Role base security and RedirectUrl

 
 
RedHair
      10-06-2008
I use Forms Authentication and role-based security to secure an ASP.NET
3.5 application.
Below are the security settings in web.config:

<location path="testAdmin.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

If an anonymous user tries to access testAdmin.aspx, he/she is
redirected to the login page based on the loginUrl setting of the
<authentication> element. But if a logged-on user whose role is not
"Admin" tries to access testAdmin.aspx, the system still redirects
him/her to the login page. In this case, is it possible to redirect the
user to a page other than the login page, via configuration?
Or do I need to add Context.User.IsInRole("Admin") to each page?

Thanks.



 
rote
      10-06-2008
RedHair,
I think the setting you provided is doing the right thing, as only people with the Admin role can get to the page.
If you are using Forms auth then you can change the loginUrl property to suit your need (to a different page).

You stated:
.. a logoned user whose role is not "Admin" tries access the
testAdmin.aspx page, the system
still redirect him/her to login page

But that's what it's supposed to do.

If you want more control you can switch to Windows Auth and do the authorization in your code.
Then in code use User.IsInRole("Admin")
Look at these samples by Scott:
http://weblogs.asp.net/scottgu/pages...QL-Server.aspx
Hope that helps
Patrick

RedHair
      10-07-2008
Thanks.
I hope there is a way to tell the user on the login page why he/she was
redirected to the login page: because of his role, or because he is anonymous.

If it's due to the role security setting, the user will be redirected to the
login page again and again without any information, because he has a
valid account.

Joe Kaplan
      10-07-2008
As I recall, there is a way to detect that forms auth has redirected you
to the logon page in the EndRequest event (in global.asax) and to change
that to show a different page instead of doing a redirect. You would need to
execute the logic to test whether the user is authenticated first, as you
need to ensure that the user is being redirected as authenticated but not
authorized as opposed to just "authenticated".

I think if you do some searches you'll find some samples of how to achieve
this. It is a bit of a pain that the built-in system isn't a little more
flexible with this.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
Reply With Quote
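One way to implement the EndRequest check Joe Kaplan describes, as an added example that is not code from the thread. It assumes cookie-based forms authentication, that the handler sees either the raw 401 or the 302 to loginUrl, and a hypothetical AccessDenied.aspx page that every authenticated user may read.

```csharp
// Global.asax.cs -- added example, not code posted in the thread.
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Hypothetical page (assumption). It must be readable by every
    // authenticated user, or this handler would bounce the user in a loop.
    private const string AccessDeniedPage = "~/AccessDenied.aspx";

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Anonymous users keep the normal redirect to loginUrl.
        if (!Request.IsAuthenticated)
            return;

        if (!IsAuthorizationFailure(Response))
            return;

        // Authenticated but not authorized: replace the login redirect with
        // a fixed, application-local target. ReturnUrl is deliberately
        // dropped so no caller-supplied URL ends up in the new location.
        Response.ClearContent();
        Response.StatusCode = 302;
        Response.RedirectLocation = VirtualPathUtility.ToAbsolute(AccessDeniedPage);
    }

    private static bool IsAuthorizationFailure(HttpResponse response)
    {
        // 401: URL authorization denied the request and nothing has
        // rewritten the response yet.
        if (response.StatusCode == 401)
            return true;

        // 302 to loginUrl: forms authentication already turned the 401 into
        // a redirect. Compare the path only, ignoring "?ReturnUrl=...".
        if (response.StatusCode != 302 || string.IsNullOrEmpty(response.RedirectLocation))
            return false;

        string target = response.RedirectLocation.Split('?')[0];
        return string.Equals(target, FormsAuthentication.LoginUrl,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

A logout handler that signs the user out and redirects to loginUrl in the same request matches the same test, so exempt that path or send it to a different page.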
 
 
 