Can I force 401 error when user not authenticated? - ASP.NET Security


  1. #1

    Can I force 401 error when user not authenticated?

    Currently I have successfully implemented role-based folder security using
    roles and web.config in each folder. This works great - if a user is not
    authenticated or a member of an allowed role, that user cannot access the
    resource (woohoo!). When the disallowed user tries to access the resource,
    it redirects them to a login page.

    What I want is that, when an unauthorized user tries to access a secure
    resource, I want it to raise a 401 error (which would then call my 401
    custom error page).

    Can I do this?

    In my web.config for the application, I have:

    <forms name="Auth" loginUrl="login.aspx" protection="All" path="/"/>

    If the user fails, it auto-redirects to login.aspx.



    I tried this:

    <forms name="Auth" protection="All" path="/"/> <!-- loginUrl omitted-->

    And rebuilt then restarted the webserver - same thing.



    How can I set it up so that unauthorized requests raise a 403 error? I have
    this in web.config as well...

    <customErrors mode="On" defaultRedirect="/errors/404.aspx">
        <error statusCode="400" redirect="/errors/400.aspx"/><!-- 400 (Bad Request) -->
        <error statusCode="401" redirect="/errors/401.aspx"/><!-- 401 (Unauthorized) -->
        <error statusCode="403" redirect="/errors/403.aspx"/><!-- 403 (Forbidden) -->
        <error statusCode="404" redirect="/errors/404.aspx"/><!-- 404 (Not Found) -->
        <error statusCode="500" redirect="/errors/500.aspx"/><!-- 500 (Internal Server Error) -->
    </customErrors>


    Bigtoga Guest

  2. #2

    Re: Can I force 401 error when user not authenticated?

    Hi

    When using forms authentication, you are never sending back a 403 header.
    You are just redirecting the user to another ASP.NET page. A 403 header
    forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest etc).

    Forms auth never involves these HTTP status codes - all pages are 200 OK. It
    is at the application layer (of your ASP.NET app) that you enforce
    authentication, not at the lower HTTP level.

    Cheers
    Ken


    "Bigtoga" <bigtogamaratrane.com> wrote in message
    news:BM9ic.11313$004.293newssvr31.news.prodigy.com...


    Ken Schaefer Guest

  3. #3

    Re: Can I force 401 error when user not authenticated?

    Excellent info - thanks very much.

    So, if I have a page/section that requires authentication and a user who is
    not authenticated tries to visit, can I redirect to a different page than
    the loginUrl specified in web.config?

    Essentially, I'm using
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
    <system.web>
    <authorization>
    <allow roles="SuperPeople"/>
    <deny users="*" />
    </authorization>
    </system.web>
    </configuration>

    in my web.config file for each "secure" directory. If the user is already
    logged in but doesn't belong to the SuperPeople role, it sends them to the
    login page (but they've already logged in).

    Any ideas would be helpful


    "Ken Schaefer" <kenREMOVETHISadOpenStatic.com> wrote in message
    news:eXlMpJcKEHA.2396TK2MSFTNGP12.phx.gbl...

    Bigtoga Guest

  4. #4

    Re: Can I force 401 error when user not authenticated?

    Hi,

    What type of authentication are you talking about? If you are talking about
    HTTP Authentication, you can't (as a general rule [1]) do this with a form.
    Why? Because you need to authenticate *before* the form can be loaded
    (before ASP.NET even kicks in). This happens directly between the webserver
    and web browser.

    If you are talking about forms auth, then you specify your own login page.
    Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
    concerned, all user access is "anonymous". It is ASP.NET that keeps track of
    users, and who's authenticated etc.

    Cheers
    Ken

    [1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP auth
    via a form. Whether this also works with ASP.NET I don't know, and it's not
    an officially supported product. The source code for this tool is in the
    Windows 2003 Platform SDK.


    "Bigtoga" <bigtogamaratrane.com> wrote in message
    news:n6tic.1445$UP.281newssvr15.news.prodigy.com...


    Ken Schaefer Guest

  5. #5

    Re: Can I force 401 error when user not authenticated?

    Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
    just for clarity, is:

    <allow users="*"/> for full site

    "/specialAccessOnly/" - <allow roles="Special"/>
    "/authenticated/" - <allow roles="Special, Auth"/>

    As you can see, the "Special" role has more perms than the "Auth" role.

    Here's the issue:
    ** If a "Auth" role tries to visit the "/specialAccessOnly/" folder, they
    will get redirected to the page specified in loginUrl (but they are actually
    already logged in).

    What I'm trying to do (if not possible, just say "Not possible" and I'll be
    happy and quit looking!):
    ** Instead of redirecting back to the loginUrl, I'd like to redirect to a
    page that says they don't have access to reach this page (simulating a 401
    error with a customError).

    I only want to use Forms Auth on this; like I said, if what I want can't be
    done, then that's okay too!

    Thanks for the responses :)

    PS - I could do this, I think, in the loginUrl page by using
    if ( Request.Params["ReturnURL"] != null)

    // my code to put Unauthorized Access message here


    "Ken Schaefer" <kenREMOVETHISadOpenStatic.com> wrote in message
    news:OG133BgKEHA.1892TK2MSFTNGP09.phx.gbl...

    Bigtoga Guest
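A complete web.config for the layout Bigtoga describes in post #5, added here as an example rather than anything posted in the thread. It uses the folder and role names from that post, the <forms> element and /errors/ pages from post #1, and keeps all rules in the root file using <location> sections (a web.config in each folder, as in post #3, behaves the same). The detail that matters for security is the trailing <deny users="*"/> in each restricted folder: ASP.NET evaluates the rules top-down, stops at the first match, and appends the parent's rules (here the root's allow-all) after the folder's own, so a folder whose only rule is <allow roles="Special"/>, as written in post #5, admits everybody.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the poster's web.config. Folder names, role names and
     error-page paths are taken from the thread; everything else is assumed. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="Auth" loginUrl="login.aspx" protection="All" path="/" />
    </authentication>

    <!-- Root of the site: everyone, including anonymous users ("?"), may browse. -->
    <authorization>
      <allow users="*" />
    </authorization>

    <customErrors mode="On" defaultRedirect="/errors/404.aspx">
      <error statusCode="403" redirect="/errors/403.aspx" />
      <error statusCode="404" redirect="/errors/404.aspx" />
    </customErrors>
  </system.web>

  <!-- First matching rule wins and the root's "allow *" is consulted after
       these, so each restricted folder must close with an explicit deny. -->
  <location path="specialAccessOnly">
    <system.web>
      <authorization>
        <allow roles="Special" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="authenticated">
    <system.web>
      <authorization>
        <allow roles="Special,Auth" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this file, both an anonymous user and a user holding only the Auth role who request /specialAccessOnly/ get a 401 from UrlAuthorizationModule, which FormsAuthenticationModule then turns into the 302 to login.aspx?ReturnUrl=... that the thread is trying to intercept. The customErrors entry for 403 is only used when an HttpException with that status is raised by your own code; the authorization modules never raise one.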

  6. #6

    Re: Can I force 401 error when user not authenticated?

    in my page specified in the loginUrl, I use:

    if ( Request.Params["ReturnURL"] != null)
    // code to write message, redirect, etc

    this is the easiest solution, I suppose. It does what I need.

    Thanks for the help but, if anyone has any further ideas, please post


    Bigtoga Guest

  7. #7

    Re: Can I force 401 error when user not authenticated?

    Not possible?... This is .NET. I think what you want is the same kind
    of functionality you get from Windows role-based authorization. Meaning
    even if you have authenticated already and received your token with
    group membership info, a subsequent visit to a page with authorization
    requirements not meeting your token contents you are presented with an
    authentication dialog. At that point you either login again hoping to
    get an updated token with new group added or you just change to a
    different user to get access to that more secure content.

    So if you want to get that going with forms based authentication then
    you need a way to redirect when an authorization attempt fails post
    successful authentication.

    The following code will help: You could be more creative and write your
    own HttpModule but this works for me. I haven't put a whole lot of time
    behind it but I am sure it is the ingredient you are looking for.

    Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
        ' Errors raised while a page runs reach Global.asax wrapped in an
        ' HttpUnhandledException, so inspect the innermost exception.
        Dim ex As Exception = Server.GetLastError().GetBaseException()

        If TypeOf ex Is System.Security.SecurityException Then
            ' Send the user back through the login page, preserving the
            ' requested URL so they can be returned to it afterwards.
            Response.Redirect("login.aspx?ReturnUrl=" & _
                HttpUtility.UrlEncode(Context.Request.Url.PathAndQuery, _
                                      Context.Request.ContentEncoding))
        End If
    End Sub



    Bigtoga wrote:
    Joseph E Shook [MVP - ADSI] Guest

  8. #8

    Re: Can I force 401 error when user not authenticated?

    Thanks - while your code would work, I went the easy way out in my other
    post:

    in my page specified in the loginUrl, I use:

    if ( Request.Params["ReturnURL"] != null)
    // code to write message, redirect, etc

    this is the easiest solution, I suppose. It does what I need.

    Are you suggesting there are other problems with my method that I'm not
    aware of? I'd certainly like to know if my method would cause
    errors/elevated-access...


    "Joseph E Shook [MVP - ADSI]" <joeshookdeploymentCentric.com> wrote in
    message news:408C91B9.3030503deploymentCentric.com...

    Bigtoga Guest

  9. #9

    Re: Can I force 401 error when user not authenticated?

    What you can do, is this:

    on your Login page, check if the request is authenticated, and if so,
    that means the user has already logged in but didn't have the correct
    permission to access the resource, so he/she got bumped back to the
    login.

    thus....login.aspx:

    private void Page_Load(object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            // The user has already logged in, but
            // did not have the rights to the requested resource,
            // so let's redirect to our custom 403 page
            // and let him/her know that access was denied!
            Response.Redirect("my403.aspx", true);
        }
        else
        {
            // Do my regular page load stuff here
        }
    }

    Hope this helps you.

    And while I am at it....I just put a post with a question on
    role-based authentication/authorization, but no replies...so here it
    is, and if you have any suggestions I'd appreciate it!

    I have an ASP.NET application that uses forms authentication. I
    rolled my own CustomPrincipal class for role-based authentication, and
    wired the Application_AuthenticateRequest() event on my global.asax.
    All is working great.

    Now my new requirement is that I make a role on my SQLServer db that
    is a "low level" user. This role will only have access to ONE
    specific folder on my application, and nothing else outside of it.
    Other roles can access other folders including this one. I should
    also note that there is no anonymous access on this application.
    Everything is password protected, so when the first request fires, the
    user is automatically redirected to the login page, then, once
    authenticated, he/she is taken to the default.aspx on the root.

    Everyone uses the same login page, but if the user name is in the
    "low-level" role, I need to automatically redirect to the special
    folder, while all other users get taken to my root's default.aspx (if
    no other return url string is specified).

    This is a snippet of my web.config on the root directory:
    <authentication mode="Forms">
      <forms name=".ELITECTSUSERAUTH" loginUrl="~/login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             path="/" />
    </authentication>
    <authorization>
      <deny users="?" roles="5" /> <!-- Deny anonymous users and low-level roles -->
      <allow users="*" />
    </authorization>

    As you can see, this denies access to anonymous users and users in the
    role "5", which is my "low-level" user.
    So the question is this: (1) how to make the application kick the
    low-level user to the special folder once he/she is authorized and a
    principal has been generated for them, without ever going to the root
    default.aspx.

    I also thought I should include either a location section in my root
    web.config that allows role 5 into the special folder, or add a new
    web.config to that special folder allowing authenticated users and all
    roles, overriding the root web.config.

    Does anybody have any suggestions to this problem?

    Thiago Silva
    web developer

    -------------------------------------------------------



    "Bigtoga" <bigtogamaratrane.com> wrote in message news:<v5wic.1478$ZJ4.1367newssvr15.news.prodigy.com>...
    > in my page specified in the loginUrl, I use:
    >
    > if ( Request.Params["ReturnURL"] != null)
    > // code to write message, redirect, etc
    >
    > this is the easiest solution, I suppose. It does what I need.
    >
    > Thanks for the help but, if anyone has any further ideas, please post
    tafs7 Guest
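An added example (not code from this thread) that folds the login-page IsAuthenticated check above together with the role-based landing page tafs7 asks about. It assumes ASP.NET 2.0 Web Forms, `Membership.ValidateUser` for the credential check, a hypothetical `UserStore.GetRoles` standing in for the SQL Server role lookup, and `UserName`, `Password` and `Message` controls in login.aspx; `my403.aspx`, the `special` folder and role `5` come from the posts above.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
public partial class Login : Page   // UserName, Password, Message: controls in login.aspx
{
    private const string LowLevelRole = "5";
    private const string LowLevelHome = "~/special/default.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Authenticated and sent here with a ReturnUrl means <authorization> denied the
        // user: a 403 case, not a missing login (direct visits still show the form).
        if (Request.IsAuthenticated && Request.QueryString["ReturnUrl"] != null)
        {
            // my403.aspx can set Response.StatusCode = 403 itself so the denial logs as 403.
            Response.Redirect("~/my403.aspx", true);
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(UserName.Text, Password.Text))
        {
            Message.Text = "Invalid user name or password.";
            return;
        }
        string[] roles = UserStore.GetRoles(UserName.Text); // hypothetical SQL lookup

        // Roles ride in UserData so Application_AuthenticateRequest can rebuild the principal.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join(",", roles));
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;   // keep the ticket out of reach of page script
        Response.Cookies.Add(cookie);
        Response.Redirect(LandingPage(roles, Request.QueryString["ReturnUrl"]), true);
    }

    // Role 5 always lands in its folder; others follow ReturnUrl only if it is a local path.
    internal static string LandingPage(string[] roles, string returnUrl)
    {
        if (Array.IndexOf(roles, LowLevelRole) >= 0) return LowLevelHome;
        bool local = !string.IsNullOrEmpty(returnUrl) && returnUrl.StartsWith("/")
                     && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\");
        return local ? returnUrl : "~/default.aspx";
    }
}
```

The ReturnUrl check matters because the login page otherwise redirects wherever the query string says, which turns it into an open redirect.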
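An added web.config example (not from the thread) for the second idea in tafs7's post: keep the root denying role 5 and grant it just the one folder through a `<location>` element. It assumes the folder is named `special`; the rule-ordering caveat in the comment is what makes the override work.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ELITECTSUSERAUTH" loginUrl="~/login.aspx" protection="All"
             timeout="30" slidingExpiration="true" path="/" />
    </authentication>
    <!-- Root: anonymous users and the low-level role get nothing here. -->
    <authorization>
      <deny users="?" roles="5" />
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- The one folder role 5 may use. UrlAuthorizationModule puts the rules
       nearest the requested path first and stops at the first match, so the
       allow below wins over the root deny for this path only. -->
  <location path="special">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow roles="5" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```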
