Microsoft Internet Security and Acceleration Server 2004 SDK
The ISA Server Web proxy includes a pointer to the WPX_HTTP_FILTER_AUTH_COMPLETE_INFO structure in the notification that it sends to Web filters after it has successfully completed authentication. If your filter should be notified for this event, it must register to receive SF_NOTIFY_AUTH_COMPLETE notifications. For more information about the types of event notifications that are sent to Web filters, see Event Notifications.
typedef struct WPX_HTTP_FILTER_AUTH_COMPLETE_INFO {
  BOOL (WINAPI)* GetHeader;
  BOOL (WINAPI)* SetHeader;
  BOOL (WINAPI)* AddHeader;
  BOOL (WINAPI)* GetUserToken;
  DWORD HttpStatus;
  BOOL fResetAuth;
  DWORD dwReserved;
  BOOL (WINAPI)* SetUserCachingKey;
} WPX_HTTP_FILTER_AUTH_COMPLETE_INFO;
This structure allows you to view the method, URL, version, or headers, or to modify the headers sent from the client. It also allows you to set the caching key for this request. You can use this to provide a different caching key for each user.
The SF_NOTIFY_AUTH_COMPLETE notification occurs after the client's identity has been negotiated with the client, or when the client is anonymous. Because of the timing of this notification, the AUTH_USER server variable can be used to reliably obtain the identity of the user. The structure also provides a way to retrieve a copy of the token that ISA Server will use to impersonate the client when processing the request.
Every authentication scheme should end in one of two outcomes: SF_NOTIFY_AUTH_COMPLETE (authentication), which gives the filter a handle to a token of the user to be impersonated, or ACCESS_DENIED, when the user is not recognized by the system.
SF_NOTIFY_AUTH_COMPLETE notification may be used for:
Note: If a filter needs to add authorization headers after a request is authenticated and before the request is sent to the upstream Web server, it must do so by parsing the request in the SF_NOTIFY_FORWARD_RAW_DATA notification, rather than in the SF_NOTIFY_AUTH_COMPLETE notification.
This is because, once the request is authenticated, ISA Server removes every authorization header before sending the request on to the upstream Web server. (In forward-proxy scenarios, it removes proxy authorization headers. In reverse-proxy scenarios, it removes authorization headers.) Therefore, even if the filter adds an authorization header in the SF_NOTIFY_AUTH_COMPLETE notification, that header will be removed.
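The header insertion that the note above moves to SF_NOTIFY_FORWARD_RAW_DATA comes down to editing raw request bytes, shown here as an added example that is not SDK code. The helper name insert_header_raw is hypothetical, the sample request is constructed, and the example assumes the complete header block arrives in one buffer; obtaining the buffer from the notification and handing it back is not shown.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of the ISA Server SDK. Inserts
 * "name: value\r\n" before the blank line that ends the header block of a
 * raw HTTP request in buf[0..len); cap is the buffer's total capacity.
 * Returns the new length, or 0 if the buffer was left unchanged. */
size_t insert_header_raw(char *buf, size_t len, size_t cap,
                         const char *name, const char *value)
{
    size_t nlen = strlen(name), vlen = strlen(value);
    size_t add = nlen + 2 + vlen + 2;   /* name ": " value CRLF */
    size_t end = 0, i;

    /* Reject CR/LF (and ':' in the name) so the inserted line cannot
     * carry extra headers or split the request. */
    if (nlen == 0 || strpbrk(name, "\r\n:") || strpbrk(value, "\r\n"))
        return 0;

    /* Find the first CRLF CRLF; 'end' is where the blank line starts. */
    for (i = 0; i + 4 <= len; i++) {
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) { end = i + 2; break; }
    }
    if (end == 0)                       /* header block not complete yet */
        return 0;
    if (len > cap || add > cap - len)   /* no room: never write past cap */
        return 0;

    /* Move the blank line and any body bytes, then write the new line. */
    memmove(buf + end + add, buf + end, len - end);
    memcpy(buf + end, name, nlen);
    memcpy(buf + end + nlen, ": ", 2);
    memcpy(buf + end + nlen + 2, value, vlen);
    memcpy(buf + end + nlen + 2 + vlen, "\r\n", 2);
    return len + add;
}

int main(void)
{
    /* Constructed sample request; the credential value is a placeholder. */
    char buf[256] = "GET /app HTTP/1.1\r\nHost: internal.example\r\n\r\n";
    size_t n = insert_header_raw(buf, strlen(buf), sizeof buf,
                                 "Authorization", "Basic PLACEHOLDER");
    fwrite(buf, 1, n, stdout);
    return n ? 0 : 1;
}
```

A return value of 0 means the request was left untouched, so the caller can forward it unmodified or reject it rather than send a partially edited buffer.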
Server: Requires Windows Server 2003 or Windows 2000.
Version: Requires Internet Security and Acceleration Server 2004.
Header: Declared in Wpxhttpfilt.h.