401 with Forms Authentication and Roles

Discussion in 'ASP .Net Security' started by Chuck P, Aug 9, 2007.

  1. Chuck P

    Chuck P Guest

    In asp.net 2.0 with forms authentication and roles it appears that if a user
    is authenticated but puts in a url where he is not authorized, forms
    authentication redirects him to the logon page. Is there a way where if a
    user is authenticated but not authorized I could redirect him to a user
    friendly page?
    Is there a way to identify that the user was redirected to the logon page?
    Chuck P, Aug 9, 2007
    #1

  2. csharper

    csharper Guest

    "Chuck P" wrote:

    > In asp.net 2.0 with forms authentication and roles it appears that if a user
    > is authenticated but puts in a url where he is not authorized, forms
    > authentication redirects him to the logon page. Is there a way where if a
    > user is authenticated but not authorized I could redirect him to a user
    > friendly page?
    > Is there a way to identify that the user was redirected to the logon page?


    If you have the same user control on every page, then you can write code
    that compares the called URL (Request.Url.AbsolutePath) with the
    authorizations of the current user and, according to the result of the
    comparison, redirect him/her to a user friendly page.
    csharper, Aug 9, 2007
    #2

  3. Hi Chuck,

    From your description, you're using forms authentication to secure your
    ASP.NET web application and are wondering how to redirect those
    unauthorized (but authenticated) users to a custom page (other than
    login.aspx), correct?

    As for this request, I've also met someone else raising this question.
    Actually, we can use some code to detect whether the user is an
    anonymous (unauthenticated) user or an authenticated but unauthorized (does not
    have sufficient permission) one. Here is a code snippet demonstrating this:

    ====in your login.aspx page=======

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Context.User.Identity.IsAuthenticated)
        {
            // this is an authenticated but unauthorized user
            // redirect it to a friendly page
        }
    }

    =====================

    For the custom friendly page, you need to also mark its "authorization"
    setting as allow all authenticated user access, e.g.


    ====allow authenticated user to access that friendly page=======

    <location path="friendlyUnauthorizedpage.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>

    =============

    Hope this helps you. If you have any further questions, please feel free to
    let me know.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead





    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Aug 10, 2007
    #3
  4. Chuck P

    Chuck P Guest

    That's what I was doing, but if a previously authenticated user just goes
    to the login page (e.g., to log out or change to a different user), they get
    the Unauthorized message.
    Chuck P, Aug 10, 2007
    #4
  5. Thanks for your reply Chuck,

    Good question. This is indeed a problem when an authenticated user wants to
    visit the login page (rather than be redirected there). My suggestion is to
    use the "ReturnUrl" querystring parameter to determine whether the request
    is due to an unauthorized redirection (since ASP.NET forms authentication
    will append the "ReturnUrl" querystring parameter for unauthorized
    redirection requests). What do you think?

    Please feel free to let me know if you have any other consideration or
    ideas on this.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Aug 13, 2007
    #5
  6. Chuck P

    Chuck P Guest

    thanks,
    I tried looking at the Global.asax:

    protected void Application_EndRequest(object sender, EventArgs e)
    {
        if (Response.StatusCode == 401 && Request.IsAuthenticated)
        {
            Response.ClearContent();
            Server.Execute(FormsAuthentication.LoginUrl +
                @"\NotAuthorized.aspx", false);
        }
    }

    void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError().GetBaseException();

        if (ex.GetType() ==
            Type.GetType("System.UnauthorizedAccessException"))
        {
            Server.ClearError();
            Response.Redirect("unauthorized.htm");
        }
    }

    Neither of these worked. I guess the FormsAuthentication HttpModule is
    doing something or these are more like ACL/OS events. Is the code to the
    FormsAuthentication Module available? I'd love to change a few things.

    Could I do something with an HTTP Module?
    Chuck P, Aug 13, 2007
    #6
  7. Chuck P

    Chuck P Guest

    I think I got it:


    protected void Application_EndRequest(object sender, EventArgs e)
    {
        // Normally you would look for a 401 Access denied. However forms
        // authentication intercepts the 401 and gives you a 302 redirect.
        // So if you're authenticated but getting redirected, it's because
        // you're not authorized.
        if (Request.IsAuthenticated && Response.StatusCode == 302 &&
            Response.RedirectLocation.StartsWith(FormsAuthentication.LoginUrl))
        {
            Response.Redirect(FormsAuthentication.LoginUrl.ToUpper().Replace("LOGIN.ASPX", "NotAuthorized.aspx"), true);
        }
    }
    Chuck P, Aug 13, 2007
    #7
  8. Thanks for your further reply Chuck,

    So your current implementation is using the "Application_EndRequest" event
    and checks both the "IsAuthenticated" property and the Response's StatusCode to
    determine the user's authorization status.

    Actually, my suggestion in the previous reply is to put the code logic directly
    in the login page's Page_Load event (since any unauthorized users are always
    expected to be redirected to the login page first). You can check
    "User.IsAuthenticated" and Request.QueryString["ReturnUrl"] there to
    determine whether the current user is an authenticated user and whether he was
    redirected to the login page because of access denied (rather than manually
    navigating to the login page).

    Here is a test code snippet that also works in my test application:

    >>>>>>>>>>>>>>>>>>>>>>

    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication appends ReturnUrl only when it redirects here,
        // so an authenticated user carrying it was refused by authorization.
        if (Context.User.Identity.IsAuthenticated == true &&
            Request.QueryString["ReturnUrl"] != null)
        {
            Server.Transfer("~/AccessDeniedPage.aspx");
        }
    }
    ...................
    <<<<<<<<<<<<<<<<<<<<<<

    One good point of using the login page is that it won't perform the check for
    each ASP.NET request (like an Application_XX event or HttpModule does).

    Hope this also helps.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Aug 14, 2007
    #8
  9. Chuck P

    Chuck P Guest

    Would be nice to keep it all in the logon. However, if you go to the login
    page after being authenticated, say to change the logged in user to a
    different user, you would also get redirected.
    Chuck P, Aug 19, 2007
    #9
  10. Thanks for your followup Chuck,

    As for the following question you mentioned:

    ===========
    Say to change the logged in user to a
    different user, you would also get redirected.
    ===========

    In my login page, I can use "Request.QueryString["ReturnUrl"] != null" to
    detect whether it is visited due to being unauthorized; therefore, if you
    manually or intentionally visit the login page (there is no such
    querystring item), it won't automatically redirect you, does it?

    >>>>>>>>>>>>>>>>>>>>>>

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only the redirect performed by forms authentication carries ReturnUrl;
        // a user who typed the login URL to switch accounts has none and is not moved.
        if (Context.User.Identity.IsAuthenticated == true &&
            Request.QueryString["ReturnUrl"] != null)
        {
            Server.Transfer("~/AccessDeniedPage.aspx");
        }
    }
    ..................
    <<<<<<<<<<<<<<<<<<<<<<

    Anyway, glad that you've got it working and thanks for sharing your
    experience.

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Steven Cheng[MSFT], Aug 20, 2007
    #10
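An added example, not code from the thread or from Microsoft: the EndRequest check from Chuck's post #7 packaged as a reusable IHttpModule (the HTTP module he asked about in #6), combined with Steven's ReturnUrl marker so that a deliberate visit to the login page is left alone. The class name, the "~/AccessDenied.aspx" path and the web.config registration line are assumptions; the friendly page itself still needs the `<deny users="?"/>` location block shown in #3.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Register after the built-in modules (the default when added in web.config):
// <httpModules><add name="AccessDenied" type="AccessDeniedModule"/></httpModules>
// Forms authentication turns the 401 from UrlAuthorizationModule into a 302 to
// the login page with a ReturnUrl, so an authenticated caller being sent there
// can only mean "not authorized"; this module rewrites that redirect.
public class AccessDeniedModule : IHttpModule
{
    // Assumed path; the page must allow authenticated users or this loops back to login.
    private const string DeniedPage = "~/AccessDenied.aspx";

    public void Init(HttpApplication app) { app.EndRequest += OnEndRequest; }
    public void Dispose() { }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpResponse resp = ctx.Response;
        if (!ctx.Request.IsAuthenticated || resp.StatusCode != 302 ||
            string.IsNullOrEmpty(resp.RedirectLocation))
            return;

        // Split the pending redirect into path and query and compare the path to
        // the configured login page case-insensitively (instead of ToUpper().Replace()).
        string location = resp.RedirectLocation;
        int q = location.IndexOf('?');
        string path = q < 0 ? location : location.Substring(0, q);
        string query = q < 0 ? "" : location.Substring(q + 1);
        if (!string.Equals(path, FormsAuthentication.LoginUrl, StringComparison.OrdinalIgnoreCase))
            return;

        // Only the forms-auth redirect carries ReturnUrl; a user who typed the
        // login URL to switch accounts has no such parameter and is not touched.
        string returnUrl = HttpUtility.ParseQueryString(query)["ReturnUrl"];
        if (returnUrl == null)
            return;

        // Pass the refused path on for display only when it is site-local, so the
        // friendly page cannot be used as an open redirect through ReturnUrl.
        string denied = VirtualPathUtility.ToAbsolute(DeniedPage);
        if (IsLocalPath(returnUrl))
            denied += "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        resp.Redirect(denied, false); // replaces the pending 302, no ThreadAbortException
    }

    // Accepts "/app/page.aspx" but rejects "//host/x" and "/\host/x" forms.
    private static bool IsLocalPath(string url)
    {
        return url.Length > 0 && url[0] == '/' &&
               (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }
}
```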