Form Authentication and XmlDocument.Load

Question

I'm running an asp.net web application with c#. The following is used: - Windows 2003 server - IIS6.0 - .net Framework 2.0.50727

I'm trying to implement Forms Authentication and have entered the following code in the Web.Config file:

<authentication mode="Forms"> 
  <forms loginUrl="01_Login.aspx" 
         name=".ASPXFORMSAUTH" 
         defaultUrl="02_PendingDoc.aspx" 
         timeout="120" 
         path="/" 
         protection="All" 
         enableCrossAppRedirects="true"> 
  </forms> 
</authentication> 

<authorization> 
  <deny users="?"/> 
  <allow users="*"/> 
</authorization>

The login is working as expected, the users can't access any pages other than the 01_Login.aspx until they logged in with a valid username and password. When the user provides the correct login details the following code is done:

FormsAuthentication.RedirectFromLoginPage(logLogin.UserName, false);

However, when the user clicks on a button the following code is run:

//Load xml file into XMLDocument object 
XmlDocument xmlDoc = new XmlDocument(); 

try 
{ 
        xmlDoc.Load("SearchConfig.xml"); 
} 
catch (XmlException e) 
{ 
      Console.WriteLine(e.Message); 
}

The xmlDoc.Load function above will fail and create an XmlException with the following message "{"Expected DTD markup was not found. Line 5, position 3."}". I have also tried to comment out the following part of the Web.Config file:

<deny users="?"/>

And then the xmlDoc.Load function works, but of course, then the users can access all of my applications pages.

Anyone, that have any idea what I've done wrong?

You'll have to show us the XML you're trying to load, if you want us to help you with an error you get while loading the XML. Also, always display ex.ToString() instead of ex.Message. — John Saunders, Jan 21 '10 at 05:31
You might be using DTD references its older style xml validation now xsd/xmlschema is used. You need to put content of serchconfig.xml. — particle, Jan 21 '10 at 05:35

score 0 · Answer 1 · answered Jan 21 '10 at 06:13

<?xml version="1.0"?>
<BankSearch><SearchColumns>
    <Column>
        <Name>Bank_Name</Name>
        <Control>TextBox</Control>
        <Description>Bank Name</Description>
    </Column>
</SearchColumns>
<SearchStoredProc Name="usp_BankSearch">
    <Parameter1 control="txtBank_Name">@Bank_Name</Parameter1>
</SearchStoredProc>
<DisplayColumns>
    <Column HeaderText="Bank Name" HyperLinkColumn="True" NavigateUrl="~/Bank/Bank.aspx"  NavigateUrlFields="Bank_Id"   QueryStrings="BID">Bank_Name</Column>       
    <Column HeaderText="Bank Address">Bank_Address</Column>
    <Column HeaderText="Bank Email Id">BANK_EMAIL_ID</Column>
    <Column HeaderText="Bank Phone">Bank_Phone</Column>
    <Column HeaderText="Bank Fax">BANK_FAX_NO</Column>
    <Column HeaderText="City">City</Column>
    <Column HeaderText="Postal Code">POSTAL_CODE</Column>
    <Column HeaderText="State">STATE_NAME</Column>
    <Column HeaderText="Country">Country_Name</Column>              
</DisplayColumns>

Ignore · Answer 2 · 2020-01-21T11:29:25.197

if you are using forms authentication, even if you are already logged in, xmlDocument is going to the loging page first. This page is not an XML file. Hence the exception. I saw a suggestion that this could work:

void Main()
{
    XmlUrlResolver resolver = new XmlUrlResolver();
    resolver.Credentials = CredentialCache.DefaultCredentials;

    var x = new XmlDocument();
    x.XmlResolver = resolver;
    x.Load("https://yourUrl");
}

It sounds like a good advice but i could not get it work. I will try to get the xml using a web request instead. Because when I use a web browser, the xml is returned without needing to log on again through forms authentication.

Finally found the solution. As I explained this is due to using forms authentication. I was thinking once HTTPS is established all communication from the application will have authorization automatically. However, calls to back-end applications require authentication. That is why instead of getting back the xml I was getting an html page which is the login page. I managed to bypass the forms authentication by adding the authentication cookie as below:

var httpCookie = FormsAuthentication.GetAuthCookie(context.User.Identity.Name, false);
var cookie = new Cookie(httpCookie.Name, httpCookie.Value, httpCookie.Path, HttpContext.Current.Request.Url.Host);
var rq = (HttpWebRequest) WebRequest.Create(url);
rq.CookieContainer = new CookieContainer();
rq.CookieContainer.Add(cookie);
var rs = (HttpWebResponse) rq.GetResponse();                
var strm = rs.GetResponseStream();
var rdr = new StreamReader(strm);
var str = rdr.ReadToEnd();
var userDetails = new XmlDocument();                
userDetails.LoadXml(str);

This is an exact replica of my problem but the suggested solution has not worked for me. https://stackoverflow.com/questions/7789038/c-sharp-wont-load-a-certain-xml-but-works-in-browser — Ignore, Jan 15 '20 at 17:30

Form Authentication and XmlDocument.Load

2 Answers2

Linked