Can't get access with some role logins - on IIS 6 only


David Thielen

Hi;

This is turning into a major PITA. Someone is in the admin part of our web
app and they log out to log in back in without admin privileges (least
privileges). They enter their uname/pw and what happens???

It tries to go back to the page they were last on - which is almost always
an admin-only page. They are not allowed there and so are kicked to the
login page. And we get reports that our permissions are broken.

How can I set it so if a user is logged in but not allowed on a page, it
redirects to default.aspx instead? This is a major usability issue.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm
 

Dominick Baier

You can write a module to handle EndRequest and check for a combination
of a 401 status code and whether the user is authenticated or not.

The problem is that FormsAuthentication will convert the 401 to a 302 to
the login page. That means that you have to modify the <httpModules> section
to make your module get called first (the order of that list decides in which
order modules are called that subscribe to the same event).
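The module Dominick describes, written out as an added C# example (not code from either poster): it keys on the 401 that UrlAuthorizationModule sets plus an already-authenticated user, so anonymous visitors still get the normal login redirect and the authorization denial itself is unchanged. The class name is hypothetical; ~/default.aspx is the page named in the thread, and the module must be listed before the built-in FormsAuthentication module in <httpModules> for its EndRequest handler to run first.

```csharp
using System;
using System.Web;

// Hypothetical module name. Register it in web.config ahead of the built-in
// FormsAuthentication module, e.g. after a <clear/> in <httpModules>, or by
// <remove name="FormsAuthentication"/>, <add name="AuthorizedUserRedirect" .../>,
// then <add name="FormsAuthentication" .../> again in that order.
public class AuthorizedUserRedirectModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // A 401 at EndRequest means URL/file authorization denied the request.
        if (ctx.Response.StatusCode != 401)
            return;

        // Only a user who is already logged in gets the friendlier redirect;
        // anonymous users fall through so FormsAuthentication still sends
        // them to the login page as before.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        string home = VirtualPathUtility.ToAbsolute("~/default.aspx");

        // Guard against a redirect loop if default.aspx is ever denied too.
        if (string.Equals(ctx.Request.Path, home, StringComparison.OrdinalIgnoreCase))
            return;

        // Replace the 401 with a 302 to the default page. FormsAuthentication's
        // own EndRequest handler then sees a 302, not a 401, and leaves it alone.
        ctx.Response.Redirect(home, false);
    }

    public void Dispose() { }
}
```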
 

Steven Cheng[MSFT]

Thanks for Dominick's input.

Hi Dave,

Using a custom httpmodule and changing the response status may make it a bit
complex. My concern here is why your user would be redirected to the login
page after he logs in the second time (with a non-admin account). He is trying
to request an admin-only page, correct? If this is the case, I think it is
reasonable to redirect him to the login page since a non-admin user should
not request an admin-only page.

Actually, after the login control correctly validates the user, it will call
FormsAuthentication.GetRedirectUrl to get the url which it will redirect the
user toward later. So for your scenario, when a non-admin user originally
requests an admin-only page and is redirected to the login page, he will go
through the following steps:

1. The first time he goes to the login page, Context.User.Identity.IsAuthenticated
== false (because he hasn't logged in)

2. After login, the login control automatically redirects the user to the
originally requested page

3. Since this page is admin-only, the user is redirected to the login page
again. However, this time Context.User.Identity.IsAuthenticated ==
true (because he has already logged in, but hasn't sufficient permission)

Then, we can find that what we can do is check
Context.User.Identity.IsAuthenticated to determine whether the current
login redirect is due to being unauthenticated or to lack of permission. If the
user is already authenticated, you can manually redirect him to the default
page instead. You can do this in the login control's "OnLoggedIn" event,
e.g.

===================
protected void Login1_LoggedIn(object sender, EventArgs e)
{
    if (User.Identity.IsAuthenticated)
    {
        Response.Redirect(ResolveUrl("~/default.aspx"));
    }
}
=====================

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead






This posting is provided "AS IS" with no warranties, and confers no rights.
 

David Thielen

Major problem - the user is not authenticated when that event handler is
called. It should be - but it isn't.

However, the following works great:

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Will come here if logged in but went to a page not allowed on.
        // In that case go to default.
        if (User.Identity.IsAuthenticated &&
            PortalRole.IsInRole(PortalRole.ROLES.USER))
            Response.Redirect(ResolveUrl("~/default.aspx"));
    }
}


--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm
 

Steven Cheng[MSFT]

Thanks for the additional followup and sharing your new solution.

Good luck:)

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

 