Re: Can I force 401 error when user not authenticated?

From: tafs7 (tafs7_at_yahoo.com)
Date: 04/30/04


Date: 30 Apr 2004 08:18:43 -0700

What you can do, is this:

on your Login page, check if the request is authenticated, and if so,
that means the user has already logged in but didn't have the correct
permission to access the resource, so he/she got bumped back to the
login.

thus....login.aspx:

private void Page_Load(object sender, EventArgs e)
{
  if(Request.IsAuthenticated)
  {
    //the user has already logged in, but
    //did not have the rights to the requested resource
    //so let's redirect to our custom 403 page
    // and let him/her know that access was denied!

    Response.Redirect("my403.aspx", true);
  }
  else
  {
    //do my regular page load stuff here
  }
}

Hope this helps you.

And while I am at it....I just put a post with a question on
role-based authentication/authorization, but no replies...so here it
is, and if you have any suggestions I'd appreciate it!

I have an ASP.NET application that uses forms authentication. I
rolled my own CustomPrincipal class for role-based authentication, and
wired the Application_AuthenticateRequest() event on my global.asax.
All is working great.
 
Now my new requirement is that I make a role on my SQLServer db that
is a "low level" user. This role will only have access to ONE
specific folder on my application, and nothing else outside of it.
Other roles can access other folders including this one. I should
also note that there is no anonymous access on this application.
Everything is password protected, so when the first request fires, the
user is automatically redirected to the login page, then, once
authenticated, he/she is taken to the default.aspx on the root.
 
Everyone uses the same login page, but if the user name is in the
"low-level" role, I need to automatically redirect to the special
folder, while all other users get taken to my root's default.aspx (if
no other return url string is specified).
 
This is a snippet of my web.config on the root directory:
<authentication mode="Forms">
  <forms name=".ELITECTSUSERAUTH" loginUrl="~/login.aspx"
     protection="All"
     timeout="30"
     slidingExpiration="true"
     path="/" />
</authentication>
<authorization>
  <deny users="?" roles="5" /> <!-- Deny anonymous users and low-level roles -->
  <allow users="*" />
</authorization>
 
As you can see, this denies access to anonymous users and users in the
role "5", which is my "low-level" user.
So the question is this: (1) how to make the application kick the
low-level user to the special folder once he/she is authorized and a
principal has been generated for them, without ever going to the root
default.aspx.
 
I also thought I should include either a location section in my root
web.config that allows role 5 into the special folder, or add a new
web.config to that special folder allowing authenticated users and all
roles, overriding the root web.config.
 
Does anybody have any suggestions to this problem?

Thiago Silva
web developer

-------------------------------------------------------

"Bigtoga" <bigtoga@maratrane.com> wrote in message news:<v5wic.1478$ZJ4.1367@newssvr15.news.prodigy.com>...
> in my page specified in the loginUrl, I use:
>
> if ( Request.Params["ReturnURL"] != null)
> // code to write message, redirect, etc
>
> this is the easiest solution, I suppose. It does what I need.
>
> Thanks for the help but, if anyone has any further ideas, please post
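As an added illustration (not code from the original post or from either poster), the following ASP.NET Web Forms code-behind for login.aspx puts both ideas from the thread together: it uses Request.IsAuthenticated to tell an anonymous caller from an authenticated-but-unauthorized one and answers the latter with a real 403 status rather than a redirect, and after a successful login it sends members of the "low-level" role "5" (the role named in the poster's web.config) straight to their folder while everyone else goes to ReturnUrl or the root default.aspx. The folder name "~/lowlevel/", the LookupRole() database helper and the IsLocalUrl() check are assumptions introduced here; the ticket timeout of 30 minutes mirrors the timeout="30" in the posted config.

```csharp
// Added example, not from the original post. Assumes a Forms-authenticated
// ASP.NET Web Forms site, a hypothetical LookupRole() helper against the
// poster's SQL Server database, the low-level role "5" from the posted
// web.config, and a special folder "~/lowlevel/" (name chosen here).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    const string LowLevelRole = "5";                       // from the poster's web.config
    const string LowLevelHome = "~/lowlevel/default.aspx"; // assumed folder name

    protected TextBox UserName;
    protected TextBox Password;
    protected Label Message;

    private void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication bounces every denied request to loginUrl, whether
        // the caller is anonymous (a 401 situation) or authenticated but not
        // authorized (a 403 situation). Request.IsAuthenticated separates the two.
        if (Request.IsAuthenticated)
        {
            // Authenticated but not allowed: return a genuine 403 and render the
            // access-denied page in place instead of redirecting, so the status
            // code survives for the client and for server logs.
            Response.StatusCode = 403;
            Response.StatusDescription = "Forbidden";
            Server.Transfer("my403.aspx");   // page name taken from the original post
        }
        // Anonymous caller: normal page load, the login form is rendered.
    }

    // Click handler for the login button (wired up in the .aspx markup).
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string role = LookupRole(UserName.Text, Password.Text);
        if (role == null)
        {
            // Same message for unknown user and wrong password: no account enumeration.
            Message.Text = "Invalid user name or password.";
            return;
        }

        // Carry the role in the ticket's UserData so Application_AuthenticateRequest
        // can rebuild the CustomPrincipal without another database round trip.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, role, FormsAuthentication.FormsCookiePath);
        string encrypted = FormsAuthentication.Encrypt(ticket);
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encrypted));

        if (role == LowLevelRole)
        {
            // Low-level users never touch the root default.aspx.
            Response.Redirect(LowLevelHome, true);
        }
        else
        {
            // Honour ReturnUrl only when it is a site-local path; an absolute
            // ReturnUrl supplied by a third party would otherwise turn the login
            // page into an open redirect.
            string returnUrl = Request.QueryString["ReturnUrl"];
            if (!IsLocalUrl(returnUrl))
            {
                returnUrl = "~/default.aspx";
            }
            Response.Redirect(returnUrl, true);
        }
    }

    // Accept "/path" or "~/path", but reject "//host", "/\host" and absolute URLs.
    public static bool IsLocalUrl(string url)
    {
        if (url == null || url.Length == 0) return false;
        if (url.StartsWith("~/")) return true;
        if (url.Length == 1) return url == "/";
        return url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }

    // Hypothetical credential check; returns the user's role name, or null
    // when the credentials do not match. Replace with the application's own lookup.
    private string LookupRole(string user, string password)
    {
        throw new NotImplementedException("application-specific database lookup");
    }
}
```

The redirect alone does not grant anything: with the root web.config denying role "5" everywhere, the special folder still needs its own rule, either a `<location path="lowlevel">` section in the root web.config or a web.config inside that folder, whose `<authorization>` allows role "5" (and still denies `?`) before the root rule is reached. Keep the root-level deny in place so that the low-level role's access stays limited to that one folder even if the redirect logic is bypassed.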
