Forms Auth Redirect on Access Denied - Question/Help

Discussion in 'ASP .Net Security' started by Brad, Nov 21, 2003.

  1. Brad

    Brad Guest

    If a web app uses forms authentication and a specific aspx page has a role
    authorization, where should a browser be directed if a user is not in the
    role for that location?

    Background to my question:
    I'm using forms authentication on a web app, setting the ticket in
    code...also setting the role in the ticket. I then later set the
    context.user to a new generic principal which includes the roles from the
    ticket. This works fine and the user (me in this case) is authenticated.

    I placed role authorization on a specific location (aspx file) and when I'm
    in that role I correctly see the page. If I remove myself (or another
    tester) from the role for that page access is correctly denied, however the
    browser is displays the message below instead of something like a 401 error.
    It seems I can't even use a custom 401 in the config to trap this.

    Is the message below what I should be getting? If so, can I trap to
    redirect? If not, what might be going on to cause this message?

    Thanks

    Brad

    Role setting example
    ================================================
    <location path="securepage.aspx">
    <system.web>
    <authorization>
    <allow roles="Manager"/>
    <deny users="*" />
    </authorization>
    </system.web>
    </location>


    ================================================
    Browser display when access is denied.
    ================================================
    The page cannot be displayed
    The page you are looking for is currently unavailable. The Web site might be
    experiencing technical difficulties, or you may need to adjust your browser
    settings.



    Please try the following:
    Click the Refresh button, or try again later.

    If you typed the page address in the Address bar, make sure that it is
    spelled correctly.

    To check your connection settings, click the Tools menu, and then click
    Internet Options. On the Connections tab, click Settings. The settings
    should match those provided by your local area network (LAN) administrator
    or Internet service provider (ISP).
    If your Network Administrator has enabled it, Microsoft Windows can examine
    your network and automatically discover network connection settings.
    If you would like Windows to try and discover them,
    click Detect Network Settings
    Some sites require 128-bit connection security. Click the Help menu and then
    click About Internet Explorer to determine what strength security you have
    installed.
    If you are trying to reach a secure site, make sure your Security settings
    can support it. Click the Tools menu, and then click Internet Options. On
    the Advanced tab, scroll to the Security section and check settings for SSL
    2.0, SSL 3.0, TLS 1.0, PCT 1.0.
    Click the Back button to try another link.


    Cannot find server or DNS Error
    Internet Explorer
    =======================================
    Brad, Nov 21, 2003
    #1
    1. Advertising

  2. Brad

    MSFT Guest

    MSFT, Nov 21, 2003
    #2
    1. Advertising

  3. Brad

    Brad Guest

    Luke - As I mentioned, that's my problem and thus my question: I'm
    setting custom errors and it's not hitting any.
    Again my question. If access is denied to a specific location (aspx) what
    result should IIS or .Net product (what should the browser get) And if
    customer error s is NOT trapping it how can I trap it...or is something
    wrong going on. (please review my original post again).


    Brad

    "MSFT" <> wrote in message
    news:...
    > Hi Brad,
    >
    > You may set the custom error page in <customErrors> Element of web.config:
    >
    >

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
    > ol/windowsserver2003/proddocs/standard/aaconcustomerrorselement.asp
    >
    > Hope this help,
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    Brad, Nov 21, 2003
    #3
  4. Brad

    MSFT Guest

    Hi Brad,

    Can you catch the error in the method Application_Error of global.asax? For
    more information about asp.net error handling, you may refer to:

    http://www.15seconds.com/issue/030102.htm

    Hope this help,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Nov 24, 2003
    #4
  5. Brad

    Brad Guest

    No. I have applicaiton error handling and it's not picking it up. Let me
    ask this another way: Using the following example what should a client
    expect to see and/or how does asp.net react if the client attempts to access
    securepage.aspx and they NOT a memeber of the Manager Role.

    <location path="securepage.aspx">
    <system.web>
    <authorization>
    <allow roles="Manager"/>
    <deny users="*" />
    </authorization>
    </system.web>
    </location>




    "MSFT" <> wrote in message
    news:...
    > Hi Brad,
    >
    > Can you catch the error in the method Application_Error of global.asax?

    For
    > more information about asp.net error handling, you may refer to:
    >
    > http://www.15seconds.com/issue/030102.htm
    >
    > Hope this help,
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    Brad, Nov 24, 2003
    #5
  6. Brad

    Brad Guest

    Never mind, Luke. Seems that ASP.NET will just keep redirecting the user
    to the login page is they are not in the role....an error can't be trapped
    and user really can't be redirected if the roles are using in the web
    config. To bad...you'd think their would be a means to trap that access was
    denied. It just means I do forms auth in code on the page as I have been
    doing to date.


    "Brad" <> wrote in message
    news:Otq$...
    > No. I have applicaiton error handling and it's not picking it up. Let me
    > ask this another way: Using the following example what should a client
    > expect to see and/or how does asp.net react if the client attempts to

    access
    > securepage.aspx and they NOT a memeber of the Manager Role.
    >
    > <location path="securepage.aspx">
    > <system.web>
    > <authorization>
    > <allow roles="Manager"/>
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    >
    >
    >
    >
    > "MSFT" <> wrote in message
    > news:...
    > > Hi Brad,
    > >
    > > Can you catch the error in the method Application_Error of global.asax?

    > For
    > > more information about asp.net error handling, you may refer to:
    > >
    > > http://www.15seconds.com/issue/030102.htm
    > >
    > > Hope this help,
    > >
    > > Luke
    > > Microsoft Online Support
    > >
    > > Get Secure! www.microsoft.com/security
    > > (This posting is provided "AS IS", with no warranties, and confers no
    > > rights.)
    > >

    >
    >
    Brad, Nov 24, 2003
    #6
  7. Brad

    MSFT Guest

    Hi Brad,

    I think we may try other approach to achieve this. For example, in the form
    load of the security.aspx, check the user with IsInRole method, perform
    further rocess or redirect it to a special form.

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    MSFT, Nov 26, 2003
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?Q2hyaXMgTW9oYW4=?=

    Configuring Windows Auth & Forms Auth in Asp.Net

    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=, Apr 28, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    673
    =?Utf-8?B?Q2hyaXMgTW9oYW4=?=
    Apr 28, 2004
  2. =?Utf-8?B?ZGhucml2ZXJzaWRl?=

    Windows Auth, but Forms Auth for one page?

    =?Utf-8?B?ZGhucml2ZXJzaWRl?=, Jan 8, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    522
    Elton Wang
    Jan 8, 2005
  3. Chris Mohan

    Configuring Windows Auth & Forms Auth in Asp.Net

    Chris Mohan, Apr 28, 2004, in forum: ASP .Net Security
    Replies:
    2
    Views:
    385
    Chris Mohan
    Apr 29, 2004
  4. Shaun

    Roles based Forms Auth - denied pages redirect

    Shaun, Jul 19, 2004, in forum: ASP .Net Security
    Replies:
    3
    Views:
    140
    Jim Cheshire [MSFT]
    Jul 21, 2004
  5. Forms Auth Info passed to Windows Auth?

    , Apr 28, 2005, in forum: ASP .Net Security
    Replies:
    1
    Views:
    196
    Hernan de Lahitte
    May 3, 2005
Loading...

Share This Page