Re: Can I force 401 error when user not authenticated?

From: Bigtoga (bigtoga_at_maratrane.com)
Date: 04/24/04

    Date: Sat, 24 Apr 2004 15:50:54 GMT
    
    

    Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
    just for clarity, is:

    <allow users="*"> for full site

    "/specialAccessOnly/" - <allow roles="Special">
    "/authenticated/" - <allow roles="Special, Auth">

    As you can see, the "Special" role has more perms than the "Auth" role.

    Here's the issue:
    ** If an "Auth" role tries to visit the "/specialAccessOnly/" folder, they
    will get redirected to the page specified in loginUrl (but they are actually
    already logged in).

    What I'm trying to do (if not possible, just say "Not possible" and I'll be
    happy and quit looking!):
    ** Instead of redirecting back to the loginUrl, I'd like to redirect to a
    page that says they don't have access to reach this page (simulating a 401
    error with a customError).

    I only want to use Forms Auth on this; like I said, if what I want can't be
    done, then that's okay too!

    Thanks for the responses :)

    PS - I could do this, I think, in the loginUrl page by using
    if ( Request.Params["ReturnURL"] != null)
    {
       // my code to put Unauthorized Access message here
    }

    "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
    news:OG133BgKEHA.1892@TK2MSFTNGP09.phx.gbl...
    > Hi,
    >
    > What type of authentication are you talking about? If you are talking about
    > HTTP Authentication, you can't (as a general rule [1]) do this with a form.
    > Why? Because you need to authenticate *before* the form can be loaded
    > (before ASP.NET even kicks in). This happens directly between the webserver
    > and webbrowser.
    >
    > If you are talking about forms auth, then you specify your own login page.
    > Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
    > concerned, all user access is "anonymous". It is ASP.NET that keeps track of
    > users, and who's authenticated etc.
    >
    > Cheers
    > Ken
    >
    > [1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP auth
    > via a form. Whether this also works with ASP.NET I don't know, and it's not
    > an officially supported product. The source code for this tool is in the
    > Windows 2003 Platform SDK.
    >
    >
    > "Bigtoga" <bigtoga@maratrane.com> wrote in message
    > news:n6tic.1445$UP.281@newssvr15.news.prodigy.com...
    > : Excellent info - thanks very much.
    > :
    > : So, if I have a page/section that requires authentication and a user who is
    > : not authenticated tries to visit, can I redirect to a different page than
    > : the loginUrl specified in web.config?
    > :
    > : Essentially, I'm using
    > : <?xml version="1.0" encoding="utf-8" ?>
    > : <configuration>
    > : <system.web>
    > : <authorization>
    > : <allow roles="SuperPeople"/>
    > : <deny users="*" />
    > : </authorization>
    > : </system.web>
    > : </configuration>
    > :
    > : in my web.config file for each "secure" directory. If the user is already
    > : logged in but doesn't belong to the SuperPeople role, it sends them to the
    > : login page (but they've already logged in).
    > :
    > : Any ideas would be helpful
    > :
    > :
    > : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
    > : news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
    > : > Hi
    > : >
    > : > When using forms authentication, you are never sending back a 403 header.
    > : > You are just redirecting the user to another ASP.NET page. A 403 header
    > : > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest etc).
    > : >
    > : > Forms auth never involves these HTTP status codes - all pages are 200 OK. It
    > : > is at the application layer (of your ASP.NET app) that you enforce
    > : > authentication, not at the lower HTTP level.
    > : >
    > : > Cheers
    > : > Ken
    > :
    > :
    >
    >
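
The check sketched in the PS above, filled out as an added example (not code from the thread or from any poster): the loginUrl page tells "already signed in but lacking the role" apart from "not signed in" and sends the first case to a fixed access-denied page. The class names `Login` and `AccessDenied`, the page `AccessDenied.aspx`, and its placement in the site root (open to all users in the configuration described) are assumptions.

```csharp
// Added example; Login, AccessDenied and AccessDenied.aspx are hypothetical
// names, and AccessDenied.aspx is assumed to sit in the unrestricted site root.
using System;
using System.Web.UI;

// Code-behind for the page named in loginUrl.
public class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Forms auth appends ReturnUrl when it bounces a request here. If the
        // caller already holds a valid ticket, the bounce was an authorization
        // failure (wrong role), not a missing login.
        if (Request.IsAuthenticated && returnUrl != null && returnUrl.Length > 0)
        {
            // Fixed target: ReturnUrl is caller-controlled, so it is never
            // used as a redirect destination or forwarded.
            Response.Redirect(ResolveUrl("~/AccessDenied.aspx"), true);
        }
        // Otherwise fall through and render the normal login form.
    }
}

// Code-behind for AccessDenied.aspx.
public class AccessDenied : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 403, not 401: the forms authentication module turns a 401 into
        // another redirect to loginUrl, which would loop back to Login.
        Response.StatusCode = 403;
        Response.Write("You are signed in as "
            + Server.HtmlEncode(User.Identity.Name)
            + " but do not have access to the requested page.");
    }
}
```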

