encryptedTicket);
167 ticket = Decrypt2 (bytes);
168 } catch (Exception) {
175 public static string Encrypt (FormsAuthenticationTicket ticket)
178 throw new ArgumentNullException ("ticket");
181 byte [] ticket_bytes = ticket.ToByteArray ();
182 if (protection == FormsProtectionEnum.None)
183 return Convert.ToBase64String (ticket_bytes);
185 byte [] result = null;
186 MachineKeySection config = (MachineKeySection) WebConfigurationManager.GetWebApplicationSection (machineKeyConfigPath);
188 if (protection == FormsProtectionEnum.All) {
189 result = MachineKeySectionUtils.EncryptSign (config, ticket_bytes);
190 } else if (protection == FormsProtectionEnum.Encryption) {
191 result = MachineKeySectionUtils.Encrypt (config, ticket_bytes);
192 } else if (protection == FormsProtectionEnum.Validation) {
193 result = MachineKeySectionUtils.Sign (config, ticket_bytes);
196 return Convert.ToBase64String (result);
199 public static HttpCookie GetAuthCookie (string userName, bool createPersistentCookie)
201 return GetAuthCookie (userName, createPersistentCookie, null);
204 public static HttpCookie GetAuthCookie (string userName, bool createPersistentCookie, string strCookiePath)
208 if (userName == null)
209 userName = String.Empty;
211 if (strCookiePath == null || strCookiePath.Length == 0)
212 strCookiePath = cookiePath;
214 DateTime now = DateTime.Now;
216 if (createPersistentCookie)
217 then = now.AddYears (50);
219 then = now.AddMinutes (timeout);
221 FormsAuthenticationTicket ticket = new FormsAuthenticationTicket (1,
225 createPersistentCookie,
229 if (!createPersistentCookie)
230 then = DateTime.MinValue;
232 HttpCookie cookie = new HttpCookie (cookieName, Encrypt (ticket), strCookiePath, then);
234 cookie.Secure = true;
235 if (!String.IsNullOrEmpty (cookie_domain))
236 cookie.Domain = cookie_domain;
241 internal static string ReturnUrl {
242 get { return HttpContext.Current.Request ["RETURNURL"]; }
245 public static string GetRedirectUrl (string userName, bool createPersistentCookie)
247 if (userName == null)
251 HttpRequest request = HttpContext.Current.Request;
252 string returnUrl = ReturnUrl;
253 if (returnUrl != null)
256 returnUrl = request.ApplicationPath;
257 string apppath = request.PhysicalApplicationPath;
260 foreach (string indexFile in indexFiles) {
261 string filePath = Path.Combine (apppath, indexFile);
262 if (File.Exists (filePath)) {
263 returnUrl = UrlUtils.Combine (returnUrl, indexFile);
270 returnUrl = UrlUtils.Combine (returnUrl, "index.aspx");
275 static string HashPasswordForStoringInConfigFile (string password, FormsAuthPasswordFormat passwordFormat)
277 if (password == null)
278 throw new ArgumentNullException ("password");
281 switch (passwordFormat) {
282 case FormsAuthPasswordFormat.MD5:
283 bytes = MD5.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
286 case FormsAuthPasswordFormat.SHA1:
287 bytes = SHA1.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
291 throw new ArgumentException ("The format must be either MD5 or SHA1", "passwordFormat");
294 return MachineKeySectionUtils.GetHexString (bytes);
297 public static string HashPasswordForStoringInConfigFile (string password, string passwordFormat)
299 if (password == null)
300 throw new ArgumentNullException ("password");
302 if (passwordFormat == null)
303 throw new ArgumentNullException ("passwordFormat");
305 if (String.Compare (passwordFormat, "MD5", StringComparison.OrdinalIgnoreCase) == 0) {
306 return HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
307 } else if (String.Compare (passwordFormat, "SHA1", StringComparison.OrdinalIgnoreCase) == 0) {
308 return HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.SHA1);
310 throw new ArgumentException ("The format must be either MD5 or SHA1", "passwordFormat");
314 public static void Initialize ()
323 AuthenticationSection section = (AuthenticationSection)WebConfigurationManager.GetSection (authConfigPath);
324 FormsAuthenticationConfiguration config = section.Forms;
326 cookieName = config.Name;
327 Timeout = config.Timeout;
328 timeout = (int)config.Timeout.TotalMinutes;
329 cookiePath = config.Path;
330 protection = config.Protection;
331 requireSSL = config.RequireSSL;
332 slidingExpiration = config.SlidingExpiration;
333 cookie_domain = config.Domain;
334 cookie_mode = config.Cookieless;
335 cookies_supported = true; /* XXX ? */
336 if (!String.IsNullOrEmpty (default_url))
337 default_url = MapUrl (default_url);
339 default_url = MapUrl(config.DefaultUrl);
340 enable_crossapp_redirects = config.EnableCrossAppRedirects;
341 if (!String.IsNullOrEmpty (login_url))
342 login_url = MapUrl (login_url);
344 login_url = MapUrl(config.LoginUrl);
350 static string MapUrl (string url) {
351 if (UrlUtils.IsRelativeUrl (url))
352 return UrlUtils.Combine (HttpRuntime.AppDomainAppVirtualPath, url);
354 return UrlUtils.ResolveVirtualPathFromAppAbsolute (url);
357 public static void RedirectFromLoginPage (string userName, bool createPersistentCookie)
359 RedirectFromLoginPage (userName, createPersistentCookie, null);
362 public static void RedirectFromLoginPage (string userName, bool createPersistentCookie, string strCookiePath)
364 if (userName == null)
368 SetAuthCookie (userName, createPersistentCookie, strCookiePath);
369 Redirect (GetRedirectUrl (userName, createPersistentCookie), false);
372 public static FormsAuthenticationTicket RenewTicketIfOld (FormsAuthenticationTicket tOld)
377 DateTime now = DateTime.Now;
378 TimeSpan toIssue = now - tOld.IssueDate;
379 TimeSpan toExpiration = tOld.Expiration - now;
380 if (toExpiration > toIssue)
383 FormsAuthenticationTicket tNew = tOld.Clone ();
384 tNew.SetDates (now, now + (tOld.Expiration - tOld.IssueDate));
388 public static void SetAuthCookie (string userName, bool createPersistentCookie)
391 SetAuthCookie (userName, createPersistentCookie, cookiePath);
394 public static void SetAuthCookie (string userName, bool createPersistentCookie, string strCookiePath)
396 HttpContext context = HttpContext.Current;
398 throw new HttpException ("Context is null!");
400 HttpResponse response = context.Response;
401 if (response == null)
402 throw new HttpException ("Response is null!");
404 response.Cookies.Add (GetAuthCookie (userName, createPersistentCookie, strCookiePath));
407 public static void SignOut ()
411 HttpContext context = HttpContext.Current;
413 throw new HttpException ("Context is null!");
415 HttpResponse response = context.Response;
416 if (response == null)
417 throw new HttpException ("Response is null!");
419 HttpCookieCollection cc = response.Cookies;
420 cc.Remove (cookieName);
421 HttpCookie expiration_cookie = new HttpCookie (cookieName, String.Empty);
422 expiration_cookie.Expires = new DateTime (1999, 10, 12);
423 expiration_cookie.Path = cookiePath;
424 if (!String.IsNullOrEmpty (cookie_domain))
425 expiration_cookie.Domain = cookie_domain;
426 cc.Add (expiration_cookie);
427 Roles.DeleteCookie ();
430 public static string FormsCookieName
438 public static string FormsCookiePath
446 public static bool RequireSSL {
453 public static bool SlidingExpiration {
456 return slidingExpiration;
460 public static string CookieDomain {
461 get { Initialize (); return cookie_domain; }
464 public static HttpCookieMode CookieMode {
465 get { Initialize (); return cookie_mode; }
468 public static bool CookiesSupported {
469 get { Initialize (); return cookies_supported; }
472 public static string DefaultUrl {
473 get { Initialize (); return default_url; }
476 public static bool EnableCrossAppRedirects {
477 get { Initialize (); return enable_crossapp_redirects; }
480 public static string LoginUrl {
481 get { Initialize (); return login_url; }
484 public static void RedirectToLoginPage ()
489 [MonoTODO ("needs more tests")]
490 public static void RedirectToLoginPage (string extraQueryString)
492 // TODO: if ? is in LoginUrl (legal?), ? in query (legal?) ...
493 Redirect (LoginUrl + "?" + extraQueryString);
496 static void Redirect (string url)
498 HttpContext.Current.Response.Redirect (url);
501 static void Redirect (string url, bool end)
503 HttpContext.Current.Response.Redirect (url, end);
projects / mono.git / blob