Forms Auth Redirect on Access Denied - Question/Help

 
 
Brad
11-21-2003
If a web app uses forms authentication and a specific aspx page has a role
authorization, where should a browser be directed if a user is not in the
role for that location?

Background to my question:
I'm using forms authentication on a web app, setting the ticket in
code...also setting the role in the ticket. I then later set the
context.user to a new generic principal which includes the roles from the
ticket. This works fine and the user (me in this case) is authenticated.

I placed role authorization on a specific location (aspx file) and when I'm
in that role I correctly see the page. If I remove myself (or another
tester) from the role for that page access is correctly denied, however the
browser displays the message below instead of something like a 401 error.
It seems I can't even use a custom 401 in the config to trap this.

Is the message below what I should be getting? If so, can I trap to
redirect? If not, what might be going on to cause this message?

Thanks

Brad

Role setting example
================================================
<location path="securepage.aspx">
<system.web>
<authorization>
<allow roles="Manager"/>
<deny users="*" />
</authorization>
</system.web>
</location>


================================================
Browser display when access is denied.
================================================
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be
experiencing technical difficulties, or you may need to adjust your browser
settings.



Please try the following:
Click the Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is
spelled correctly.

To check your connection settings, click the Tools menu, and then click
Internet Options. On the Connections tab, click Settings. The settings
should match those provided by your local area network (LAN) administrator
or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine
your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then
click About Internet Explorer to determine what strength security you have
installed.
If you are trying to reach a secure site, make sure your Security settings
can support it. Click the Tools menu, and then click Internet Options. On
the Advanced tab, scroll to the Security section and check settings for SSL
2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.


Cannot find server or DNS Error
Internet Explorer
=======================================


 
MSFT
11-21-2003
Hi Brad,

You may set the custom error page in the <customErrors> element of web.config:

http://www.microsoft.com/technet/tre...hnet/prodtechnol/windowsserver2003/proddocs/standard/aaconcustomerrorselement.asp

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Brad
11-21-2003
Luke - As I mentioned, that's my problem and thus my question: I'm
setting custom errors and it's not hitting any.
Again, my question: if access is denied to a specific location (aspx), what
result should IIS or .Net produce (what should the browser get)? And if
custom errors is NOT trapping it, how can I trap it...or is something
wrong going on? (Please review my original post again.)


Brad




 
MSFT
11-24-2003
Hi Brad,

Can you catch the error in the Application_Error method of global.asax? For
more information about ASP.NET error handling, you may refer to:

http://www.15seconds.com/issue/030102.htm

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Brad
11-24-2003
No. I have application error handling and it's not picking it up. Let me
ask this another way: using the following example, what should a client
expect to see and/or how does ASP.NET react if the client attempts to access
securepage.aspx and they are NOT a member of the Manager role?

<location path="securepage.aspx">
<system.web>
<authorization>
<allow roles="Manager"/>
<deny users="*" />
</authorization>
</system.web>
</location>







 
Brad
11-24-2003
Never mind, Luke. Seems that ASP.NET will just keep redirecting the user
to the login page if they are not in the role....an error can't be trapped
and the user really can't be redirected if the roles are used in the web
config. Too bad...you'd think there would be a means to trap that access was
denied. It just means I do forms auth in code on the page as I have been
doing to date.





 
MSFT
11-26-2003
Hi Brad,

I think we may try another approach to achieve this. For example, in the form
load of the security.aspx, check the user with the IsInRole method, then perform
further processing or redirect to a special form.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
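
The in-code role check suggested in the last reply, written out as an added example (not code from anyone in the thread). It generalizes the check into a base class so every protected page fails closed before its own Page_Load runs. Assumptions: the class names and AccessDenied.aspx are hypothetical, the <location> rule for the page is reduced to <deny users="?"/>, and the principal carrying the ticket's roles has already been attached to Context.User as described in the first post.

```csharp
using System;
using System.Web.UI;

// Added example. Base class for pages whose role check is done in code
// rather than by <allow roles="..."/> in web.config.
// Assumption: the <location> rule for the page is reduced to
// <deny users="?"/> so anonymous users are still sent to the login page.
public abstract class RoleProtectedPage : Page
{
    // Hypothetical access-denied page; not from the thread.
    private const string AccessDeniedUrl = "~/AccessDenied.aspx";

    // Each protected page names the role it requires.
    protected abstract string RequiredRole { get; }

    protected override void OnLoad(EventArgs e)
    {
        // Runs before the derived page's Page_Load and before any
        // postback event handler, so no protected code executes first.
        bool allowed = User != null
            && User.Identity.IsAuthenticated
            && User.IsInRole(RequiredRole);

        if (!allowed)
        {
            // true = end the response here; nothing further is rendered.
            Response.Redirect(AccessDeniedUrl, true);
        }

        base.OnLoad(e); // raises Load, i.e. the page's own Page_Load
    }
}

// Code-behind for securepage.aspx (class name is an assumption).
public class SecurePage : RoleProtectedPage
{
    protected override string RequiredRole
    {
        get { return "Manager"; } // role from the thread's web.config
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached by authenticated members of the Manager role.
        Response.Write("Signed in as " + Server.HtmlEncode(User.Identity.Name));
    }
}
```

Because the role rule no longer lives in web.config, a page that forgets to inherit from the base class is open to any authenticated user, so the inheritance is worth checking in code review.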

 