Re: Can I force 401 error when user not authenticated?

From: Bigtoga (bigtoga_at_maratrane.com)
Date: 04/26/04

    Date: Mon, 26 Apr 2004 14:37:38 GMT


    Thanks - while your code would work, I went the easy way out in my other
    post:

    in my page specified in the loginUrl, I use:

    if ( Request.Params["ReturnURL"] != null)
        // code to write message, redirect, etc

    this is the easiest solution, I suppose. It does what I need.

    Are you suggesting there are other problems with my method that I'm not
    aware of? I'd certainly like to know if my method would cause
    errors/elevated-access...

    "Joseph E Shook [MVP - ADSI]" <joeshook@deploymentCentric.com> wrote in
    message news:408C91B9.3030503@deploymentCentric.com...
    > Not possible?... This is .NET. I think what you want is the same kind
    > of functionality you get from windows role based authorization. Meaning
    > even if you have authenticated already and received your token with
    > group membership info, a subsequent visit to a page with authorization
    > requirements not meeting your token contents you are presented with a
    > authentication dialog. At that point you either login again hoping to
    > get an updated token with new group added or you just change to a
    > different user to get access to that more secure content.
    >
    > So if you want to get that going with forms based authentication then
    > you need a way to redirect when a authorization attempt fails post
    > successful authentication.
    >
    > The following code will help: You could be more creative and write your
    > own HttpModule but this works for me. I haven't put a whole lot of time
    > behind it but I am sure it is the ingredient you are looking for.
    >
    > Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    >     If Server.GetLastError().GetType().Equals(GetType(System.Security.SecurityException)) Then
    >         Response.Redirect("login.aspx?ReturnUrl=" & _
    >             HttpUtility.UrlEncode(Context.Request.Url.PathAndQuery, Context.Request.ContentEncoding))
    >     End If
    > End Sub
    >
    >
    >
    > Bigtoga wrote:
    > > Thanks. Sorry for my unclear response - I am using Forms auth. The
    > > problem, just for clarity, is:
    > >
    > > <allow users="*"> for full site
    > >
    > > "/specialAccessOnly/" - <allow roles="Special">
    > > "/authenticated/" - <allow roles="Special, Auth">
    > >
    > > As you can see, the "Special" role has more perms than the "Auth" role.
    > >
    > > Here's the issue:
    > > ** If an "Auth" role tries to visit the "/specialAccessOnly/" folder,
    > > they will get redirected to the page specified in loginUrl (but they
    > > are actually already logged in).
    > >
    > > What I'm trying to do (if not possible, just say "Not possible" and
    > > I'll be happy and quit looking!):
    > > ** Instead of redirecting back to the loginUrl, I'd like to redirect
    > > to a page that says they don't have access to reach this page
    > > (simulating a 401 error with a customError).
    > >
    > > I only want to use Forms Auth on this; like I said, if what I want
    > > can't be done, then that's okay too!
    > >
    > > Thanks for the responses :)
    > >
    > > PS - I could do this, I think, in the loginUrl page by using
    > > if ( Request.Params["ReturnURL"] != null)
    > >
    > > // my code to put Unauthorized Access message here
    > >
    > >
    > > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
    > > news:OG133BgKEHA.1892@TK2MSFTNGP09.phx.gbl...
    > >
    > >>Hi,
    > >>
    > >>What type of authentication are you talking about? If you are talking
    > >>about HTTP Authentication, you can't (as a general rule [1]) do this
    > >>with a form.
    > >
    > >>Why? Because you need to authenticate *before* the form can be loaded
    > >>(before ASP.NET even kicks in). This happens directly between the
    > >>webserver and webbrowser.
    > >>
    > >>If you are talking about forms auth, then you specify your own login
    > >>page. Forms Auth is an ASP.NET authentication mechanism. As far as IIS
    > >>is concerned, all user access is "anonymous". It is ASP.NET that keeps
    > >>track of users, and who's authenticated etc.
    > >>
    > >>Cheers
    > >>Ken
    > >>
    > >>[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP
    > >>auth via a form. Whether this also works with ASP.NET I don't know, and
    > >>it's not an officially supported product. The source code for this tool
    > >>is in the Windows 2003 Platform SDK.
    > >>
    > >>
    > >>"Bigtoga" <bigtoga@maratrane.com> wrote in message
    > >>news:n6tic.1445$UP.281@newssvr15.news.prodigy.com...
    > >>: Excellent info - thanks very much.
    > >>:
    > >>: So, if I have a page/section that requires authentication and a user
    > >>: who is not authenticated tries to visit, can I redirect to a
    > >>: different page than the loginUrl specified in web.config?
    > >>:
    > >>: Essentially, I'm using
    > >>: <?xml version="1.0" encoding="utf-8" ?>
    > >>: <configuration>
    > >>: <system.web>
    > >>: <authorization>
    > >>: <allow roles="SuperPeople"/>
    > >>: <deny users="*" />
    > >>: </authorization>
    > >>: </system.web>
    > >>: </configuration>
    > >>:
    > >>: in my web.config file for each "secure" directory. If the user is
    > >>: already logged in but doesn't belong to the SuperPeople role, it
    > >>: sends them to the login page (but they've already logged in).
    > >>:
    > >>: Any ideas would be helpful
    > >>:
    > >>:
    > >>: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
    > >>: news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
    > >>: > Hi
    > >>: >
    > >>: > When using forms authentication, you are never sending back a 403
    > >>: > header. You are just redirecting the user to another ASP.NET page.
    > >>: > A 403 header forces the browser to use HTTP authentication (e.g.
    > >>: > Basic, IWA, Digest etc).
    > >>: >
    > >>: > Forms auth never involves these HTTP status codes - all pages are
    > >>: > 200 OK. It is at the application layer (of your ASP.NET app) that
    > >>: > you enforce authentication, not at the lower HTTP level.
    > >>: >
    > >>: > Cheers
    > >>: > Ken
    > >>:
    > >>:
    > >>
    > >>
    > >
    > >
    > >
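The thread turns on one distinction: forms authentication sends a user to loginUrl both when they are anonymous and when they are logged in but fail a role check, and in both cases a ReturnUrl is appended. A login page that branches on ReturnUrl alone therefore cannot tell the two apart; checking `Request.IsAuthenticated` as well does. The following code-behind is an added example written for this page, not code from any poster; the `AccessDenied.aspx` page and the `Login` class name are assumptions, and the local-path check on ReturnUrl is an extra guard against redirecting to an off-site address.

```csharp
// Login.aspx.cs (hypothetical code-behind for the page named in loginUrl).
// Added example for this thread; it is not the posters' code.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms auth appends ReturnUrl whenever it sends a request here,
        // for anonymous users and for authenticated users who failed an
        // <authorization> rule alike. ReturnUrl alone is not a verdict.
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Only ever bounce to a path inside this site (a relative path that
        // does not start with "//", which browsers treat as a new host).
        bool hasLocalReturnUrl = returnUrl != null
            && returnUrl.StartsWith("/")
            && !returnUrl.StartsWith("//");

        if (Request.IsAuthenticated && hasLocalReturnUrl)
        {
            // Already logged in, yet sent back to the login page: the role
            // rule protecting returnUrl rejected this user. Asking them to
            // log in again is misleading; show an access-denied page instead.
            // AccessDenied.aspx (assumed page) sets Response.StatusCode = 403
            // in its own Page_Load so logs and monitoring see the refusal.
            Response.Redirect("~/AccessDenied.aspx?Denied=" + Server.UrlEncode(returnUrl));
            return;
        }

        // Anonymous visitor: render the normal login form. On success the
        // existing forms-auth helper honours ReturnUrl and only follows it
        // when it is a path on this application.
        if (IsPostBack)
        {
            TryLogin();
        }
    }

    // Illustrative sign-in handler; the credential check is a placeholder
    // for whatever store the application uses (assumption, not from the thread).
    private void TryLogin()
    {
        string user = Request.Form["UserName"];
        string pass = Request.Form["Password"];
        if (CredentialsAreValid(user, pass))
        {
            // RedirectFromLoginPage issues the auth ticket and follows ReturnUrl.
            FormsAuthentication.RedirectFromLoginPage(user, false);
        }
    }

    private bool CredentialsAreValid(string user, string pass)
    {
        // Placeholder: replace with the application's real credential check.
        return false;
    }
}
```

With this in place the three cases the thread describes map cleanly: an anonymous request to a protected folder gets the login form, an "Auth" user reaching "/specialAccessOnly/" gets the access-denied page with a 403, and a user who does hold the role never touches the login page at all.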

