request page I can't have -> goes to login - ASP.NET Security

  1. #1

    request page I can't have -> goes to login

    Hi;

    Ok, I have role restriction working for pages - thank you everyone.

    I have two follow-on questions:

    I want to require a role for access to all pages except 3 specific ones if a
    user does not have a specific role. Is there a way to do this other than
    listing out each other page as a location? (I'm afraid we will add a page and
    forget to add it to the list in Web.Config.)

    If a user goes to a page that they are not allowed to view, it sends them to
    login.aspx. I think it would be better to send them to a page that says they
    are not allowed on the page they wanted. Or send them to default.aspx. Is
    there a way to do this?

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    David Guest

  2. #2

    Re: request page I can't have -> goes to login

    You can also programmatically set HttpContext.SkipAuthorization to true
    based on a specific request URL.

    However, you might be better off doing what you need to do declaratively in
    config. Programmatic path parsing has its own set of canonicalization
    attacks you have to be careful with. It is a balancing act, as you also run
    a risk of having an overly complex config file as well that could be hard to
    maintain or that your customers may be tempted to muck with.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    Joe Guest

  3. #3

    RE: request page I can't have -> goes to login

    Hello Dave,

    As for your scenario where there are some particular pages which have
    different authorization requirements from the other ones, I think we'll
    still have to use the <location> element or group those particular pages
    into a single sub directory in the application.

    As for the redirecting to login page behavior you mentioned, it is the
    fixed behavior of ASP.NET forms authentication and unauthorized user
    request will always be redirected to the login page. However, you can
    customize the login page's Url through the <forms > configuration element's
    "loginUrl" attribute:

    #forms Element for authentication (ASP.NET Settings Schema)
    http://msdn2.microsoft.com/en-us/library/1d3t3c61.aspx

    Therefore, you can edit this attribute to your own "login" page, and put
    your own customized UI in that page. e.g.

    =============
    <authentication mode="Forms">
      <forms loginUrl="MyUnauthorizedPage.aspx">
      </forms>
    </authentication>
    =====================

    Hope this helps.

    Regards,

    Steven Cheng
    Microsoft Online Community Support


    ==================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    ==================================================


    This posting is provided "AS IS" with no warranties, and confers no rights.



    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)



    Steven Guest
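
An added example, not part of the original thread, of the `<location>` approach from post #3 arranged so that a newly added page is restricted by default and only the three exceptions are listed. The role name `Staff` and the three page names are hypothetical, and it assumes the three open pages still require a login.

```xml
<!-- Constructed web.config: "Staff" and the page names are placeholders. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" />
    </authentication>

    <!-- Site-wide default. Rules are read top to bottom and the first match
         wins, so anyone outside the role falls through to the deny rule.
         A page added later is covered without touching this file. -->
    <authorization>
      <allow roles="Staff" />
      <deny users="*" />
    </authorization>
  </system.web>

  <!-- Exceptions: the only pages open to logged-in users without the role.
       "?" is the anonymous user, so a login is still required. -->
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Profile.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Help.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Forgetting to list a page here leaves it restricted rather than exposed, which is the safer direction for the mistake Dave is worried about.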

  4. #4

    RE: request page I can't have -> goes to login

    Hi;

    The problem with that approach is it takes you to that page if they are not
    logged in also - and in that case I do want them on the login page.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    David Guest

  5. #5

    RE: request page I can't have -> goes to login

    Thanks for the response Dave,

    As for the below point you mentioned:
    ==========
    The problem with that approach is it takes you to that page if they are not
    logged in also - and in that case I do want them on the login page.
    ==========

    I still think it is because the user is unauthorized (rather than
    unauthenticated or not logged in), because it is because the page is
    protected from anonymous users (and the user hasn't logged in, so hasn't
    any roles or user identity) that the user is redirected to the login page.
    So the login page always accepts unauthorized redirected requests (except
    when we explicitly visit it). My suggestion on this is that you can
    dynamically determine whether this is an unauthorized redirection request
    by looking for the "ReturnUrl" querystring in the request. This is because
    when an unauthorized user is redirected to the login page, forms
    authentication will always append a "ReturnUrl" querystring, so that it
    can redirect the user back to the target resource (after logging in). e.g.

    http://localhost/IISTestSite/login.aspx?ReturnUrl=%2fIISTestSite%2fWSEAdmins%2fDefault.aspx

    You can display different UI according to this querystring in your login
    page or even redirect it to your custom error page...

    Regards,

    Steven Cheng
    Microsoft Online Community Support



    Steven Guest
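
An added example, not part of the original thread, of the "ReturnUrl" check from post #5 in the login page's code-behind. It goes one step beyond the post by also testing `Request.IsAuthenticated`, so that a logged-in user who lacks the role is sent to a denial page while an anonymous visitor still sees the login form (the case raised in post #4). The class name `Login` and the page `AccessDenied.aspx` are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind for login.aspx (class and page names are assumptions).
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication appends ReturnUrl when it redirects a
        // rejected request here; a direct visit to login.aspx has none.
        string returnUrl = Request.QueryString["ReturnUrl"];
        bool redirectedHere = !string.IsNullOrEmpty(returnUrl);

        // Already logged in and still bounced to the login page: the user
        // is authenticated but the authorization rules refused the page.
        if (redirectedHere && Request.IsAuthenticated)
        {
            // AccessDenied.aspx must be allowed for every authenticated
            // user in web.config, otherwise this redirect loops back here.
            // The target is a fixed path: ReturnUrl is attacker-controllable
            // input and is never used as a redirect destination or echoed.
            Response.Redirect("~/AccessDenied.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Anonymous visitor (with or without ReturnUrl): fall through and
        // render the normal login form.
    }
}
```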
