Re: authorization problems

From: Jason Chiu (qysjc@yahoo.com.tw)
Date: 12/06/02


From: "Jason Chiu" <qysjc@yahoo.com.tw>
Date: Fri, 6 Dec 2002 16:59:32 +0800


Thanks for your response.

I read
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetauthorization.asp
and
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true ,
and it says:
- Given a set of merged rules for a URL, the system starts at the head of
the list and checks rules until the first match is found. Note that the
default configuration for ASP.NET contains an <allow users="*"> element,
which authorizes all users. If no rules match, the request is allowed unless
otherwise denied. If a match is found and the match is a <deny> element, it
returns 401. Applications or sites can easily configure a <deny users="*">
element at the top level of their site or application to prevent this
behavior.
If an <allow> matches, the module does nothing and lets the request be
processed further.

There is also a <location> tag that you can use to specify a particular file
or directory to which settings wrapped by that tag (between <location> and
</location> tags) should apply.

- When the UrlAuthorizationModule is called, it checks for an
<authorization> tag in Machine.config and Web.config. If present, it
retrieves the IPrincipal object from HttpContext.User and checks to see
whether the user is authorized to access the requested resource using the
specified verb (GET, POST, and so on).
If the user is not authorized, the UrlAuthorizationModule calls
HttpApplication.CompleteRequest, which aborts normal message processing. The
UrlAuthorizationModule returns an HTTP 401 status code.

If status code 401 is reserved in the RFC and the server sends back a 200
status code, how can I know the user is not authorized?

"Larry Hastings" <greg.NOSPAM.@NOSPAM.unixsucks.com> wrote in message
news:uus7ldf5g3jfda@corp.supernews.com...
> 401 is the status code reserved in the RFC for failed server security
> negotiations.
> As far as forms are concerned, then regardless of whether you are authorised
> or not you are still supposed to get back some content, and the only way to do
> that is to send you back a 200 status code. If the server sent back 401,
> then your IE would pop up a login screen asking for username and password.
>
> --
>
> G
> http://www.unixsucks.com
> "Jason Chiu" <qysjc@yahoo.com.tw> wrote in message
> news:uAleOx2mCHA.2412@TK2MSFTNGP09...
> > I encounter the same problem.
> > When I use Forms authentication, Response.StatusCode is always 200 and
> > it redirects to the login page.
> > When I use Windows authentication, Response.StatusCode can be 401, so I
> > think it is a bug.
> >
> > Maybe you can write a custom HTTP module, do the URL authorization
> > yourself, and attach it to the HTTP modules pipeline.
> >
> > "Sascha Ellerhoff" <sellerhoff@itbnet.de> wrote in message
> > news:#GX5TwrlCHA.2224@tkmsftngp02...
> > > hello newsgroup!
> > >
> > > I try to have a secure web. I use the ASP.NET security features 'forms
> > > authentication' and 'URL authorization'.
> > > Forms authentication does a correct job with cookies etc. But I think
> > > authorization causes problems.
> > >
> > > Situation:
> > > i have a public web site with secure subdirs.
> > >
> > > If a user chooses one of the secure dirs, login.aspx will open. This
> > > is right.
> > > A user with correct credentials and rights to enter the directory will be
> > > redirected to the right website.
> > >
> > > problem:
> > > Users with correct credentials but without rights do NOT get an HTTP 401
> > > access denied message.
> > > (In Microsoft's MSDN it is described that the user will get this error.)
> > > Instead, users stay authenticated (but without authorization) on the
> > > login page with no information about what happened.
> > >
> > > Question: Does the authorization act wrongly? Does my configuration in
> > > web.config have mistakes?
> > >
> > > web.config:
> > >
> > > <?xml version="1.0" encoding="utf-8" ?>
> > > <configuration>
> > >   <system.web>
> > >     <compilation defaultLanguage="vb" debug="true" />
> > >     <customErrors mode="Off" />
> > >     <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
> > >     <authentication mode="Forms">
> > >       <forms path="/" name="WeckeAuth" loginUrl="login.aspx">
> > >         <credentials passwordFormat="Clear">
> > >           <user name="admin1" password="geheim" />
> > >           <user name="admin2" password="geheim" />
> > >         </credentials>
> > >       </forms>
> > >     </authentication>
> > >     <!-- application-wide rule: everyone, including anonymous, is allowed -->
> > >     <authorization>
> > >       <allow users="*" />
> > >     </authorization>
> > >   </system.web>
> > >
> > >   <!-- admindir1: these rules are checked before the application-wide ones -->
> > >   <location path="admindir1">
> > >     <system.web>
> > >       <authorization>
> > >         <allow users="admin1" />
> > >         <deny users="*" />
> > >       </authorization>
> > >     </system.web>
> > >   </location>
> > >
> > >   <!-- admindir2: same pattern, admin2 only -->
> > >   <location path="admindir2">
> > >     <system.web>
> > >       <authorization>
> > >         <allow users="admin2" />
> > >         <deny users="*" />
> > >       </authorization>
> > >     </system.web>
> > >   </location>
> > > </configuration>
> > >
> > >
> > >
> > > Only admin1 has access to admindir1.
> > > Only admin2 has access to admindir2.
> > >
> > > If admin2 uses his credentials in admindir1 he does not get an error
> > > message. He stays on the login page.
> > >
> > > Does someone know my problem?
> > > Is the protection of the subdirs wrong?
> > >
> > >
> > > thx 4 help
> > > Sascha
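The rule-merging behaviour Jason quotes from MSDN, applied to Sascha's web.config, as an added example that is not code from the thread or from Microsoft. It is a Python model of what UrlAuthorizationModule does (most specific <location> rules first, then the application's rules, first match wins, no match means allow), plus the one step that explains the symptom: with <authentication mode="Forms">, the FormsAuthenticationModule turns the module's 401 into a 302 to loginUrl at the end of the request, so the browser never sees the 401. The config is embedded (trimmed to the authorization-relevant parts); the function names and the "login_page_view" decision are assumptions for illustration, not ASP.NET APIs.

```python
import xml.etree.ElementTree as ET

# Sascha's web.config from the thread, trimmed to what UrlAuthorizationModule
# reads; embedded here (constructed) so the example runs offline.
WEB_CONFIG = b"""<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms path="/" name="WeckeAuth" loginUrl="login.aspx" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="admindir1">
    <system.web><authorization>
      <allow users="admin1" /><deny users="*" />
    </authorization></system.web>
  </location>
  <location path="admindir2">
    <system.web><authorization>
      <allow users="admin2" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>
"""

ANONYMOUS = None  # user value for an unauthenticated request


def _split(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _rules(authorization):
    """(action, users, roles, verbs) for each <allow>/<deny>, in document order."""
    if authorization is None:
        return []
    return [(rule.tag, _split(rule.get("users", "")), _split(rule.get("roles", "")),
             [v.upper() for v in _split(rule.get("verbs", ""))])
            for rule in authorization if rule.tag in ("allow", "deny")]


def merged_rules(config_xml, request_path):
    """Ordered rule list for request_path: rules from <location> blocks that
    cover the path first (most specific first), then the application's own
    <system.web><authorization>.  machine.config's trailing <allow users="*">
    is modelled by the 'no match' default in is_authorized()."""
    root = ET.fromstring(config_xml)
    rel = request_path.lstrip("/")
    covering = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/")
        if rel == p or rel.startswith(p + "/"):
            covering.append((len(p), loc))
    covering.sort(key=lambda pair: -pair[0])
    rules = []
    for node in [loc for _, loc in covering] + [root]:
        rules.extend(_rules(node.find("system.web/authorization")))
    return rules


def is_authorized(config_xml, user, roles, verb, request_path):
    """Walk the merged list; the first rule that matches decides.
    '*' matches everyone, '?' matches anonymous, names and roles match exactly."""
    for action, users, rule_roles, verbs in merged_rules(config_xml, request_path):
        if verbs and verb.upper() not in verbs:
            continue
        matches = ("*" in users
                   or (user is ANONYMOUS and "?" in users)
                   or (user is not ANONYMOUS and user in users)
                   or any(r in rule_roles for r in roles))
        if matches:
            return action == "allow"
    return True  # no rule matched: allowed (machine.config default)


def status_seen_by_browser(config_xml, user, roles, verb, request_path):
    """UrlAuthorizationModule sets 401 on denial.  With <authentication mode="Forms">
    the FormsAuthenticationModule rewrites that 401 into a 302 to loginUrl at the end
    of the request, which is the 'always 200 / redirect to login page' Jason saw."""
    if is_authorized(config_xml, user, roles, verb, request_path):
        return 200
    auth = ET.fromstring(config_xml).find("system.web/authentication")
    mode = auth.get("mode") if auth is not None else None
    return 302 if mode == "Forms" else 401


def login_page_view(user):
    """What login.aspx should render (assumed fix).  Sascha's page showed the login
    form even to an already-authenticated user, so 'authenticated but not
    authorized' looked identical to 'not logged in'."""
    if user is ANONYMOUS:
        return "login form"
    return "access denied: %s is authenticated but not authorized" % user


if __name__ == "__main__":
    for who, path in ((ANONYMOUS, "/default.aspx"), (ANONYMOUS, "/admindir1/x.aspx"),
                      ("admin1", "/admindir1/x.aspx"), ("admin2", "/admindir1/x.aspx")):
        print(who, path, status_seen_by_browser(WEB_CONFIG, who, [], "GET", path))
```

The model shows that admin2 requesting admindir1 is correctly denied by the rules; what reaches the browser is a 302 to login.aspx?ReturnUrl=..., not a 401, so the only place the two cases can be told apart is the login page itself. The practical fix is for login.aspx to check Request.IsAuthenticated (User.Identity.IsAuthenticated) on load and show an access-denied message or redirect to an error page when the user is already logged in, instead of presenting the login form again. Separately, passwordFormat="Clear" stores the passwords in plain text in web.config; ASP.NET 1.x also supports passwordFormat="SHA1" with FormsAuthentication.HashPasswordForStoringInConfigFile, which is the better choice for a real deployment.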