asp.net - Determine if current page requires authorization?

Question

So, I have web apps with web.configs like so:

<authorization>
  <deny users="?"/>
</authorization>
...
<location path="SomeUnsecuredPage.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

In other words, most pages require authentication and authorization, but some don't.

Then I have an IHttpModule that will be used by all the different applications. All I want to do is check if the current request is "secured" at all. If the page doesn't require authorization I don't want my IHttpModule to do anything at all. I am using FormsAuthentication and I assume that FormsAuthentication already has all of this information cached somewhere, doesn't it? Also, since this check will be running constantly so it has to be very quick.

I am currently subscribing to the HttpApplication.AuthorizeRequest, but surprisingly this event fires even for resources that allow anonymous access.

Any ideas? Thanks for reading!

Answer 1

Instead of creating a bootleg principal/identity you can just use a generic identity.

public bool IsAnonymousAccessAllowed()
{
   return UrlAuthorizationModule.CheckUrlAccessForPrincipal(Request.Path, new GenericPrincipal(new GenericIdentity(""), new string[0]), Request.RequestType);
}