ranganh #1
RE: FormsAuthentication - how to specify redirect page for disallowed
Dear Shaun,
What you can do is, on the page_load event of the pages which have only 'admin' privileges (or whatever high privilege you give only for authorized users), you can check if the User Is In Role and redirect them to your custom page.
if (!User.IsInRole("admin"))
{
    // Not in the required role: send the user to the custom page
    Response.Redirect("Notauthorized.aspx");
}
That would help you in achieving your requirement.
Hope it helps.
"Shaun" wrote:
> I want to use asp.net forms authentication to control access to various parts of a site. Users subscribe to different content areas and are then assigned into the appropriate roles which are specified in the web.config for the content area (each content area is in separate folder with its own web.config).
>
> Login, storing and reading back the roles for the user is no problem (many resources on the web for that).
>
> What I am having trouble with is working out how (or even if - though I would have thought it possible somehow) it is possible to have a custom page shown telling the user they are not authorized to access the content requested - the default behaviour seems to be redirecting back to the login/home page.
>
> To achieve this I was thinking that perhaps an HttpModule handling the AuthorizeRequest event could be used, however what I need to be able to do is read the list of allowed roles for the request. I guess it would be possible to read back up through the path to the content and find the first web.config file then read the xml. Surely there must be an easier way to achieve this with all the File/Folder access this method would require.
>
> The end result should be that when a user tries to access content that their roles do not allow, a custom page telling them this is the case is shown.
>
> Can anyone out there help as I've trawled the web for a long time now and not got an answer (and very mixed views from others).
>
> Thanks,
>
> --------------------------
> Shaun Venus
>
> emailid: sunevnuahs
> domain: hotmail.com
> --------------------------
-
Shaun #2
RE: FormsAuthentication - how to specify redirect page for disallo
What I have is a site that gets syndicated by a CMS, the site contains around 60,000 pages of content in hundreds of different subscription packages. The syndication process builds HTML pages that are named as .aspx so that they fall under the asp.net forms authentication security model - there is no code in or behind them.
Doing as you say with the page_load would indeed accomplish this, however I do not want to have hardcoded package (role) information in pages as they may be subject to change - this is why I am using roles and setting access in web.config files across the site.
Using web.config and denying access results in the default redirect - it is this behaviour that I want to change site wide without having to code each page.
I have tried writing an HttpModule that locates the appropriate web.config and performs the role checks itself. This works fine, but I now need to make the redirect work from one of the other events (I guess).
--------------------------
Shaun Venus
emailid: sunevnuahs
domain: hotmail.com
--------------------------
-
Shaun #3
RE: FormsAuthentication - how to specify redirect page for disallo
I think I was perhaps a little light on the explanation as to what I am trying to do.
The site I am working with has over 50,000 pages of content that are syndicated from a CMS. The CMS can create pages of many types such as htm, asp, aspx etc. This site is an asp.net site and so the pages are created as .aspx files, but have no .net code in them or any code behind – they just sit on the site and as aspx pages fall under the forms authentication security used on the site.
The site's content is broken down into areas which users can subscribe to. It is this that raises the requirement for different folders being marked as part of different subscriptions – hence using the role functionality of web.config and forms authentication to achieve it (but with the problem explained earlier).
I have written code for an HttpModule that finds the relevant web.config and reads the authorization section to get the list of allowed roles – this all works fine. What I now need to do is remember this and redirect the user in the appropriate event. If this works I may have cracked it, otherwise it’s back to square one!
So, any suggestions are very welcome to help me overcome this.
--------------------------
Shaun Venus
emailid: sunevnuahs
domain: hotmail.com
--------------------------
-
Shaun #5
RE: FormsAuthentication - how to specify redirect page for disallo
I think I was perhaps a little light on the explanation as to what I am trying to do.
The site I am working with has over 50,000 pages of content that are syndicated from a CMS. The CMS can create pages of many types such as htm, asp, aspx etc. This site is an asp.net site and so the pages are created as .aspx files, but have no .net code in them or any code behind – they just sit on the site and as aspx pages fall under the forms authentication security used on the site.
The site's content is broken down into areas which users can subscribe to. It is this that raises the requirement for different folders being marked as part of different subscriptions – hence using the role functionality of web.config and forms authentication to achieve it (but with the problem explained earlier).
I have written code for an HttpModule that finds the relevant web.config and reads the authorization section to get the list of allowed roles – this all works fine. This is done in the Module by handling AuthorizeRequest. If I find the user is denied access to the content then the request is redirected using the HttpApplication.Context.Current.RewritePath method.
Sorted. But why could this not be an option in the web.config to save all this work?
--------------------------
Shaun Venus
emailid: sunevnuahs
domain: hotmail.com
--------------------------
-
ranganh #6
RE: FormsAuthentication - how to specify redirect page for disallo
Ok Shaun,
Do it this way. Even though you have lots of pages, you will have only a single login page right?
In the Login page's page_load event, you can check if the User is Authenticated. Well if he is authenticated that means he has tried to access some authorized page, so you can redirect him to Your custom page which says you are not authorized to view this page.
Sounds good?
-
ranganh #7
RE: FormsAuthentication - how to specify redirect page for disallo
Dear Shaun,
Check the ReturnUrl parameter. You can check if Request.QueryString["ReturnUrl"] is not null and then check if User.Identity.IsAuthenticated and then redirect him to your Custom Page.
If the user goes back to login page on his own, the ReturnUrl parameter won't come and hence he won't be redirected.
Well, this is just a solution for your problem since MS hasn't provided any custom authorization redirection technique as of now.
But, the above logic should work good. Let's hope for some better enhancements in 2.0.
Thanks.
"Shaun" wrote:
> What about when a user goes back to the login page somehow - this would not be right, ie he should be pushed to the homepage rather than a 'this page is not included in your subscription' page.
>
> S
>
> --------------------------
> Shaun Venus
>
> emailid: sunevnuahs
> domain: hotmail.com
> --------------------------
-
Shaun #8
RE: FormsAuthentication - how to specify redirect page for disallo
That would indeed allow me to show the required page, however what I want to do is see which roles were allowed for that page and what the user has (as these dictate the subscriptions to portions of the site) so that we can tell them what they need to add to their subscription if they want to view that content.
This is why I'm having to write an HttpModule for it.
I have come up with a tool to allow admin staff to scan a site and build an xml file that describes the site based upon the roles in the web.config files scattered around the site. This xml can then be edited and the tool will write back web.config files around the site. The xml is then cached by the application to work out which roles are allowed for the different areas of the site - to save having to read the web.config files at request time, saving lots of I/O etc.
With this I can work out why the user was not allowed access and tell them the detail I want to.
I also hope that MS will see the light on this matter and make the request's authorization settings available to code.
Shaun
--------------------------
Shaun Venus
emailid: sunevnuahs
domain: hotmail.com
--------------------------
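The module approach described in posts #5 and #8, written out as an added example (not the poster's code, which is not shown in the thread): an AuthorizeRequest handler looks up the allowed roles for the requested folder in a cached map and, for a signed-in user who holds none of them, serves a custom page through RewritePath. The role map contents, the `Items` keys and the class name are assumptions; the page name is the one used in post #1, and the code assumes ASP.NET 2.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

// Added example: site-wide "not subscribed" page without code in the content pages.
public sealed class SubscriptionAuthorizationModule : IHttpModule
{
    // Page name taken from post #1; its location at the site root is an assumption.
    private const string DeniedPage = "~/Notauthorized.aspx";

    // Constructed sample data standing in for the cached XML description of the
    // site from post #8: app-relative folder -> roles allowed to read it.
    // Keys compare case-insensitively so /News and /news hit the same rule.
    private static readonly Dictionary<string, string[]> FolderRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/news",         new[] { "news", "premium" } },
            { "~/news/archive", new[] { "premium" } },
            { "~/reports",      new[] { "reports" } },
        };

    public enum Decision { Allow, Login, Denied }

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    // Walks up from the requested file to the nearest mapped folder, the way the
    // nearest web.config wins. Matching whole folder names means a rule for
    // ~/news never applies to ~/newsletter. Returns null when nothing matches.
    public static string[] RolesFor(string appRelativePath)
    {
        string folder = appRelativePath;
        int slash;
        while ((slash = folder.LastIndexOf('/')) > 0)
        {
            folder = folder.Substring(0, slash);
            string[] roles;
            if (FolderRoles.TryGetValue(folder, out roles)) return roles;
        }
        return null;
    }

    // Pure decision function, kept separate from the pipeline so it can be unit tested.
    public static Decision Evaluate(string appRelativePath, IPrincipal user, out string[] required)
    {
        required = RolesFor(appRelativePath);
        if (required == null) return Decision.Allow;   // assumption: unmapped content is public
        if (user == null || !user.Identity.IsAuthenticated) return Decision.Login;
        foreach (string role in required)
        {
            if (user.IsInRole(role)) return Decision.Allow;
        }
        return Decision.Denied;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        string path = context.Request.AppRelativeCurrentExecutionFilePath;

        string[] required;
        switch (Evaluate(path, context.User, out required))
        {
            case Decision.Login:
                // Anonymous user: answer 401 and end the request so forms
                // authentication turns it into the usual login redirect.
                context.Response.StatusCode = 401;
                context.ApplicationInstance.CompleteRequest();
                break;

            case Decision.Denied:
                // Signed in but not subscribed: pass the details to the custom
                // page, keep the denial out of caches, and serve that page
                // instead of the protected content.
                context.Items["RequiredRoles"] = required;
                context.Items["DeniedPath"] = path;
                context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
                context.RewritePath(VirtualPathUtility.ToAbsolute(DeniedPage));
                break;
        }
    }
}
```

Register the module under `<httpModules>` in the root web.config. The custom page can read `Context.Items["RequiredRoles"]` to tell the user which subscription is missing, HTML-encoding anything it echoes from `DeniedPath`.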

