Forms Auth Redirect on Access Denied - Question/Help

Ask a Question related to ASP.NET Security, Design and Development.

  1. #1

    Forms Auth Redirect on Access Denied - Question/Help

    If a web app uses forms authentication and a specific aspx page has a role
    authorization, where should a browser be directed if a user is not in the
    role for that location?

    Background to my question:
    I'm using forms authentication on a web app, setting the ticket in
    code...also setting the role in the ticket. I then later set the
    context.user to a new generic principal which includes the roles from the
    ticket. This works fine and the user (me in this case) is authenticated.

    I placed role authorization on a specific location (aspx file) and when I'm
    in that role I correctly see the page. If I remove myself (or another
    tester) from the role for that page access is correctly denied, however the
    browser displays the message below instead of something like a 401 error.
    It seems I can't even use a custom 401 in the config to trap this.

    Is the message below what I should be getting? If so, can I trap to
    redirect? If not, what might be going on to cause this message?

    Thanks

    Brad

    Role setting example
    ================================================
    <location path="securepage.aspx">
      <system.web>
        <authorization>
          <allow roles="Manager"/>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>


    ================================================
    Browser display when access is denied.
    ================================================
    The page cannot be displayed
    The page you are looking for is currently unavailable. The Web site might be
    experiencing technical difficulties, or you may need to adjust your browser
    settings.



    Please try the following:
    Click the Refresh button, or try again later.

    If you typed the page address in the Address bar, make sure that it is
    spelled correctly.

    To check your connection settings, click the Tools menu, and then click
    Internet Options. On the Connections tab, click Settings. The settings
    should match those provided by your local area network (LAN) administrator
    or Internet service provider (ISP).
    If your Network Administrator has enabled it, Microsoft Windows can examine
    your network and automatically discover network connection settings.
    If you would like Windows to try and discover them,
    click Detect Network Settings
    Some sites require 128-bit connection security. Click the Help menu and then
    click About Internet Explorer to determine what strength security you have
    installed.
    If you are trying to reach a secure site, make sure your Security settings
    can support it. Click the Tools menu, and then click Internet Options. On
    the Advanced tab, scroll to the Security section and check settings for SSL
    2.0, SSL 3.0, TLS 1.0, PCT 1.0.
    Click the Back button to try another link.


    Cannot find server or DNS Error
    Internet Explorer
    =======================================


    Brad Guest

  3. #2

    RE: Forms Auth Redirect on Access Denied - Question/Help

    Hi Brad,

    You may set the custom error page in the <customErrors> element of web.config:

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/aaconcustomerrorselement.asp

    Hope this helps,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    MSFT Guest

  4. #3

    Re: Forms Auth Redirect on Access Denied - Question/Help

    Luke - As I mentioned, that's my problem and thus my question: I'm
    setting custom errors and it's not hitting any.
    Again, my question: if access is denied to a specific location (aspx), what
    result should IIS or .NET produce (what should the browser get)? And if
    custom errors is NOT trapping it, how can I trap it... or is something
    wrong going on? (Please review my original post again.)


    Brad

    "MSFT" <lukezhan@online.microsoft.com> wrote in message
    news:U4fhplAsDHA.3428@cpmsftngxa07.phx.gbl...
    > Hi Brad,
    >
    > You may set the custom error page in <customErrors> Element of web.config:
    >
    >
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/aaconcustomerrorselement.asp
    >
    > Hope this help,
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >

    Brad Guest

  5. #4

    Re: Forms Auth Redirect on Access Denied - Question/Help

    Hi Brad,

    Can you catch the error in the method Application_Error of global.asax? For
    more information about asp.net error handling, you may refer to:

    http://www.15seconds.com/issue/030102.htm

    Hope this helps,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    MSFT Guest

  6. #5

    Re: Forms Auth Redirect on Access Denied - Question/Help

    No. I have application error handling and it's not picking it up. Let me
    ask this another way: using the following example, what should a client
    expect to see and/or how does asp.net react if the client attempts to access
    securepage.aspx and they are NOT a member of the Manager role?

    <location path="securepage.aspx">
      <system.web>
        <authorization>
          <allow roles="Manager"/>
          <deny users="*" />
        </authorization>
      </system.web>
    </location>




    "MSFT" <lukezhan@online.microsoft.com> wrote in message
    news:LdGap5nsDHA.3644@cpmsftngxa07.phx.gbl...
    > Hi Brad,
    >
    > Can you catch the error in the method Application_Error of global.asax? For
    > more information about asp.net error handling, you may refer to:
    >
    > http://www.15seconds.com/issue/030102.htm
    >
    > Hope this help,
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >

    Brad Guest

  7. #6

    Re: Forms Auth Redirect on Access Denied - Question/Help

    Never mind, Luke. Seems that ASP.NET will just keep redirecting the user
    to the login page if they are not in the role... an error can't be trapped
    and the user really can't be redirected if the roles are used in the web
    config. Too bad... you'd think there would be a means to trap that access was
    denied. It just means I do forms auth in code on the page as I have been
    doing to date.


    "Brad" <nospam@co.lane.or.us> wrote in message
    news:Otq$ERqsDHA.2416@TK2MSFTNGP10.phx.gbl...
    > No. I have application error handling and it's not picking it up. Let me
    > ask this another way: using the following example, what should a client
    > expect to see and/or how does asp.net react if the client attempts to access
    > securepage.aspx and they are NOT a member of the Manager role?
    >
    > <location path="securepage.aspx">
    > <system.web>
    > <authorization>
    > <allow roles="Manager"/>
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    >
    >
    >
    >
    > "MSFT" <lukezhan@online.microsoft.com> wrote in message
    > news:LdGap5nsDHA.3644@cpmsftngxa07.phx.gbl...
    > > Hi Brad,
    > >
    > > Can you catch the error in the method Application_Error of global.asax? For
    > > more information about asp.net error handling, you may refer to:
    > >
    > > http://www.15seconds.com/issue/030102.htm
    > >
    > > Hope this help,
    > >
    > > Luke
    > > Microsoft Online Support
    > >
    > > Get Secure! www.microsoft.com/security
    > > (This posting is provided "AS IS", with no warranties, and confers no
    > > rights.)
    > >
    >
    >

    Brad Guest

  8. #7

    Re: Forms Auth Redirect on Access Denied - Question/Help

    Hi Brad,

    I think we may try another approach to achieve this. For example, in the form
    load of the security.aspx, check the user with the IsInRole method, then perform
    further processing or redirect to a special form.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    MSFT Guest
