Re: Can I force 401 error when user not authenticated?

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/24/04

    Date: Sat, 24 Apr 2004 16:07:20 +1000
    
    

    Hi

    When using forms authentication, you are never sending back a 403 header.
    You are just redirecting the user to another ASP.NET page. A 403 header
    forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest etc).

    Forms auth never involves these HTTP status codes - all pages are 200 OK. It
    is at the application layer (of your ASP.NET app) that you enforce
    authentication, not at the lower HTTP level.

    Cheers
    Ken

    "Bigtoga" <bigtoga@maratrane.com> wrote in message
    news:BM9ic.11313$004.293@newssvr31.news.prodigy.com...
    : Currently I have successfully implemented role-based folder security using
    : roles and web.config in each folder. This works great - if a user is not
    : authenticated or a member of an allowed role, that user cannot access the
    : resource (woohoo!). When the disallowed user tries to access the resource,
    : it redirects them to a login page.
    :
    : What I want is that, when an unauthorized user tries to access a secure
    : resource, I want it to raise a 401 error (which would then call my 401
    : customer error page).
    :
    : Can I do this?
    :
    : In my web.config for the application, I have:
    :
    : <forms name="Auth" loginUrl="login.aspx" protection="All" path="/"/>
    :
    : If the user fails, it auto-redirects to login.aspx.
    :
    :
    :
    : I tried this:
    :
    : <forms name="Auth" protection="All" path="/"/> <!-- loginUrl omitted-->
    :
    : And rebuilt then restarted the webserver - same thing.
    :
    :
    :
    : How can I set it up so that unauthorized requests raise a 403 error? I have
    : this in web.config as well...
    :
    : <customErrors mode="On" defaultRedirect="/errors/404.aspx">
    :   <error statusCode="400" redirect="/errors/400.aspx"/><!--400 (Bad Request)-->
    :   <error statusCode="401" redirect="/errors/401.aspx"/><!--401 (Unauthorized)-->
    :   <error statusCode="403" redirect="/errors/403.aspx"/><!--403 (Forbidden)-->
    :   <error statusCode="404" redirect="/errors/404.aspx"/><!--404 (Not Found)-->
    :   <error statusCode="500" redirect="/errors/500.aspx"/><!--500 (Internal Server Error)-->
    : </customErrors>
    :
    :
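
One way to get the behaviour asked about in the quoted question, a status code instead of the forms-auth login redirect, shown as an added example that is not code from either poster. It assumes ASP.NET 2.0 or later (for `FormsAuthentication.LoginUrl` and `HttpResponse.RedirectLocation`) and a `Global.asax` code-behind class named `Global`, which is a hypothetical name.

```csharp
// Global.asax.cs -- added example, not from the thread.
// Assumes ASP.NET 2.0+ with forms authentication configured as in the question.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // By the time this handler runs, FormsAuthenticationModule has already
    // replaced the 401 set by URL authorization with a 302 to the login page.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse response = Context.Response;
        if (response.StatusCode != 302)
            return;

        string location = response.RedirectLocation;
        if (string.IsNullOrEmpty(location))
            return;

        // Leave every redirect alone except the one aimed at the login page.
        if (location.IndexOf(FormsAuthentication.LoginUrl,
                             StringComparison.OrdinalIgnoreCase) < 0)
            return;

        // Forms auth sends both cases to the login page. Separate them:
        // no ticket -> 401, valid ticket but role not allowed -> 403.
        bool authenticated = Context.Request.IsAuthenticated;

        response.ClearContent();            // drop the "Object moved" body
        response.RedirectLocation = null;   // drop the Location header
        response.StatusCode = authenticated ? 403 : 401;
        response.Write(authenticated ? "Forbidden" : "Unauthorized");

        // On .NET 4.5+ the redirect can instead be switched off per request
        // with Response.SuppressFormsAuthenticationRedirect = true.
    }
}
```

Setting the status code this way does not trigger the `customErrors` redirects, so the response body is whatever the handler writes.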

