Securing Static Resources with Windows Azure Active Directory Authentication
Visual Studio 2013 RC has a very useful feature of creating new ASP.NET application that are configured with Windows Azure Active Directory authentication. You can read more about it here
If you open web.config file of such project that is secured with Windows Azure Active Directory, you will see following section:
- <add name=“WSFederationAuthenticationModule“ type=“System.IdentityModel.Services.WSFederationAuthenticationModule, System.IdentityModel.Services, Version=184.108.40.206, Culture=neutral, PublicKeyToken=b77a5c561934e089“ preCondition=“managedHandler“ />
- <add name=“SessionAuthenticationModule“ type=“System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=220.127.116.11, Culture=neutral, PublicKeyToken=b77a5c561934e089“ preCondition=“managedHandler“ />
As you might know, WSFederationAuthenticationModule is the one that is responsible for authenticating incoming requests. However, this module runs only for those requests that go through ASP.NET pipeline. To enable it for all the incoming requests, including those for static files like images, you will have to enable RAMMFAR setting as below:
- <modules runAllManagedModulesForAllRequests=“true“>
This way you can secure your entire application with WSFederationAuthenticationModule.
Note that RAMMFAR generally has performance implications. It should be turned on only if static resources in a website need to be secured with Windows Azure Active Directory authentication.