G
gilly3
I'm coming across all kinds of frustration implementing custom errors in
ASP.NET 1.1.
First, 401 - Authorization Failed
My application uses Windows Integrated Authentication, and restricts
access to a single Windows User Group like this (in web.config):
<authorization>
<allow roles="Domain\UserGroup" />
<deny users="*" />
</authorization>
I used this to handle 401 errors:
<customErrors mode="On" defaultRedirect="/GeneralError.aspx">
<error statusCode="401" redirect="/AccessDenied.aspx" />
</customErrors>
That didn't work - I was presented with a logon box where I entered my
username and password 4 times. I was then taken to the ASP.NET default
401 error page. Note that it was NOT the page specified in IIS for my
website, nor was it the page specified in the web.config.
I hypothesized that perhaps first the authorization failed on the
requested page, so it redirected to AccessDenied.aspx and then
authorization failed on that page as well. So I debugged it and watched
Request.FilePath and AccessDenied.aspx was never called.
Just to be sure, I changed the redirect to an html page,
AccessDenied.htm. There was no change in behavior.
My workaround:
I got rid of the web.config authorization stuff and I put this in
Global.asax.cs:
void Application_AuthenticateRequest(Object sender, EventArgs e)
{
String AuthURL = "/AccessDenied.aspx";
if (!User.IsInRole("Domain\UserGroup")
&& Request.FilePath != AuthURL)
{
Server.Transfer(AuthURL);
}
}
Well, that works a treat, but what a hack! Isn't this what the
web.config settings should be doing anyway? Is there a better way of
doing it?
Next, A Global Error handler. It seems so silly to me that when using
the <customErrors> block in web.config, ASP.NET doesn't pass the
exception to the redirect page. Server.GetLastError() returns Null.
The documentation mentions storing the Exception in a Session variable
for use in the error page. So, I put this in global.asax.cs:
protected void Application_Error(Object sender, EventArgs e)
{
Exception ex = Server.GetLastError();
if (ex != null)
{
ex = ex.GetBaseException();
Session["lastErr"] = ex;
}
}
And in GeneralError.aspx.cs:
Exception ex = (Exception) Session["lastErr"];
if (ex != null)
errMsg.InnerHtml = ex.Message;
But Session["lastErr"] always returns null
So, now I've added Server.Transfer("/GeneralError.aspx") to
Application_Error. And that allows me to call Server.GetLastError() in
GeneralError.aspx. But now I can't use any custom errors in the
<customErrors> node. Adding this:
<error statusCode="404" redirect="/NotFound.htm" />
has no effect.
So, is there a better way of passing the exception to GeneralError.aspx
without doing a Server.Transfer so that I can still use my custom
errors? If not, what's the best way to check for a 404 in
Application_Error?
I'm sure I can work around all these things, but I find myself
contstantly thinking, "There must be a better way" and "Surely, I'm not
the first person to have these issues". Any feedback is appreciated.
thanks
-ivan.
ASP.NET 1.1.
First, 401 - Authorization Failed
My application uses Windows Integrated Authentication, and restricts
access to a single Windows User Group like this (in web.config):
<authorization>
<allow roles="Domain\UserGroup" />
<deny users="*" />
</authorization>
I used this to handle 401 errors:
<customErrors mode="On" defaultRedirect="/GeneralError.aspx">
<error statusCode="401" redirect="/AccessDenied.aspx" />
</customErrors>
That didn't work - I was presented with a logon box where I entered my
username and password 4 times. I was then taken to the ASP.NET default
401 error page. Note that it was NOT the page specified in IIS for my
website, nor was it the page specified in the web.config.
I hypothesized that perhaps first the authorization failed on the
requested page, so it redirected to AccessDenied.aspx and then
authorization failed on that page as well. So I debugged it and watched
Request.FilePath and AccessDenied.aspx was never called.
Just to be sure, I changed the redirect to an html page,
AccessDenied.htm. There was no change in behavior.
My workaround:
I got rid of the web.config authorization stuff and I put this in
Global.asax.cs:
void Application_AuthenticateRequest(Object sender, EventArgs e)
{
String AuthURL = "/AccessDenied.aspx";
if (!User.IsInRole("Domain\UserGroup")
&& Request.FilePath != AuthURL)
{
Server.Transfer(AuthURL);
}
}
Well, that works a treat, but what a hack! Isn't this what the
web.config settings should be doing anyway? Is there a better way of
doing it?
Next, A Global Error handler. It seems so silly to me that when using
the <customErrors> block in web.config, ASP.NET doesn't pass the
exception to the redirect page. Server.GetLastError() returns Null.
The documentation mentions storing the Exception in a Session variable
for use in the error page. So, I put this in global.asax.cs:
protected void Application_Error(Object sender, EventArgs e)
{
Exception ex = Server.GetLastError();
if (ex != null)
{
ex = ex.GetBaseException();
Session["lastErr"] = ex;
}
}
And in GeneralError.aspx.cs:
Exception ex = (Exception) Session["lastErr"];
if (ex != null)
errMsg.InnerHtml = ex.Message;
But Session["lastErr"] always returns null
So, now I've added Server.Transfer("/GeneralError.aspx") to
Application_Error. And that allows me to call Server.GetLastError() in
GeneralError.aspx. But now I can't use any custom errors in the
<customErrors> node. Adding this:
<error statusCode="404" redirect="/NotFound.htm" />
has no effect.
So, is there a better way of passing the exception to GeneralError.aspx
without doing a Server.Transfer so that I can still use my custom
errors? If not, what's the best way to check for a 404 in
Application_Error?
I'm sure I can work around all these things, but I find myself
contstantly thinking, "There must be a better way" and "Surely, I'm not
the first person to have these issues". Any feedback is appreciated.
thanks
-ivan.