Can I force 401 error when user not authenticated?

[Bigtoga]

Currently I have succesfully implemented role-based folder security using
roles and web.config in each folder. This works great - if a user is not
authenticated or a member of an allowed role, that user cannot access the
resource (woohoo!). When the disallowed user tries to access the resource,
it redirects them to a login page.

What I want is that, when an unauthorized user tries to access a secure
resource, I want it to raise a 401 error (which would then call my 401
customer error page).

Can I do this?

In my web.config for the application, I have:

<forms name="Auth" loginUrl="login.aspx" protection="All" path="/"/>

If the user fails, it auto-redirects to login.aspx.



I tried this:

<forms name="Auth" protection="All" path="/"/> <!-- loginUrl omitted-->

And rebuilt then restarted the webserver - same thing.



How can I set it up so that unathorized requests raise a 403 error? i have
this in web.config as well...

<customErrors mode="On" defaultRedirect="/errors/404.aspx">

<error statusCode="400" redirect="/errors/400.aspx"/><!--400 (Bad
Request)-->

<error statusCode="401" redirect="/errors/401.aspx"/><!--401
(Unauthorized)-->

<error statusCode="403" redirect="/errors/403.aspx"/><!--403 (Forbidden)-->

<error statusCode="404" redirect="/errors/404.aspx"/><!--404 (Not Found)-->

<error statusCode="500" redirect="/errors/500.aspx"/><!--500 (Internal
Server Error)-->

</customErrors>

[Ken Schaefer]

Hi

When using forms authentication, you are never sending back a 403 header.
You are just redirecting the user to another ASP.NET page. A 403 header
forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest etc).

Forms auth never involves these HTTP status codes - all pages are 200 OK. It
is at the application layer (of your ASP.NET app) that you enforce
authentication, not at the lower HTTP level.

Cheers
Ken


"Bigtoga" <bigtoga@maratrane.com> wrote in message
news:BM9ic.11313$004.293@newssvr31.news.prodigy.co m...
: Currently I have succesfully implemented role-based folder security using
: roles and web.config in each folder. This works great - if a user is not
: authenticated or a member of an allowed role, that user cannot access the
: resource (woohoo!). When the disallowed user tries to access the resource,
: it redirects them to a login page.
:
: What I want is that, when an unauthorized user tries to access a secure
: resource, I want it to raise a 401 error (which would then call my 401
: customer error page).
:
: Can I do this?
:
: In my web.config for the application, I have:
:
: <forms name="Auth" loginUrl="login.aspx" protection="All" path="/"/>
:
: If the user fails, it auto-redirects to login.aspx.
:
:
:
: I tried this:
:
: <forms name="Auth" protection="All" path="/"/> <!-- loginUrl omitted-->
:
: And rebuilt then restarted the webserver - same thing.
:
:
:
: How can I set it up so that unathorized requests raise a 403 error? i have
: this in web.config as well...
:
: <customErrors mode="On" defaultRedirect="/errors/404.aspx">
:
: <error statusCode="400" redirect="/errors/400.aspx"/><!--400 (Bad
: Request)-->
:
: <error statusCode="401" redirect="/errors/401.aspx"/><!--401
: (Unauthorized)-->
:
: <error statusCode="403" redirect="/errors/403.aspx"/><!--403
(Forbidden)-->
:
: <error statusCode="404" redirect="/errors/404.aspx"/><!--404 (Not
Found)-->
:
: <error statusCode="500" redirect="/errors/500.aspx"/><!--500 (Internal
: Server Error)-->
:
: </customErrors>
:
:

[Bigtoga]

Excellent info - thanks very much.

So, if I have a page/section that requies authentication and a user who is
not authenticated tries to visit, can I redirect to a different page than
the loginUrl specified inweb.config?

Essentially, I'm using
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authorization>
<allow roles="SuperPeople"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>

in my web.config file for each "secure" drectory. If the user is already
logged in but doesn't belong to the SuperPeople role, it sends them to the
login page (but they've already logged in).

Any ideas would be helpful


"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...

> Hi
>
> When using forms authentication, you are never sending back a 403 header.
> You are just redirecting the user to another ASP.NET page. A 403 header
> forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest

etc).

>
> Forms auth never involves these HTTP status codes - all pages are 200 OK.

It

> is at the application layer (of your ASP.NET app) that you enforce
> authentication, not at the lower HTTP level.
>
> Cheers
> Ken

[Ken Schaefer]

Hi,

What type of authentication are you talking about? If you are talking about
HTTP Authentication, you can't (as a general rule [1]) do this with a form.
Why? Because you need to authenticate *before* the form can be loaded
(before ASP.NET even kicks in). This happens directly between the webserver
and webbrowser.

If you are talking about forms auth, then you specify your own login page.
Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
concerned, all user access is "anonymous". It is ASP.NET that keeps track of
users, and who's authenticated etc.

Cheers
Ken

[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP auth
via a form. Whether this also works with ASP.NET I don't know, and it's not
an officially supported product. The source code for this tool is in the
Windows 2003 Platform SDK.


"Bigtoga" <bigtoga@maratrane.com> wrote in message
news:n6tic.1445$UP.281@newssvr15.news.prodigy.com. ..
: Excellent info - thanks very much.
:
: So, if I have a page/section that requies authentication and a user who is
: not authenticated tries to visit, can I redirect to a different page than
: the loginUrl specified inweb.config?
:
: Essentially, I'm using
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
: <system.web>
: <authorization>
: <allow roles="SuperPeople"/>
: <deny users="*" />
: </authorization>
: </system.web>
: </configuration>
:
: in my web.config file for each "secure" drectory. If the user is already
: logged in but doesn't belong to the SuperPeople role, it sends them to the
: login page (but they've already logged in).
:
: Any ideas would be helpful
:
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
: > Hi
: >
: > When using forms authentication, you are never sending back a 403
header.
: > You are just redirecting the user to another ASP.NET page. A 403 header
: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
: etc).
: >
: > Forms auth never involves these HTTP status codes - all pages are 200
OK.
: It
: > is at the application layer (of your ASP.NET app) that you enforce
: > authentication, not at the lower HTTP level.
: >
: > Cheers
: > Ken
:
:

[Bigtoga]

Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
just for clarity, is:

<allow users="*"> for full site

"/specialAccessOnly/" - <allow roles="Special">
"/authenticated/" - <allow roles="Special, Auth">

As you can see, the "Special" role has more perms than the "Auth" role.

Here's the issue:
** If a "Auth" role tries to visit the "/specialAccessOnly/" folder, they
will get redirected to the page specified in loginUrl (but they are actually
already logged in).

What I'm trying to do (if not possible, just say "Not possible" and I'll be
happy and quit looking!):
** Instead of redirecting back to the loginUrl, I'd like to redirect to a
page that says they don't have access to reach this page (simluating a 401
error with a customError).

I only want to use Forms Auth on this; like I said, if what I want can't be
done, then that's okay too!

Thanks for the responses :)

PS - I could do this, I think, in the loginUrl page by using
if ( Request.Params["ReturnURL"] != null)

// my code to put Unauthorized Access message here


"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OG133BgKEHA.1892@TK2MSFTNGP09.phx.gbl...

> Hi,
>
> What type of authentication are you talking about? If you are talking

about

> HTTP Authentication, you can't (as a general rule [1]) do this with a

form.

> Why? Because you need to authenticate *before* the form can be loaded
> (before ASP.NET even kicks in). This happens directly between the

webserver

> and webbrowser.
>
> If you are talking about forms auth, then you specify your own login page.
> Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
> concerned, all user access is "anonymous". It is ASP.NET that keeps track

of

> users, and who's authenticated etc.
>
> Cheers
> Ken
>
> [1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP

auth

> via a form. Whether this also works with ASP.NET I don't know, and it's

not

> an officially supported product. The source code for this tool is in the
> Windows 2003 Platform SDK.
>
>
> "Bigtoga" <bigtoga@maratrane.com> wrote in message
> news:n6tic.1445$UP.281@newssvr15.news.prodigy.com. ..
> : Excellent info - thanks very much.
> :
> : So, if I have a page/section that requies authentication and a user who

is

> : not authenticated tries to visit, can I redirect to a different page

than

> : the loginUrl specified inweb.config?
> :
> : Essentially, I'm using
> : <?xml version="1.0" encoding="utf-8" ?>
> : <configuration>
> : <system.web>
> : <authorization>
> : <allow roles="SuperPeople"/>
> : <deny users="*" />
> : </authorization>
> : </system.web>
> : </configuration>
> :
> : in my web.config file for each "secure" drectory. If the user is already
> : logged in but doesn't belong to the SuperPeople role, it sends them to

the

> : login page (but they've already logged in).
> :
> : Any ideas would be helpful
> :
> :
> : "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> : news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
> : > Hi
> : >
> : > When using forms authentication, you are never sending back a 403
> header.
> : > You are just redirecting the user to another ASP.NET page. A 403

header

> : > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
> : etc).
> : >
> : > Forms auth never involves these HTTP status codes - all pages are 200
> OK.
> : It
> : > is at the application layer (of your ASP.NET app) that you enforce
> : > authentication, not at the lower HTTP level.
> : >
> : > Cheers
> : > Ken
> :
> :
>
>

[Bigtoga]

in my page specified in the loginUrl, I use:

if ( Request.Params["ReturnURL"] != null)
// code to write message, redirect, etc

this is the easiest solution, I suppose. It does what I need.

Thanks for the help but, if anyone has any further ideas, please post

[Joseph E Shook [MVP - ADSI]]

Not possible?... This is .NET. I think what you want is the same kind
of functionality you get from windows role based authorization. Meaning
even if you have authenticated already and received your token with
group membership info, a subsequent visit to a page with authorization
requirements not meeting your token contents you are presented with a
authentication dialog. At that point you either login again hoping to
get an updated token with new group added or you just change to a
different user to get access to that more secure content.

So if you want to get that going with forms based authentication then
you need a way to redirect when a authorization attempt fails post
successful authentication.

The following code will help: You could be more creative and write your
own HttpModule but this works for me. I haven't put a whole lot of time
behind it but I am sure it is the ingredient you are looking for.

Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)

If
Server.GetLastError().GetType().Equals(GetType(Sys tem.Security.SecurityException))
Then
Response.Redirect("login.aspx?ReturnUrl=" &
HttpUtility.UrlEncode(Context.Request.Url.PathAndQ uery,
Context.Request.ContentEncoding))
End If

End Sub



Bigtoga wrote:

> Thanks. Sorry for my unclear response - I am using Forms auth. The problem,
> just for clarity, is:
>
> <allow users="*"> for full site
>
> "/specialAccessOnly/" - <allow roles="Special">
> "/authenticated/" - <allow roles="Special, Auth">
>
> As you can see, the "Special" role has more perms than the "Auth" role.
>
> Here's the issue:
> ** If a "Auth" role tries to visit the "/specialAccessOnly/" folder, they
> will get redirected to the page specified in loginUrl (but they are actually
> already logged in).
>
> What I'm trying to do (if not possible, just say "Not possible" and I'll be
> happy and quit looking!):
> ** Instead of redirecting back to the loginUrl, I'd like to redirect to a
> page that says they don't have access to reach this page (simluating a 401
> error with a customError).
>
> I only want to use Forms Auth on this; like I said, if what I want can't be
> done, then that's okay too!
>
> Thanks for the responses :)
>
> PS - I could do this, I think, in the loginUrl page by using
> if ( Request.Params["ReturnURL"] != null)
>
> // my code to put Unauthorized Access message here
>
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:OG133BgKEHA.1892@TK2MSFTNGP09.phx.gbl...
>

>>Hi,
>>
>>What type of authentication are you talking about? If you are talking

>
> about
>

>>HTTP Authentication, you can't (as a general rule [1]) do this with a

>
> form.
>

>>Why? Because you need to authenticate *before* the form can be loaded
>>(before ASP.NET even kicks in). This happens directly between the

>
> webserver
>

>>and webbrowser.
>>
>>If you are talking about forms auth, then you specify your own login page.
>>Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
>>concerned, all user access is "anonymous". It is ASP.NET that keeps track

>
> of
>

>>users, and who's authenticated etc.
>>
>>Cheers
>>Ken
>>
>>[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP

>
> auth
>

>>via a form. Whether this also works with ASP.NET I don't know, and it's

>
> not
>

>>an officially supported product. The source code for this tool is in the
>>Windows 2003 Platform SDK.
>>
>>
>>"Bigtoga" <bigtoga@maratrane.com> wrote in message
>>news:n6tic.1445$UP.281@newssvr15.news.prodigy.co m...
>>: Excellent info - thanks very much.
>>:
>>: So, if I have a page/section that requies authentication and a user who

>
> is
>

>>: not authenticated tries to visit, can I redirect to a different page

>
> than
>

>>: the loginUrl specified inweb.config?
>>:
>>: Essentially, I'm using
>>: <?xml version="1.0" encoding="utf-8" ?>
>>: <configuration>
>>: <system.web>
>>: <authorization>
>>: <allow roles="SuperPeople"/>
>>: <deny users="*" />
>>: </authorization>
>>: </system.web>
>>: </configuration>
>>:
>>: in my web.config file for each "secure" drectory. If the user is already
>>: logged in but doesn't belong to the SuperPeople role, it sends them to

>
> the
>

>>: login page (but they've already logged in).
>>:
>>: Any ideas would be helpful
>>:
>>:
>>: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
>>: news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
>>: > Hi
>>: >
>>: > When using forms authentication, you are never sending back a 403
>>header.
>>: > You are just redirecting the user to another ASP.NET page. A 403

>
> header
>

>>: > forces the browser to use HTTP authentication (e.g. Basic, IWA, Digest
>>: etc).
>>: >
>>: > Forms auth never involves these HTTP status codes - all pages are 200
>>OK.
>>: It
>>: > is at the application layer (of your ASP.NET app) that you enforce
>>: > authentication, not at the lower HTTP level.
>>: >
>>: > Cheers
>>: > Ken
>>:
>>:
>>
>>

>
>
>

[Bigtoga]

Thanks - while your code would work, I went the easy way out in my other
post:

in my page specified in the loginUrl, I use:

if ( Request.Params["ReturnURL"] != null)
// code to write message, redirect, etc

this is the easiest solution, I suppose. It does what I need.

Are you suggesting there are other problems with my method that I'm not
aware of? I'd certainly like to know if my method would cause
errors/elevated-access...


"Joseph E Shook [MVP - ADSI]" <joeshook@deploymentCentric.com> wrote in
message news:408C91B9.3030503@deploymentCentric.com...

> Not possible?... This is .NET. I think what you want is the same kind
> of functionality you get from windows role based authorization. Meaning
> even if you have authenticated already and received your token with
> group membership info, a subsequent visit to a page with authorization
> requirements not meeting your token contents you are presented with a
> authentication dialog. At that point you either login again hoping to
> get an updated token with new group added or you just change to a
> different user to get access to that more secure content.
>
> So if you want to get that going with forms based authentication then
> you need a way to redirect when a authorization attempt fails post
> successful authentication.
>
> The following code will help: You could be more creative and write your
> own HttpModule but this works for me. I haven't put a whole lot of time
> behind it but I am sure it is the ingredient you are looking for.
>
> Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
>
> If
>

Server.GetLastError().GetType().Equals(GetType(Sys tem.Security.SecurityExcep
tion))

> Then
> Response.Redirect("login.aspx?ReturnUrl=" &
> HttpUtility.UrlEncode(Context.Request.Url.PathAndQ uery,
> Context.Request.ContentEncoding))
> End If
>
> End Sub
>
>
>
> Bigtoga wrote:

> > Thanks. Sorry for my unclear response - I am using Forms auth. The

problem,

> > just for clarity, is:
> >
> > <allow users="*"> for full site
> >
> > "/specialAccessOnly/" - <allow roles="Special">
> > "/authenticated/" - <allow roles="Special, Auth">
> >
> > As you can see, the "Special" role has more perms than the "Auth" role.
> >
> > Here's the issue:
> > ** If a "Auth" role tries to visit the "/specialAccessOnly/" folder,

they

> > will get redirected to the page specified in loginUrl (but they are

actually

> > already logged in).
> >
> > What I'm trying to do (if not possible, just say "Not possible" and I'll

be

> > happy and quit looking!):
> > ** Instead of redirecting back to the loginUrl, I'd like to redirect to

a

> > page that says they don't have access to reach this page (simluating a

401

> > error with a customError).
> >
> > I only want to use Forms Auth on this; like I said, if what I want can't

be

> > done, then that's okay too!
> >
> > Thanks for the responses :)
> >
> > PS - I could do this, I think, in the loginUrl page by using
> > if ( Request.Params["ReturnURL"] != null)
> >
> > // my code to put Unauthorized Access message here
> >
> >
> > "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> > news:OG133BgKEHA.1892@TK2MSFTNGP09.phx.gbl...
> >

> >>Hi,
> >>
> >>What type of authentication are you talking about? If you are talking

> >
> > about
> >

> >>HTTP Authentication, you can't (as a general rule [1]) do this with a

> >
> > form.
> >

> >>Why? Because you need to authenticate *before* the form can be loaded
> >>(before ASP.NET even kicks in). This happens directly between the

> >
> > webserver
> >

> >>and webbrowser.
> >>
> >>If you are talking about forms auth, then you specify your own login

page.

> >>Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
> >>concerned, all user access is "anonymous". It is ASP.NET that keeps

track

> >
> > of
> >

> >>users, and who's authenticated etc.
> >>
> >>Cheers
> >>Ken
> >>
> >>[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP

> >
> > auth
> >

> >>via a form. Whether this also works with ASP.NET I don't know, and it's

> >
> > not
> >

> >>an officially supported product. The source code for this tool is in the
> >>Windows 2003 Platform SDK.
> >>
> >>
> >>"Bigtoga" <bigtoga@maratrane.com> wrote in message
> >>news:n6tic.1445$UP.281@newssvr15.news.prodigy.co m...
> >>: Excellent info - thanks very much.
> >>:
> >>: So, if I have a page/section that requies authentication and a user

who

> >
> > is
> >

> >>: not authenticated tries to visit, can I redirect to a different page

> >
> > than
> >

> >>: the loginUrl specified inweb.config?
> >>:
> >>: Essentially, I'm using
> >>: <?xml version="1.0" encoding="utf-8" ?>
> >>: <configuration>
> >>: <system.web>
> >>: <authorization>
> >>: <allow roles="SuperPeople"/>
> >>: <deny users="*" />
> >>: </authorization>
> >>: </system.web>
> >>: </configuration>
> >>:
> >>: in my web.config file for each "secure" drectory. If the user is

already

> >>: logged in but doesn't belong to the SuperPeople role, it sends them to

> >
> > the
> >

> >>: login page (but they've already logged in).
> >>:
> >>: Any ideas would be helpful
> >>:
> >>:
> >>: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> >>: news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
> >>: > Hi
> >>: >
> >>: > When using forms authentication, you are never sending back a 403
> >>header.
> >>: > You are just redirecting the user to another ASP.NET page. A 403

> >
> > header
> >

> >>: > forces the browser to use HTTP authentication (e.g. Basic, IWA,

Digest

> >>: etc).
> >>: >
> >>: > Forms auth never involves these HTTP status codes - all pages are

200

> >>OK.
> >>: It
> >>: > is at the application layer (of your ASP.NET app) that you enforce
> >>: > authentication, not at the lower HTTP level.
> >>: >
> >>: > Cheers
> >>: > Ken
> >>:
> >>:
> >>
> >>

> >
> >
> >

[tafs7]

What you can do, is this:

on your Login page, check if the request is authenticated, and if so,
that means the user has already logged in but didn't have the correct
permission to access the resource, so he/she got bumped back to the
login.

thus....login.aspx:

private void Page_Load(object sender, EventArgs e)
{
if(Request.IsAuthenticated)
{
//the user has already logged in, but
//did not have the rights to the requested resource
//so let's redirect to our custom 403 page
// and let him/her know that access was denied!

Response.Redirect("my403.aspx", true)
}
else
{
//do my regular page load stuff here
}
}

Hope this helps you.

And while I am at it....I just put a post with a question on
role-based authentication/authorization, but no replies...so here it
is, and if you have any suggestions I'd appreciate it!

I have an ASP.NET application that uses forms authentication. I
rolled my own CustomPrincipal class for role-based authentication, and
wired the Application_AuthenticateRequest() event on my global.asax.
All is working great.

Now my new requirement is that I make a role on my SQLServer db that
is a "low level" user. This role will only have access to ONE
specific folder on my application, and nothing else outside of it.
Other roles can access other folders including this one. I should
also note that there is no anonymous access on this application.
Everything is password protected, so when the first request fires, the
user is automatically redirected to the login page, then, once
authenticated, he/she is taken to the default.aspx on the root.

Everyone uses the same login page, but if the user name is in the
"low-level" role, I need to automatically redirect to the special
folder, while all other users get taken to my root's default.aspx (if
no other return url string is specified).

This is a snippet of my web.config on the root directory:
<authentication mode="Forms">
<forms name=".ELITECTSUSERAUTH" loginUrl="~/login.aspx"
protection="All"
timeout="30"
slidingExpiration="true"
path="/" />
</authentication>
<authorization>
<deny users="?" roles="5" /> <!-- Deny anonymous users and low-level
roles-->
<allow users="*" />
</authorization>

As you can see, this denies access to anonymous users and users in the
role "5", which is my "low-level" user.
So the question is this: (1) how to make the application kick the
low-level user to the special folder once he/she is authorized and a
principal has been generated for them, without ever going to the root
default.aspx.

I also thought I should include either a location section in my root
web.config that allows role 5 into the special folder, or add a new
web.config to that special folder allowing authenticated users and all
roles, overriding the root web.config.

Does anybody have any suggestions to this problem?

Thiago Silva
web developer

-------------------------------------------------------



"Bigtoga" <bigtoga@maratrane.com> wrote in message news:<v5wic.1478$ZJ4.1367@newssvr15.news.prodigy.c om>...

> in my page specified in the loginUrl, I use:
>
> if ( Request.Params["ReturnURL"] != null)
> // code to write message, redirect, etc
>
> this is the easiest solution, I suppose. It does what I need.
>
> Thanks for the help but, if anyone has any further ideas, please post