Re: Can I force 401 error when user not authenticated?
From: Joseph E Shook [MVP - ADSI] (joeshook_at_deploymentCentric.com)
Date: 04/26/04
- Next message: Paul Glavich [MVP - ASP.NET]: "Re: Sessions & SSL"
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: change password in active directory by webapplication (vb.net)"
- In reply to: Bigtoga: "Re: Can I force 401 error when user not authenticated?"
- Next in thread: Bigtoga: "Re: Can I force 401 error when user not authenticated?"
- Reply: Bigtoga: "Re: Can I force 401 error when user not authenticated?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 25 Apr 2004 21:36:09 -0700 To: Bigtoga <bigtoga@maratrane.com>
Not possible?... This is .NET. I think what you want is the same kind
of functionality you get from windows role based authorization. Meaning
even if you have authenticated already and received your token with
group membership info, a subsequent visit to a page with authorization
requirements not meeting your token contents you are presented with a
authentication dialog. At that point you either login again hoping to
get an updated token with new group added or you just change to a
different user to get access to that more secure content.
So if you want to get that going with forms based authentication then
you need a way to redirect when a authorization attempt fails post
successful authentication.
The following code will help: You could be more creative and write your
own HttpModule but this works for me. I haven't put a whole lot of time
behind it but I am sure it is the ingredient you are looking for.
Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
If
Server.GetLastError().GetType().Equals(GetType(System.Security.SecurityException))
Then
Response.Redirect("login.aspx?ReturnUrl=" &
HttpUtility.UrlEncode(Context.Request.Url.PathAndQuery,
Context.Request.ContentEncoding))
End If
End Sub
Bigtoga wrote:
> Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
> just for clarity, is:
>
> <allow users="*"> for full site
>
> "/specialAccessOnly/" - <allow roles="Special">
> "/authenticated/" - <allow roles="Special, Auth">
>
> As you can see, the "Special" role has more perms than the "Auth" role.
>
> Here's the issue:
> ** If a "Auth" role tries to visit the "/specialAccessOnly/" folder, they
> will get redirected to the page specified in loginUrl (but they are actually
> already logged in).
>
> What I'm trying to do (if not possible, just say "Not possible" and I'll be
> happy and quit looking!):
> ** Instead of redirecting back to the loginUrl, I'd like to redirect to a
> page that says they don't have access to reach this page (simluating a 401
> error with a customError).
>
> I only want to use Forms Auth on this; like I said, if what I want can't be
> done, then that's okay too!
>
> Thanks for the responses :)
>
> PS - I could do this, I think, in the loginUrl page by using
> if ( Request.Params["ReturnURL"] != null)
>
> // my code to put Unauthorized Access message here
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:OG133BgKEHA.1892@TK2MSFTNGP09.phx.gbl...
>
>>Hi,
>>
>>What type of authentication are you talking about? If you are talking
>
> about
>
>>HTTP Authentication, you can't (as a general rule [1]) do this with a
>
> form.
>
>>Why? Because you need to authenticate *before* the form can be loaded
>>(before ASP.NET even kicks in). This happens directly between the
>
> webserver
>
>>and webbrowser.
>>
>>If you are talking about forms auth, then you specify your own login page.
>>Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
>>concerned, all user access is "anonymous". It is ASP.NET that keeps track
>
> of
>
>>users, and who's authenticated etc.
>>
>>Cheers
>>Ken
>>
>>[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP
>
> auth
>
>>via a form. Whether this also works with ASP.NET I don't know, and it's
>
> not
>
>>an officially supported product. The source code for this tool is in the
>>Windows 2003 Platform SDK.
>>
>>
>>"Bigtoga" <bigtoga@maratrane.com> wrote in message
>>news:n6tic.1445$UP.281@newssvr15.news.prodigy.com...
>>: Excellent info - thanks very much.
>>:
>>: So, if I have a page/section that requies authentication and a user who
>
> is
>
>>: not authenticated tries to visit, can I redirect to a different page
>
> than
>
>>: the loginUrl specified inweb.config?
>>:
>>: Essentially, I'm using
>>: <?xml version="1.0" encoding="utf-8" ?>
>>: <configuration>
>>: <system.web>
>>: <authorization>
>>: <allow roles="SuperPeople"/>
>>: <deny users="*" />
>>: </authorization>
>>: </system.web>
>>: </configuration>
>>:
>>: in my web.config file for each "secure" drectory. If the user is already
>>: logged in but doesn't belong to the SuperPeople role, it sends them to
>
> the
>
>>: login page (but they've already logged in).
>>:
>>: Any ideas would be helpful
>>:
>>:
>>: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
>>: news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
>>: > Hi
>>: >
>>: > When using forms authentication, you are never sending back a 403
>>header.
>>: > You are just redirecting the user to another ASP.NET page. A 403
>
> header
>
>>: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
>>: etc).
>>: >
>>: > Forms auth never involves these HTTP status codes - all pages are 200
>>OK.
>>: It
>>: > is at the application layer (of your ASP.NET app) that you enforce
>>: > authentication, not at the lower HTTP level.
>>: >
>>: > Cheers
>>: > Ken
>>:
>>:
>>
>>
>
>
>
- Next message: Paul Glavich [MVP - ASP.NET]: "Re: Sessions & SSL"
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: change password in active directory by webapplication (vb.net)"
- In reply to: Bigtoga: "Re: Can I force 401 error when user not authenticated?"
- Next in thread: Bigtoga: "Re: Can I force 401 error when user not authenticated?"
- Reply: Bigtoga: "Re: Can I force 401 error when user not authenticated?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
