URL Authorization Problem

nicemonitor_at_hotmail.com
Date: 08/19/05


Date: 19 Aug 2005 13:26:31 -0700

I have created a web application that is utilizing Forms Authentication
and URL Authorization for application security.

The problem arises when an authenticated user (the authentication
ticket cookie has been set) attempts to access a subdirectory or file
where I have explicitly denied them access. For example, the code in
the root web.config is as follows:

  <authentication mode="Forms">
      <forms loginUrl="authAgent.aspx"
          name="csgOperationsAuthTicket"
          protection="All"
          timeout="60"
          path="/"
      />
  </authentication>

  <authorization>
      <deny users="?" />
  </authorization>

A web.config created in a protected directory called "protected" has
the following authorization tags:

  <authorization>
      <allow users="admin" />
      <deny users="*" />
  </authorization>

Now if I attempt to visit a page within the "protected" subdirectory,
the forms authentication ticket is created for the user; however, if I
attempt to access the directory as any other user but "admin", I do not
get an access denied page or message. Instead it stays at the loginUrl
page (seems to reload over and over). If I do access the directory as
"admin", everything works fine.

Is there a way to display an access denied page to the user?

Note that when I use Windows authentication a nice access denied page
is displayed. If you try to use forms authentication the user is left
hanging. This cannot be by Microsoft's design, can it? Is it a bug?

Any insight is *GREATLY* appreciated.

Thanks
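
An added example, not part of the original post: URL authorization answers a denied request with a 401, and the forms authentication module turns every 401 into a redirect to loginUrl, whether or not the user already holds a valid ticket. One way to break that loop is to check for this case in the login page's code-behind; the class name `AuthAgent` and the page `accessDenied.aspx` are assumptions, not names from the post.

```csharp
using System;
using System.Web.UI;

// Added example: code-behind for the page configured as loginUrl
// (authAgent.aspx in the post). The class name and accessDenied.aspx
// are assumptions, not names taken from the original post.
public class AuthAgent : Page
{
    // Hypothetical page. It must live where only the root rule
    // <deny users="?" /> applies, so every signed-in user can read it.
    private const string AccessDeniedUrl = "~/accessDenied.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // A postback is a login attempt in progress; let the login logic run.
        if (IsPostBack)
            return;

        // The forms authentication module appends ReturnUrl when it bounces
        // a request here. It does so for every 401, including the 401 that
        // URL authorization raises for a signed-in user who matched
        // <deny users="*" /> in the "protected" directory.
        string returnUrl = Request.QueryString["ReturnUrl"];
        bool bounced = returnUrl != null && returnUrl.Length > 0;

        // Signed in and bounced: the ticket is valid, so logging in again
        // with the same account cannot help. Show an explicit access-denied
        // page instead of rendering the login form again.
        if (bounced && Request.IsAuthenticated)
        {
            Response.Redirect(ResolveUrl(AccessDeniedUrl), true);
        }

        // Otherwise the visitor is anonymous or came here directly:
        // fall through and render the normal login form.
    }
}
```

With this check in place, a signed-in user who wants to retry as "admin" has to sign out first, so the access-denied page should offer a sign-out link.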


