Forms Authentication and Role-Based Security Issue
From: Clint Anderson (NoXSpamX_Clint@_SpamXNoThankYouX_DLS.net)
Date: 06/28/02
From: "Clint Anderson" <NoXSpamX_Clint@_SpamXNoThankYouX_DLS.net> Date: Fri, 28 Jun 2002 12:58:23 -0500
Here is the scenario:
1) A user logs in / is successfully authenticated and assigned roles.
2) There are two role possibilities - User & Admin
3) There are two directories in question - /User & /Admin
4) Web.Config file in the root of /Admin as follows:
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Admin" />
      <!-- Rules are evaluated top to bottom, first match wins. Without this
           closing rule, an authenticated user who is not in Admin falls
           through to the inherited default <allow users="*" />. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
5) Web.Config file in the root of /User as follows:
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="User" />
      <!-- Same closing rule as /Admin: keep authenticated non-User
           accounts from falling through to the inherited allow-all. -->
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
The problem is that if the user doesn't have the correct role to access the
directory, he/she is redirected back to the login screen, not to an
authorization-failed/access-denied screen. The user IS authenticated at
this point, just not authorized. I would like to redirect the user to a
friendly version of an access denied page instead.
I tried Todd M. Taylor's idea, and it appears to work.
Here is part of his post:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Assumptions:
The user is already AUTHENTICATED, but is being redirected back to the login
screen, that must mean that the user failed AUTHORIZATION for a certain
directory as defined in the web.config file.
###### Login.aspx ######
Private Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles MyBase.Load
    If Not Page.IsPostBack Then
        ' See if the user is already authenticated.
        ' If so, the "Roles" cookie should exist.
        Dim context As HttpContext = HttpContext.Current
        If (Not context.User Is Nothing) AndAlso _
           context.User.Identity.IsAuthenticated Then
            ' Authenticated but sent back to the login page: URL authorization
            ' failed, so show the friendly access-denied page instead.
            Response.Redirect("/AccessDenied.aspx")
        End If
    End If
End Sub
##########################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This does work, but it seems to me there should be a method, event,
something in ASP.NET to handle this.
It seems to me that this would be a very common issue. I cannot believe that
there isn't a "HttpContext.Current.User.Identity.IsAuthorized" or something
like that available in the "Application_AuthenticateRequest" event or a way
to hook/use the "System.Web.Security.UrlAuthorizationModule".
Or better yet, in Web.Config:
<authentication mode="Forms">
<forms loginUrl="/Login.aspx" deniedUrl="/AccessDenied.aspx" />
</authentication>
Microsoft has pretty much included the "Kitchen Sink" in .NET! Did they
really miss the boat on this one???
Any help or insight on this matter would be greatly appreciated!!!
Thanx in advance...
Cheers :-)
Clint
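The behaviour the post describes comes down to how ASP.NET evaluates `<authorization>` rules (top to bottom, first match wins, with the machine-level `<allow users="*" />` appended last) and to the fact that a 401 from URL authorization is turned into a redirect to `loginUrl` whether or not the user is authenticated. The model below is an added example, not code from the post or from ASP.NET; it assumes no deny rule is inherited from a root Web.Config, and the `decide` function implements the three-way outcome (allow, send to login, send to access denied) that the `deniedUrl` attribute the poster wishes for would give.

```python
"""Constructed model of ASP.NET <authorization> rule evaluation.

Rules are checked in order and the first match wins; the inherited default
<allow users="*"/> is always last, so a directory that only lists the roles it
allows must also end with <deny users="*"/> to keep other authenticated users out.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Principal:
    name: Optional[str]                    # None models the anonymous user ("?")
    roles: Set[str] = field(default_factory=set)

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


# A rule is (action, kind, value), e.g. ("deny", "users", "?") or ("allow", "roles", "Admin").
Rule = Tuple[str, str, str]
DEFAULT_ALLOW_ALL: Rule = ("allow", "users", "*")   # inherited from machine.config


def rule_matches(rule: Rule, user: Principal) -> bool:
    _, kind, value = rule
    if kind == "users":
        if value == "*":
            return True
        if value == "?":
            return not user.is_authenticated
        return user.name == value
    if kind == "roles":
        return value in user.roles
    raise ValueError("unknown rule kind: %r" % kind)


def authorize(rules: List[Rule], user: Principal) -> bool:
    """True if the first matching rule (default allow-all included) is an allow."""
    for rule in rules + [DEFAULT_ALLOW_ALL]:
        if rule_matches(rule, user):
            return rule[0] == "allow"
    return False  # unreachable: the default rule matches everyone


def decide(rules: List[Rule], user: Principal,
           login_url: str = "/Login.aspx", denied_url: str = "/AccessDenied.aspx") -> str:
    """Anonymous and denied -> login page; authenticated and denied -> access denied page."""
    if authorize(rules, user):
        return "allow"
    return login_url if not user.is_authenticated else denied_url


# The /Admin rules exactly as posted, and the same rules closed with an explicit deny.
ADMIN_AS_POSTED: List[Rule] = [("deny", "users", "?"), ("allow", "roles", "Admin")]
ADMIN_CLOSED: List[Rule] = ADMIN_AS_POSTED + [("deny", "users", "*")]
```

Running `decide(ADMIN_AS_POSTED, Principal("clint", {"User"}))` returns "allow" because the request falls through to the inherited default, while `ADMIN_CLOSED` returns "/AccessDenied.aspx" for the same user and "/Login.aspx" for an anonymous one.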