Re: Forms Authentication - "Deny users = ?" necessary

From: Hernan Ochoa (hochoa_at_corest.com)
Date: 09/05/03

    Date: Fri, 5 Sep 2003 13:16:02 -0300
    
    

    Hi!,

    well, actually that's exactly what you do.

    I wouldn't say that auth and authz are mixed. I'd say that forms auth lets
    you do that, but does not restrict you to only doing that.

    I mean, you can use forms auth to manage 'Sessions' in your webapp, and it
    works great (is very convenient). If any user wants to access some page of
    your app before authenticating (before establishing a valid session, AFTER
    authentication) he/she is redirected to the login page (you can customize
    this behavior). That saves you from adding a call to a function to check the
    session inside every page of your application.
    Then, once a user is logged on, based on the user's credentials you can use
    ROLES (role security) to perform authorization tasks inside your webapp,
    according to the logic of your webapp.

    So, auth and authz are conveniently separated. Then, you have millions of
    other auth and authz options that can complicate things, but you can code
    your app very cleanly.

    bye~

    "bob biris" <bobbiris@hotmail.com> wrote in message
    news:ce8efab7.0309040615.105a14f1@posting.google.com...
    > Thanks for your reply Hernan.
    >
    > I can't believe Authentication and Authorization are mixed...
    >
    > If I want to identify/authenticate a user (for example to retrieve his
    > settings from the server, let's say), the only way is to direct him to
    > a page which denies him access for him to be presented with a login
    > page. I'm surprised there is no way to force everybody to authenticate
    > (through forms authentication) and then leave the authorization doing
    > what it does best: "authorize" or not access to it to the page.
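
An added example, not part of the original thread: a web.config sketch of the arrangement discussed above, where forms authentication plus `<deny users="?"/>` forces every anonymous request to the login page, and a separate role rule handles authorization for one sub-path. The cookie name, `login.aspx`, the `admin` path and the `Admins` role are assumed names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Authentication: forms auth issues the ticket cookie and redirects
         unauthenticated requests to loginUrl. -->
    <authentication mode="Forms">
      <forms name=".APPAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Site-wide rule: "?" means anonymous users. Denying them is what
         triggers the redirect to the login page for every page, so no
         per-page session check is needed. Any authenticated user passes. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Authorization for one area: rules are evaluated top to bottom and the
       first match wins, so members of the assumed "Admins" role are allowed
       and every other user, authenticated or not, is denied. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Without the site-wide `<deny users="?"/>`, the default rule allows everyone, so anonymous requests are never challenged and only the `admin` path would prompt a login. The role names are only meaningful if the application attaches roles to the authenticated principal.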

