Re: Forms Authentication behavior on request denial

From: "Paul Hatcher" <phatcher@cix.co.uk>
Date: Sat, 29 Mar 2003 05:56:26 -0800


Role-based authorisation is not supported out of the box
by Forms Authentication.

What you can do is write a page template to perform the
work for you - e.g. read the web.config to get the list of
roles authorised and then check if they are authorised.

You could then also get around your authorisation problem
by explicitly redirecting authenticated, unauthorised
users to the correct page.

Paul
>-----Original Message-----
>"John Saunders" <john.saunders@surfcontrol.com> wrote in message
>
>> You're seeing the expected behavior. This is how Forms Authentication
>> works.
>
>John,
>
>Thanks for the reply.
>
>Shouldn't a user who is not allowed access to a resource be redirected to an
>"Access Denied" page as opposed to the Login page?
>
>I get the same (undesired) behavior when I set the <authorization> as
>follows in the protected directory.
>
><authorization>
> <deny users="?" />
> <allow roles="Allowed Role, Etc" />
></authorization>
>
>As expected, all users are redirected to login.
>But ALL authenticated users who redirect back to the originally requested
>page are allowed access, not simply the ones who have the "Allowed Role" role.
>Shouldn't the authenticated users NOT in the <allow roles> setting be denied
>access?
>If not, then I need to PROGRAMMATICALLY add checks for IsInRole() to every
>page. Yuck.
>
>Thanks,
>
>David Dabbs
>
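One way to build the page template Paul describes, with the explicit redirect for authenticated but unauthorised users, as an added example that is not code from this thread or from either poster. It targets the .NET Framework 1.x-era ASP.NET of the thread. The appSettings keys `AllowedRoles` and `AccessDeniedUrl`, the page `~/AccessDenied.aspx`, and the idea that the login page stored the user's roles in the Forms Authentication ticket's `UserData` are all assumptions made for the example:

```csharp
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

namespace RoleCheckDemo
{
    // Base class for every page in the protected directory. Pages derive from
    // this instead of System.Web.UI.Page, so the check runs before any page
    // code. The config keys are hypothetical:
    //   <appSettings>
    //     <add key="AllowedRoles" value="Allowed Role, Etc" />
    //     <add key="AccessDeniedUrl" value="~/AccessDenied.aspx" />
    //   </appSettings>
    public class RoleCheckedPage : Page
    {
        private const string AllowedRolesKey = "AllowedRoles";
        private const string AccessDeniedUrlKey = "AccessDeniedUrl";

        // True only for an authenticated user holding at least one of the
        // comma-separated roles. Static so it can be exercised without a request.
        public static bool IsAuthorised(IPrincipal user, string allowedRoles)
        {
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
                return false;
            if (allowedRoles == null || allowedRoles.Trim().Length == 0)
                return false;   // nothing configured: fail closed, never open

            foreach (string raw in allowedRoles.Split(','))
            {
                string role = raw.Trim();
                if (role.Length > 0 && user.IsInRole(role))
                    return true;
            }
            return false;
        }

        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);

            // <deny users="?" /> normally bounces anonymous users to the login
            // page before they get here; IsAuthorised still rejects them if
            // the directory's web.config is ever misconfigured.
            string allowed = ConfigurationSettings.AppSettings[AllowedRolesKey];
            if (IsAuthorised(User, allowed))
                return;

            // Authenticated but in none of the allowed roles: redirect to the
            // "Access Denied" page ourselves instead of letting a 401 turn
            // into a redirect to the login page.
            string deniedUrl = ConfigurationSettings.AppSettings[AccessDeniedUrlKey];
            if (deniedUrl == null || deniedUrl.Length == 0)
                deniedUrl = "~/AccessDenied.aspx";   // assumed page name
            Response.Redirect(ResolveUrl(deniedUrl), true);
        }
    }

    // Global.asax code-behind. Forms Authentication alone attaches a principal
    // with an empty role list, so IsInRole would always be false. This handler
    // assumes (not something the thread describes) that the login page wrote
    // the user's roles, comma-separated, into the ticket's UserData.
    public class Global : HttpApplication
    {
        protected void Application_AuthenticateRequest(object sender, EventArgs e)
        {
            IPrincipal current = Context.User;
            if (current == null || !current.Identity.IsAuthenticated)
                return;

            FormsIdentity identity = current.Identity as FormsIdentity;
            if (identity == null)
                return;     // not a Forms Authentication ticket; leave it alone

            string userData = identity.Ticket.UserData;
            string[] roles = (userData == null || userData.Length == 0)
                ? new string[0]
                : userData.Split(',');
            for (int i = 0; i < roles.Length; i++)
                roles[i] = roles[i].Trim();

            // With the default protection="All" the ticket is encrypted and
            // MAC-protected, so the role list cannot be altered client-side.
            Context.User = new GenericPrincipal(identity, roles);
        }
    }
}
```

Two points worth checking against the quoted `<authorization>` element. First, URL authorization rules are evaluated in order and the first match wins; an authenticated user in none of the listed roles matches neither `<deny users="?" />` nor the `<allow roles>` rule and falls through to the `<allow users="*" />` inherited from machine.config, so a trailing `<deny users="*" />` is what makes the declarative rules deny them. Second, even with that line in place, Forms Authentication in this version turns the resulting 401 into a redirect to the login page for authenticated and anonymous users alike, which is why an "Access Denied" page needs the explicit redirect in code shown above.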


