
asp.net security : request page I can't have -> goes to login


David Thielen
6/2/2006 10:37:01 AM
Hi;

Ok, I have role restriction working for pages - thank you everyone.

I have two follow-on questions:

I want to require a role for access to all pages except 3 specific ones if a
user does not have a specific role. Is there a way to do this other than
listing out each other page as a location? (I'm afraid we will add a page and
forget to add it to the list in Web.Config.)

If a user goes to a page that they are not allowed to view, it sends them to
login.aspx. I think it would be better to send them to a page that says they
are not allowed on the page they wanted. Or send them to default.aspx. Is
there a way to do this?

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com
Joe Kaplan (MVP - ADSI)
6/4/2006 9:29:46 PM
You can also programmatically set HttpContext.SkipAuthorization to true
based on a specific request URL.

However, you might be better off doing what you need to do declaratively in
config. Programmatic path parsing has its own set of canonicalization
attacks you have to be careful with. It is a balancing act, as you also run
the risk of having an overly complex config file that could be hard to
maintain or that your customers may be tempted to muck with.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

stcheng NO[at]SPAM online.microsoft.com
6/5/2006 12:00:00 AM
Hello Dave,

As for your scenario, where some particular pages have different
authorization requirements from the others, I think we'll still have to use
the <location> element or group those particular pages into a single
subdirectory in the application.

As for the redirect-to-login-page behavior you mentioned, it is the fixed
behavior of ASP.NET forms authentication: an unauthorized user's request will
always be redirected to the login page. However, you can customize the login
page's URL through the <forms> configuration element's "loginUrl" attribute:

#forms Element for authentication (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx

Therefore, you can edit this attribute to your own "login" page, and put
your own customized UI in that page. e.g.

=====================
<authentication mode="Forms">
  <forms loginUrl="MyUnauthorizedPage.aspx">
  </forms>
</authentication>
=====================

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support


==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================


This posting is provided "AS IS" with no warranties, and confers no rights.



Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
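A fail-closed web.config layout for Dave's first question, as an added example (not from any post in the thread): the root authorization block denies everyone who lacks the role, and only the handful of public pages are opened up with <location> elements, so a page added later and forgotten is protected by default rather than exposed. The role name "Admins" and the file names Login.aspx and Default.aspx are assumptions.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Anyone not logged in is sent here; ASP.NET appends ?ReturnUrl=<requested page>. -->
      <forms loginUrl="Login.aspx" />
    </authentication>
    <roleManager enabled="true" />

    <!-- Site-wide default: only members of the role (assumed name "Admins") get in,
         everyone else is denied. Rules are matched top-down and the first match wins,
         so the allow must come before the catch-all deny. A page added later inherits
         this rule and stays protected even if nobody remembers to list it. -->
    <authorization>
      <allow roles="Admins" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Exceptions: the pages every logged-in user may see regardless of role.
       "?" means anonymous users and "*" means everyone, so deny-? followed by
       allow-* admits only authenticated users. Repeat one block per page, or point
       path at a folder that holds all three. -->
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page must be reachable by anonymous users. Opening it explicitly
       keeps that rule visible in config instead of relying on framework behavior. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```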


David Thielen
6/5/2006 10:25:02 AM
Hi;

The problem with that approach is it takes you to that page if they are not
logged in also - and in that case I do want them on the login page.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com



stcheng NO[at]SPAM online.microsoft.com
6/6/2006 12:00:00 AM
Thanks for the response Dave,

As for the below point you mentioned:
==========
The problem with that approach is it takes you to that page if they are not
logged in also - and in that case I do want them on the login page.
==========

I still think it is because the user is unauthorized (rather than
unauthenticated or not logged in): it is because the page is protected
from anonymous users (and the user hasn't logged in, so has no roles or user
identity) that the user is redirected to the login page. So the login
page always accepts unauthorized redirected requests (except when we explicitly
visit it). My suggestion on this is that you can dynamically determine whether
this is an unauthorized redirection request by looking for the "ReturnUrl"
querystring in the request. This is because when an unauthorized user is
redirected to the login page, forms authentication will always append a
"ReturnUrl" querystring, so that it can redirect the user back to the
target resource (after logging in). e.g.

http://localhost/IISTestSite/login.aspx?ReturnUrl=%2fIISTestSite%2fWSEAdmins%2fDefault.aspx

You can display different UI according to this querystring in your login
page, or even redirect it to your custom error page...

Regards,

Steven Cheng
Microsoft Online Community Support

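A login page code-behind that applies the ReturnUrl check from this reply, as an added example (not code from the thread or from Microsoft). It assumes `<forms loginUrl="Login.aspx" />` is configured and that a page named AccessDenied.aspx exists; it combines the querystring with the request's authentication state, so an authenticated user refused by a role rule is sent to the denied page while a user who is simply not logged in sees the login form.

```csharp
// Login.aspx.cs (added example). Assumes <forms loginUrl="Login.aspx" /> in
// web.config and an AccessDenied.aspx page; both names are assumptions.
using System;
using System.Web;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication appends ?ReturnUrl=<requested page> whenever it
        // redirects a refused request here. Its presence says "redirected",
        // not why; the authentication state supplies the why.
        string returnUrl = Request.QueryString["ReturnUrl"];
        bool redirectedHere = !string.IsNullOrEmpty(returnUrl);

        if (!redirectedHere)
        {
            // The user navigated to the login page directly: just show the form.
            return;
        }

        if (Request.IsAuthenticated)
        {
            // Identity is already established by a valid forms cookie, so the
            // only reason to land here with a ReturnUrl is a failed authorization
            // rule: logged in but lacking the role. Redirect to a fixed page; the
            // client-supplied ReturnUrl is passed along only for display and must
            // be HTML-encoded by AccessDenied.aspx when it is rendered.
            Response.Redirect("~/AccessDenied.aspx?page=" + Server.UrlEncode(returnUrl), true);
            return;
        }

        // Anonymous and redirected: a protected page was requested without a
        // login. Fall through and show the form; after a successful login the
        // Login control (or FormsAuthentication.RedirectFromLoginPage) honors
        // ReturnUrl and sends the user back to the page they asked for.
    }
}
```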