Re: Can I force 401 error when user not authenticated?

From: Bigtoga (bigtoga_at_maratrane.com)
Date: 04/24/04


Date: Sat, 24 Apr 2004 12:31:15 GMT

Excellent info - thanks very much.

So, if I have a page/section that requires authentication and a user who is
not authenticated tries to visit, can I redirect to a different page than
the loginUrl specified in web.config?

Essentially, I'm using
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="SuperPeople"/>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

in my web.config file for each "secure" directory. If the user is already
logged in but doesn't belong to the SuperPeople role, it sends them to the
login page (but they've already logged in).

Any ideas would be helpful

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
> Hi
>
> When using forms authentication, you are never sending back a 403 header.
> You are just redirecting the user to another ASP.NET page. A 403 header
> forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
> etc).
>
> Forms auth never involves these HTTP status codes - all pages are 200 OK.
> It is at the application layer (of your ASP.NET app) that you enforce
> authentication, not at the lower HTTP level.
>
> Cheers
> Ken
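
One way to handle the case asked about above (already logged in, but not in the SuperPeople role), as an added example that is not part of the original thread: forms authentication sends every denied request to loginUrl with a ReturnUrl query parameter, so the login page can tell an authorization failure from a missing login. The class names Login and AccessDenied and the page AccessDenied.aspx are assumptions.

```csharp
using System;
using System.Web.UI;

// Code-behind for the page named in loginUrl (class name is an assumption).
public class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication appends ReturnUrl when it bounces a denied
        // request to the login page.
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Already authenticated and still bounced here: the user is logged in
        // but failed the <authorization> rules (e.g. not in SuperPeople).
        if (!IsPostBack && Request.IsAuthenticated && returnUrl != null)
        {
            // Redirect to a fixed page. ReturnUrl is user-controllable, so it
            // is only tested for presence and never used as a destination.
            Response.Redirect(ResolveUrl("~/AccessDenied.aspx"), true);
        }
    }
}

// Code-behind for the hypothetical AccessDenied.aspx. The page must live
// outside the role-restricted directories, otherwise the request is denied
// again and the browser loops.
public class AccessDenied : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Report the refusal at the HTTP level as well as in the page body,
        // so logs and monitoring can count authorization failures.
        Response.StatusCode = 403;
    }
}
```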


