Re: authorization problems

From: Larry Hastings (greg.NOSPAM.@NOSPAM.unixsucks.com)
Date: 12/04/02


From: "Larry Hastings" <greg.NOSPAM.@NOSPAM.unixsucks.com>
Date: Wed, 4 Dec 2002 09:26:25 -0600


401 is a status code reserved in the RFC for failed server security negotiations.
As far as forms are concerned, regardless of whether you are authorised or
not you are still supposed to get back some content, and the only way to do
that is to send you back a 200 status code. If the server sent back 401 then
your IE would pop up a login screen asking for username and password.

--
G
http://www.unixsucks.com
"Jason Chiu" <qysjc@yahoo.com.tw> wrote in message
news:uAleOx2mCHA.2412@TK2MSFTNGP09...
> I encounter the same problem.
> When I use forms authentication, the response.StateCode is always 200 and
> it redirects to the login page.
> When I use Windows authentication, response.StateCode can get 401, so I
> think it is a bug.
>
> Maybe you can write a custom HTTP module, do the URL authorization yourself,
> and attach it to the HTTP modules pipeline.
>
> "Sascha Ellerhoff" <sellerhoff@itbnet.de> wrote in message
> news:#GX5TwrlCHA.2224@tkmsftngp02...
> > hello newsgroup!
> >
> > I am trying to have a secure web site. I use the ASP.NET security features
> > 'forms authentication' and 'URL authorization'.
> > Forms authentication does a correct job with cookies etc. But I think
> > authorization causes problems.
> >
> > Situation:
> > I have a public web site with secure subdirs.
> >
> > If a user chooses one of the secure dirs, login.aspx opens. This is
> > right.
> > A user with correct credentials and rights to enter the directory is
> > redirected to the right web site.
> >
> > Problem:
> > Users with correct credentials but without rights do NOT get the HTTP 401
> > access denied message.
> > (Microsoft's MSDN describes that the user will get this error.)
> > Instead, users stay authenticated (but without authorization) on the
> > login page with no information about what happened.
> >
> > Question: Does the authorization act wrong? Does my configuration in
> > web.config have mistakes?
> >
> > web.config:
> >
> > <?xml version="1.0" encoding="utf-8" ?>
> > <configuration>
> >     <system.web>
> >         <compilation defaultLanguage="vb" debug="true" />
> >         <customErrors mode="Off" />
> >         <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
> >         <authentication mode="Forms">
> >             <forms path="/" name="WeckeAuth" loginUrl="login.aspx">
> >                 <credentials passwordFormat="Clear">
> >                     <user name="admin1" password="geheim" />
> >                     <user name="admin2" password="geheim" />
> >                 </credentials>
> >             </forms>
> >         </authentication>
> >         <authorization>
> >             <allow users="*" />
> >         </authorization>
> >     </system.web>
> >
> >     <location path="admindir1">
> >         <system.web>
> >             <authorization>
> >                 <allow users="admin1" />
> >                 <deny users="*" />
> >             </authorization>
> >         </system.web>
> >     </location>
> >
> >     <location path="admindir2">
> >         <system.web>
> >             <authorization>
> >                 <allow users="admin2" />
> >                 <deny users="*" />
> >             </authorization>
> >         </system.web>
> >     </location>
> > </configuration>
> >
> >
> >
> > only admin1 has access to admindir1
> > only admin2 has access to admindir2
> >
> > If admin2 uses his credentials in admindir1 he does not get an error message.
> > He stays on the login page.
> >
> > Does someone know my problem?
> > Is the protection of the subdirs wrong?
> >
> >
> > thx 4 help
> > Sascha
> >
> >
> >
> >
> >
> >
>
>
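
The custom HTTP module suggested in the thread could look like the following. This is an added example, not code from any of the posters: it answers a signed-in user who fails URL authorization with 403 instead of the login redirect. It assumes ASP.NET 2.0 or later on .NET Framework (for `PostAuthenticateRequest` and `UrlAuthorizationModule.CheckUrlAccessForPrincipal`); the class name is hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical module name. Register it in web.config under
// <system.web><httpModules> with:
//   <add name="ForbiddenModule" type="ForbiddenInsteadOfLoginModule" />
public sealed class ForbiddenInsteadOfLoginModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires after the forms cookie has been turned into Context.User,
        // and before UrlAuthorizationModule handles AuthorizeRequest.
        app.PostAuthenticateRequest += OnPostAuthenticate;
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Anonymous users keep the stock behaviour: 401 turned into a
        // redirect to loginUrl by the forms authentication module.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated) return;

        // The forms module marks the login page itself as exempt.
        if (ctx.SkipAuthorization) return;

        // Evaluate the same <authorization> rules from web.config
        // (e.g. allow admin1 / deny * on admindir1) for this principal.
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            ctx.Request.Path, ctx.User, ctx.Request.HttpMethod);
        if (allowed) return;

        // Authenticated but not authorized: say so explicitly. A 403 is
        // not rewritten into a login redirect, unlike a 401.
        ctx.Response.Clear();
        ctx.Response.StatusCode = 403;
        ctx.Response.StatusDescription = "Forbidden";
        ctx.Response.Write(
            "You are signed in, but this account may not access this directory.");
        app.CompleteRequest();
    }

    public void Dispose() { }
}
```

With the configuration quoted above, admin2 requesting a page under admindir1 would receive the 403 response, while an anonymous visitor is still sent to login.aspx.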

