B
Brad
If a web app uses forms authentication and a specific aspx page has a role
authorization, where should a browser be directed if a user is not in the
role for that location?
Background to my question:
I'm using forms authentication on a web app, setting the ticket in
code...also setting the role in the ticket. I then later set the
context.user to a new generic principal which includes the roles from the
ticket. This works fine and the user (me in this case) is authenticated.
I placed role authorization on a specific location (aspx file) and when I'm
in that role I correctly see the page. If I remove myself (or another
tester) from the role for that page access is correctly denied, however the
browser is displays the message below instead of something like a 401 error.
It seems I can't even use a custom 401 in the config to trap this.
Is the message below what I should be getting? If so, can I trap to
redirect? If not, what might be going on to cause this message?
Thanks
Brad
Role setting example
================================================
<location path="securepage.aspx">
<system.web>
<authorization>
<allow roles="Manager"/>
<deny users="*" />
</authorization>
</system.web>
</location>
================================================
Browser display when access is denied.
================================================
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be
experiencing technical difficulties, or you may need to adjust your browser
settings.
Please try the following:
Click the Refresh button, or try again later.
If you typed the page address in the Address bar, make sure that it is
spelled correctly.
To check your connection settings, click the Tools menu, and then click
Internet Options. On the Connections tab, click Settings. The settings
should match those provided by your local area network (LAN) administrator
or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine
your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then
click About Internet Explorer to determine what strength security you have
installed.
If you are trying to reach a secure site, make sure your Security settings
can support it. Click the Tools menu, and then click Internet Options. On
the Advanced tab, scroll to the Security section and check settings for SSL
2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.
Cannot find server or DNS Error
Internet Explorer
=======================================
authorization, where should a browser be directed if a user is not in the
role for that location?
Background to my question:
I'm using forms authentication on a web app, setting the ticket in
code...also setting the role in the ticket. I then later set the
context.user to a new generic principal which includes the roles from the
ticket. This works fine and the user (me in this case) is authenticated.
I placed role authorization on a specific location (aspx file) and when I'm
in that role I correctly see the page. If I remove myself (or another
tester) from the role for that page access is correctly denied, however the
browser is displays the message below instead of something like a 401 error.
It seems I can't even use a custom 401 in the config to trap this.
Is the message below what I should be getting? If so, can I trap to
redirect? If not, what might be going on to cause this message?
Thanks
Brad
Role setting example
================================================
<location path="securepage.aspx">
<system.web>
<authorization>
<allow roles="Manager"/>
<deny users="*" />
</authorization>
</system.web>
</location>
================================================
Browser display when access is denied.
================================================
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be
experiencing technical difficulties, or you may need to adjust your browser
settings.
Please try the following:
Click the Refresh button, or try again later.
If you typed the page address in the Address bar, make sure that it is
spelled correctly.
To check your connection settings, click the Tools menu, and then click
Internet Options. On the Connections tab, click Settings. The settings
should match those provided by your local area network (LAN) administrator
or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine
your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then
click About Internet Explorer to determine what strength security you have
installed.
If you are trying to reach a secure site, make sure your Security settings
can support it. Click the Tools menu, and then click Internet Options. On
the Advanced tab, scroll to the Security section and check settings for SSL
2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.
Cannot find server or DNS Error
Internet Explorer
=======================================